RISKS Forum mailing list archives
Risks Digest 28.82
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 29 Jul 2015 16:38:31 PDT
RISKS-LIST: Risks-Forum Digest Wednesday 29 July 2015 Volume 28 : Issue 82 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/28.82.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: *WashPost* Op-Ed on Crypto Disappeared (McConnell/Chertoff/Lynn) Chertoff & Leiter disagree with Comey (Henry Baker) Cyber "Defense" from Glass Houses (Henry Baker) Android Stagefright Flaws Put 950 million devices at risk (ThreatPost) Westpac missing out on $1m a day from computer deficiency (Dave Horsfall) Office 365 outage (Jeremy Epstein) Is There Such a Thing as `Ethical Cheating'? (NYTimes) For Ransom, Bitcoin Replaces the Bag of Bills (Nathaniel Popper) Spelling checkers don't catch everything, not even on Pluto (Thomas Koenig) Problems Riddle System to Check Buyers of Guns (NTYimes) Sweat the small stuff: anti-drones (ABC7 via Henry Baker) Chinese Tourist's Drone Crashes Into Taipei 101 Skyscraper (Slashdot) Don't bring your drone to New Zealand (Slashdot) PanoptiCity, USA: Municipal Surveillance (Henry Baker) "iPhone and Registration Please" (WiReD) Costco Photo Center compromised (David Farber) A Clinton Story Fraught With Inaccuracies: How It Happened and What Next? (NYTimes) Fiat Chrysler Issues Recall Over Hacking (NYTimes) Re: Hackers Remotely Kill a Jeep (David Lesher) The hackable car (Michael Bacon) Re: What's Wrong With the Internet (Dimitri Maziuk) Re: Facebook blocked from challenging search warrants targeting its users (R. G. Newbury) Re: For .sucks Web domains, currency seems to be paid in reputations (John Levine, Bob Frankston) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 29 Jul 2015 15:30:50 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: *WashPost* Op-Ed on Crypto Disappeared (McConnell/Chertoff/Lynn) [The following item appeared (briefly) on *The Washington Post* webpage, and then subsequently vanished. The right to be *forgotten*? NO. The right to be *remembered*, even if someone else wanted it to disappear. This is an important statement. I'm including it in its entirety, as a public interest. (It also raises an interesting question of the copyright status for something that was unpublished.) As I noted long ago in the first round of crypto wars, ``The cat is out of the bag, and the genie won't go back in the closet. PGN] https://www.techdirt.com/articles/20150729/09460731789/washington-post-publishes-then-unpublishes-opinion-piece-ex-intelligence-industry-brass-favor-strong-encryption.shtml You have reached the cached page for https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-encryption/2015/07/28/3d145952-324e-11e5-8353-1215475949f4_story.html Mike McConnell, Michael Chertoff and William Lynn 28 Jul 2015 at 8:01 PM Why the fear over ubiquitous data encryption is overblown Mike McConnell was director of the National Security Agency under President Clinton and director of national intelligence under President George W. Bush. Michael Chertoff was homeland security secretary under Bush. William Lynn was deputy defense secretary under President Obama. More than three years ago, as former national security officials, we penned an op-ed to raise awareness among the public, the business community and Congress of the serious threat to the nation's well-being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation. In the wake of global controversy over government surveillance, a number of U.S. technology companies have developed and are offering their users what we call ubiquitous encryption -- that is, end-to-end encryption of data with only the sender and intended recipient possessing decryption keys. With this technology, the plain text of messages is inaccessible to the companies offering the products or services as well as to the government, even with lawfully authorized access for public safety or law enforcement purposes. The FBI director and the Justice Department have raised serious and legitimate concerns that ubiquitous encryption without a second decryption key in the hands of a third party would allow criminals to keep their communications secret, even when law enforcement officials have court-approved authorization to access those communications. There also are concerns about such encryption providing secure communications to national security intelligence targets such as terrorist organizations and nations operating counter to U.S. national security interests. Several other nations are pursuing access to encrypted communications. In Britain, Parliament is considering requiring technology companies to build decryption capabilities for authorized government access into products and services offered in that country. The Chinese have proposed similar approaches to ensure that the government can monitor the content and activities of their citizens. Pakistan has recently blocked BlackBerry services, which provide ubiquitous encryption by default. We recognize the importance our officials attach to being able to decrypt a coded communication under a warrant or similar legal authority. But the issue that has not been addressed is the competing priorities that support the companies' resistance to building in a back door or duplicated key for decryption. We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring. First, such an encryption system would protect individual privacy and business information from exploitation at a much higher level than exists today. As a recent MIT paper explains, requiring duplicate keys introduces vulnerabilities in encryption that raise the risk of compromise and theft by bad actors. If third-party key holders have less than perfect security, they may be hacked and the duplicate key exposed. This is no theoretical possibility, as evidenced by major cyberintrusions into supposedly secure government databases and the successful compromise of security tokens held by the security firm RSA. Furthermore, requiring a duplicate key rules out security techniques, such as one-time-only private keys. Second, a requirement that U.S. technology providers create a duplicate key will not prevent malicious actors from finding other technology providers who will furnish ubiquitous encryption. The smart bad guys will find ways and technologies to avoid access, and we can be sure that the `dark Web' marketplace will offer myriad such capabilities. This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them. Finally, and most significantly, if the United States can demand that companies make available a duplicate key, other nations such as China will insist on the same. There will be no principled basis to resist that legal demand. The result will be to expose business, political and personal communications to a wide spectrum of governmental access regimes with varying degrees of due process. Strategically, the interests of U.S. businesses are essential to protecting U.S. national security interests. After all, political power and military power are derived from economic strength. If the United States is to maintain its global role and influence, protecting business interests from massive economic espionage is essential. And that imperative may outweigh the tactical benefit of making encrypted communications more easily accessible to Western authorities. History teaches that the fear that ubiquitous encryption will cause our security to go dark is overblown. There was a great debate about encryption in the early 1990s. When the mathematics of public key encryption were discovered as a way to provide encryption protection broadly and cheaply to all users, some national security officials were convinced that if the technology were not restricted, law enforcement and intelligence organizations would go dark or deaf. As a result, the idea of escrowed key[s], known as Clipper Chip, was introduced. The concept was that unbreakable encryption would be provided to individuals and businesses, but the keys could be obtained from escrow by the government under court authorization for legitimate law enforcement or intelligence purposes. The administration and Congress rejected the Clipper Chip based on the reaction from business and the public. In addition, restrictions were relaxed on the export of encryption technology. But the sky did not fall, and we did not go dark and deaf. Law enforcement and intelligence officials simply had to face a new future. As witnesses to that new future, we can attest that our security agencies were able to protect national security interests to an even greater extent in the 1990s and into the new century. Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals. ------------------------------ Date: Sun, 26 Jul 2015 12:32:13 -0700 From: Henry Baker <hbaker1 () pipeline com> Subject: Chertoff & Leiter disagree with Comey FYI -- [The remarks below were transcribed by me, and haven't shown up anywhere Googleable, so they can't be edited away.] Speaking at the Aspen Security Forum (aka The Deep Security State Pep Rally), where US security officials rub shoulders with the fawning press and with future Beltway Bandit employers, Third Circuit Judge and Secretary of Homeland Security Michael Chertoff and Counterterrorism Director Michael Leiter surprised many by going offscript and disagreeing with FBI Comey's "going dark" stance. Chertoff quotes: "We do not historically organize our society to make it maximally easy for law enforcement even with court orders to get information." "We're not quite as dark sometimes as we fear we are." "Requiring people to build a vulnerability may be a strategic mistake." Leiter quotes: "We undermine our national security by having that back door." "You have to have a law which addresses reality, and not what you hope reality will be." The press greeted Chertoff's and Leiter's remarks with heedless disregard. https://en.wikipedia.org/wiki/Michael_Chertoff https://en.wikipedia.org/wiki/Michael_Leiter https://www.youtube.com/watch?v=M7Ev-Wx3VT8 58.5 minute video "Cooperation and Conflict in the Relationship between Government and Industry in Cyberspace" Chertoff, speaking at around 15:50 "I'm going to take a position -- that is probably going to be a little surprising to people here, given the fact that I've spent a lot of my career in the security area -- and I want to be very clear about what the issue is here. The issue is presented, assuming that there is a court order to get a communication, but it's an encrypted communication, and if there is no duplicate key or back door, the only people who can decrypt it are the sender and the recipient. Now you can make them do it, the court can order them to do it, [but] if you either can't get hold of them or they refuse, then the question is what is the government do and that's the issue that they're worried about. I think that it's a mistake to require companies that are making hardware and software to build a duplicate key or back door, even if you hedge it with the notion that there's going to be a court order, and I say that for a number of reasons. I've given it quite a bit of thought, and I'm working with s ome companies in this area, too." "First of all there is when you do require a duplicate key, or some other form of back door, there is an increased risk and increased vulnerability. you can manage that to some extent, but it doesn't prevent you from certain kinds of encryption, so you're basically making things less secure for ordinary people." "The second thing is that the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door. And these apps are multiplying all the time. The idea that you're going to build to stop this -- particularly given a global environment -- I think is a pipe dream. So what will wind up happening is people who are legitimate actors will be taking somewhat less secure communications and the bad guys will still not be able to be decrypted." "The third thing is what are we going to tell other countries, when other countries say great, we want to have a duplicate key too, here in Beijing, or Moscow or someplace else. The companies are not going to have a principled basis to refuse to do that. So that's going to be a strategic problem for us." "Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement even with court orders to get information. We often make tradeoffs and we make it more difficult. If that were not the case, then why wouldn't the government simply say all these [smartphones] have to be configured so they're constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So, I don't think socially we do that. And I also think that experience shows we're not quite as dark sometimes as we fear we are. In the 90's when encryption first became a big deal, there was a debate about a Clipper Chip, that would be embedded in devices or whatever your communications equipment was to allow court ordered interception. Congress ultimately and the President did not agree to that. And it dawned on the people in the community afterward, you know what, we collected more than ever. We found ways to deal with that issue, so it's a little bit of a long winded answer but I think on this one strategically requiring people to build a vulnerability may be a strategic mistake." Michael Leiter, speaking at around 19:30 "I'm close to Mike [Chertoff], but I'm not all the way there and I think some of his arguments, as brilliant as he is, don't quite hold water. There are, you know, there are lots of situations where we force companies to make a decision about where they're going to be doing business. And if you choose to do business in -- let's say Russia -- and Russians don't really have a rule of law and they say please provide me with all of your data, the company can make a choice; they can do business in Russia, and comply, or they can not do business in Russia. Now that's a pretty strong statement to basically stop American companies, but American companies may have to make that choice. They may have to make a choice even though they're technology companies, about where they operate, I know the companies we work for make that choice all the time and then you can actually still do pretty well for your shareholders and your businesses. So I don't think all those..." "The place where I come down really is technologically this is a problem. And it's a problem because we are clearly going to a world where end-to-end encryption with temporary keys that disappear immediately after any communication occurs, that is the future. There is no way around that; we are not going to stop that. And, because of that, for the technology issues, I don't think there is a long term way to preserve the US government's ability to intercept or get access to those. And I also do think that societally, we have to accept that the degree to which we undermine our national security by having that back door or front door, depending upon how you define it, is very real. We have seen that because of the cyberthreat. So I tend to think that both technology and the balance of these probably falls on the side of -- you can try to design it now, but reality is going to overtake you and it's a funny thing that when technology and law conflict, law's not going to change th at technology for long, it's going to overtake it. And you have to have a law which addresses reality, and not what you hope reality will be." ------------------------------ Date: Mon, 27 Jul 2015 10:37:05 -0700 From: Henry Baker <hbaker1 () pipeline com> Subject: Cyber "Defense" from Glass Houses FYI -- At the Aspen Security Forum last week, there was a lot of swashbuckling talk about cyber "defense". However, after listening to multiple hours of these talks, I *never once* heard about any effort to "harden" today's computers and networks from attack. The entire U.S. Government's attitude towards attacks such as Sony or OPM is: 1) attribute; and 2) retaliate. In other words, cyber "defense" isn't "defensive" at all; it's simply more offensive, but reactive rather than proactive. Leaving aside the significant risks of mis-attribution and mis-retaliation, shouldn't the U.S. be engaged in a "sprint" to secure our glass houses from rocks instead of whining about end-to-end encryption? What possible gain can the U.S. obtain from a cyber war in which we and North Korea (or ISIL, or ...) both reduce each other electronically to the 1950's? Once again, in our asymmetric world, people who live in glass houses shouldn't be throwing rocks -- especially at those who don't live in glass houses. https://www.youtube.com/user/AspenInstitute/videos?sort=dd&view=0&shelf_id=7 https://www.youtube.com/watch?v=KopyWcBUBPw Beyond the Build: Leveraging the Cyber Mission Force Streamed live on Jul 23, 2015 Adm. Mike Rogers, the head of the National Security Agency and Cyber Command discusses cyber warfare, cyber terrorism, and cybercrime, and how we can best "defend" ourselves against what most experts believe will be the cyber equivalent someday soon of Pearl Harbor. ------------------------------ Date: Mon, 27 Jul 2015 09:44:49 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Android Stagefright Flaws Put 950 million devices at risk ThreatPost via NNSquad https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960 An attacker in possession of their target's phone number could send an MMS or even a Google Hangouts message to an affected device that triggers the vulnerability before the victim has a chance to open the message. In some cases, the attack would delete the MMS in question, leaving behind only a notification that a message was sent ... There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded. "Older devices don't have that option, older devices are more exposed and at risk," Drake said, adding that exploits against Ice Cream Sandwich and Gingerbread are much easier to develop and put those versions at extreme risk. "They don't have the hardening measures Android has these days." Apparently, here we go again. And unfortunately, very large percentages of Android users are on older devices that neither Google nor carriers can or will appropriately update. In fact, even getting Google to make official statements and provide official "from the horse's mouth" help center reference pages about such situations -- and possible mitigations or workarounds -- is often simply impossible. Google: I *realize* that this is hard stuff. I *understand* that the openness of the Android ecosystem makes this difficult. But the continuing status quo of security issues piling up on older devices that are still being routinely used by vast numbers of users is simply untenable. At the very least these users need to be directly informed and helped *by Google* -- not left to pick up bits and pieces of often inaccurate information from third party media and various Google adversaries. It's bad for consumers, and it's bad for Google! ------------------------------ Date: Tue, 28 Jul 2015 15:03:53 +1000 (EST) From: Dave Horsfall <dave () horsfall org> Subject: Westpac missing out on $1m a day from computer deficiency http://www.smh.com.au/it-pro/interest-rate-computer-glitch-costs-westpac-over-1m-a-day-20150728-gilh37 ``Westpac Banking Corp is losing over $1 million a day because its computer systems do not allow it to charge property investors and owner occupiers different interest rates.'' In short, the heavy use of investing in properties in Australia is driving first-time buyers out of the market, and so the major banks are trying to throttle it back by charging higher rates for investors than for owner occupiers. Westpac, however is alone amongst the "big four" by being unable to do so because of "technical problems." Apparently it will take "several months" for "senior members of the IT team" to change the system. I'm finding it difficult to shed a tear over the bank's plight, but I guess that their motives are to make it easier for first-time buyers. ------------------------------ Date: Tue, 28 Jul 2015 06:13:34 -0700 From: Jeremy Epstein <jeremy.j.epstein () gmail com> Subject: Office 365 outage I haven't seen this reported anywhere, but on 27 Jul 2015, there was a pretty significant Office 365 outage that hit some organizations. Centralizing in the cloud adds risk, as well as benefit. Here's Microsoft's explanation - via an email, not an official pronouncement on their web site. "As part of our ongoing work to improve customer experience, an update that was intended to improve federation for users who have Microsoft consumer accounts in addition to their Office 365 accounts was deployed to the Organization Identity infrastructure. However, this update caused impact for some customers who used the same email name for both services." It basically knocked offline everyone in my government agency. And they've been less than forthcoming about whether any emails were lost, when backlogged emails were delivered, etc. Among the organizations affected (that I found reporting about the problem at downdetector.com) were Lincoln Center, UCSD, Vantage Health Plan, UNM, Vanderbilt, etc. So it wasn't regional. ------------------------------ Date: Sun, 26 Jul 2015 18:13:14 -0400 From: Monty Solomon <monty () roscom com> Subject: Is There Such a Thing as `Ethical Cheating'? When the news broke last week that hackers had breached Ashley Madison, the dating website that helps married people find out-of-wedlock romance, the Internet responded with a lot of snark and not much sympathy. We read Twitter so you don92t have to, and the take-away is this: if you cheat and get caught, you are getting what you deserve; and, if you cheat and get caught because you entered your personal information into a cheaters' dating website whose marketing tagline is Life is short. Have an affair -- you really are getting what you deserve. But married daters looking for someone to defend their honor have at last found a spokesman: Brandon Wade, 45, the founder of the new website OpenMinded.com, which caters to individuals and couples looking for others with whom to engage in what Mr. Wade calls `ethical cheating'. This involves telling a spouse that you are going to be unfaithful, or including the spouse in new, outside-the-marriage relationships, he said. http://www.nytimes.com/2015/07/27/fashion/ethical-cheating-open-minded-dot-com.html ------------------------------ Date: Sun, 26 Jul 2015 10:31:52 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: For Ransom, Bitcoin Replaces the Bag of Bills (Nathaniel Popper) Nathaniel Popper, *The New York Times*, 26 Jul 2015 Hackers seizing sites and files demand virtual currency. Victims are told to pay more than $20,000 in Bitcoin. One group of attackers in Russia and Ukraine collected about $16.5M in Bitcoin in just over a month. One Bitcoin is apparently worth about $290 at the moment. [PGN-ed] ------------------------------ Date: Mon, 27 Jul 2015 22:54:46 +0200 From: Thomas Koenig <tkoenig () netcologne de> Subject: Spelling checkers don't catch everything, not even on Pluto A quick reminder that spelling checkers do not catch everything. A recent NASA press release about New Horizons contained the sentence "Ultraviolent sunlight chemically converts hazes into tholins, the dark hydrocarbons that color Pluto's surface" It was fixed in the meantime on the NASA web site, but other sites still carry it. Of course, instead of a simple error, it could also be a Douglas Adams quote... ------------------------------ Date: Tue, 28 Jul 2015 00:11:26 -0400 From: Monty Solomon <monty () roscom com> Subject: Problems Riddle System to Check Buyers of Guns http://www.nytimes.com/2015/07/28/us/problems-riddle-system-to-check-buyers-of-guns.html The one system that gun rights and gun control advocates both agree on, the National Instant Criminal Background Check System, has major gaps. ------------------------------ Date: Sun, 26 Jul 2015 15:06:51 -0700 From: Henry Baker <hbaker1 () pipeline com> Subject: Sweat the small stuff: anti-drones FYI -- ".50-caliber gun", "30-kilowatt laser", "anti-tank missile", "tube-launched drone that can carry an explosive charge the size of a hand grenade", "shotgun might suffice" "doing so in a city could risk harming innocent bystanders" You think ? These cures may be worse than the disease... I wonder if this current anti-drone testing program has anything to do with panga boats found in the same area. (Autonomous panga boats may be used for smuggling drugs into the U.S.) http://abc7.com/archive/9220658/ Immigration agents investigate panga boat near Point Mugu Rock August 27, 2013 12:00:00 AM PDT POINT MUGU STATE PARK, VENTURA COUNTY -- Agents with U.S. Immigration and Customs Enforcement are investigating a panga boat abandoned about 100 feet south of Point Mugu Rock [very close to Point Mugu Naval Base]. http://www.independent.com/news/2013/mar/14/panga-runners-land-vandenberg/ http://nypost.com/2015/07/25/military-operation-black-dart-to-tackle-nightmare-drone-scenario/ Military exercise Black Dart to tackle nightmare drone scenario By Richard Whittle July 25, 2015 | 4:00pm Sweat the small stuff. That's the unofficial motto for this year's edition of the military exercise Black Dart, a two-week test of tactics and technologies to combat hostile drones that begins Monday on the Point Mugu range at Naval Base Ventura County in California. The military categorizes Unmanned Aircraft Systems (UAS) by size and capability, from Group 5 drones that weigh more than 1,320 pounds and can fly above 18,000 feet like the Reaper, down to Group 1, mini- and micro-drones less than 20 pounds that fly lower than 1,200 feet. Previous Black Darts have covered threats to troops overseas and targets at home posed by drones of all sizes. But small drones are this year's focus, said the director of this 14th edition of Black Dart, Air Force Maj. Scott Gregg, because of worrisome incidents since the last exercise. [...] [Very long item truncated for RISKS. PGN] ------------------------------ Date: Sun, 26 Jul 2015 21:14:53 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Chinese Tourist's Drone Crashes Into Taipei 101 Skyscraper (Slashdot via Werner U) <http://tech.slashdot.org/story/15/07/25/1622200/chinese-tourists-drone-crashes-into-taipei-101-skyscraper> <http://en.yibada.com/articles/48013/20150724/chinese-tourist-faces-nt-1-5-million-fine-crashing-drone.htm> A Chinese tourist has been hit with a fine of $48,000 (NT $1.5 Million) after his drone crashed into the Taipei 101 skyscraper. The tourist, 30-year-old Yan Yungfan, *was supposedly attempting to film Taipei's cityscape on Tuesday morning with a remotely controlled Phantom 3 UAV when he lost control of the drone, causing it to hit the side of Taipei 101 at around the 30th floor. No one was injured in the incident and only minor damage was sustained by the building's glass windows, but the video immediately became a viral sensation after it was uploaded online. Taipei 101 said in a statement that there have been three incidents of drones crashing around the building since mid-June, with the first two cases taking place on June 15 and June 20.* No injuries have resulted from these crashes, but I wouldn't want to get hit by a 3-pound object falling from that height. ------------------------------ Date: Mon, 27 Jul 2015 11:59:48 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Don't bring your drone to New Zealand <http://yro.slashdot.org/story/15/07/24/1625252/dont-bring-your-drone-to-new-zealand> Personal drones are changing the way some people experience vacations. Instead of toting along a camcorder or a 35mm DSLR, people are starting pack a GoPro and, increasingly, a drone on which to mount it. This is fine if you're going to a drone-friendly country, but be warned that your drone will get you into big trouble in Thailand (where all use of drones by the public is banned outright) and now in New Zealand, where strict new laws regarding the operation of drones (and even tiny toys like the 20g Cheerson CX10) come into effect on August 1. Under these new rules, nobody can operate a drone or model aircraft without getting the prior consent of the owner over which property it is intended to fly -- and (this is the kicker) also the permission of the occupiers of that property. So you can effectively forget about flying down at the local park, at scenic locations or just about any public place. Even if you could manage to get the prior permission of the land-owner, because we're talking "public place," you'd also have to get the permission of anyone and everyone who was also in the area where you intended to fly. Other countries have produced far more sane regulations -- such as limiting drone and RC model operators to flying no closer than 30m from people or buildings -- but New Zealand's CAA have gone right over the top and imposed what amounts to a virtual death-sentence on a hobby that has provided endless, safe fun for people of all ages for more than 50 years. Of course if you are prepared to pay a $600 fee to become "Certified" by CAA then the restrictions on where you can fly are lifted and you don't need those permissions. <http://www.slate.com/articles/technology/future_tense/2015/02/thailand_drone_regulations_why_you_should_care.html> <http://www.stuff.co.nz/technology/gadgets/70493842/drone-operators-may-need-flying-permits-under-new-rules.html> ------------------------------ Date: Mon, 27 Jul 2015 07:25:03 -0700 From: Henry Baker <hbaker1 () pipeline com> Subject: PanoptiCity, USA: Municipal Surveillance FYI -- Ubiquitous surveillance beyond the Stasi's wettest dreams. Every streetlight is now a surveillance camera; garbage trucks video your trash in RFID-equipped containers. What next? A wifi system that spies on you? http://www.rt.com/usa/seattle-mesh-network-disabled-676/ "Seattle police deactivate [wifi] surveillance system after public outrage" Perhaps a sewer system that spies on you, too? http://edition.cnn.com/2005/TECH/06/28/spark.toilet/index.html "Clever toilet checks on your health" https://www.aclu.org/blog/free-future/building-mass-surveillance-infrastructure-out-light-bulbs Building a Mass Surveillance Infrastructure Out of Light Bulbs By Chad Marlow, Advocacy and Policy Counsel, ACLU July 23, 2015 | 10:30 PM For almost a quarter century, General Electric's corporate slogan was GE: We Bring Good Things To Life. Well, based upon a report in Sunday's The New York Times, the company may want to dig up that old slogan, repurpose it a bit, and roll it out as GE: We Bring Mass Surveillance To Lights. http://www.nytimes.com/2015/07/20/technology/a-light-bulb-goes-on-over-the-mall.html [Truncated for RISKS. PGN] ------------------------------ Date: Sat, 25 Jul 2015 16:02:54 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: "iPhone and Registration Please" (WiReD, Jun 2015) Drivers license on your phone, what could go wrong with that? http://contentviewer.adobe.com/s/Wired/5857345fd35d4d1f9a1f00273013f68a/WI0615_10_Folio/3030_2306AP_phoneid.html http://tinyurl.com/ongxg7b ------------------------------ Date: Sat, 25 Jul 2015 17:40:54 -0400 From: "David Farber" <farber () gmail com> Subject: Costco Photo Center compromised http://www.costcophotocenter.com/account/default.aspx "As a result of recent reports suggesting that there may have been a security compromise of the third party vendor that hosts Costcophotocenter.com, we are temporarily suspending access to the site. We take the security of our members' data seriously, which is why we are taking this precautionary step. This decision does not affect any other Costco website or our in-store operations, including in-store photo centers. "This situation is affecting multiple online photo sites. We are diligently working to determine when we can re-enable the site, but in all likelihood that will not occur until early August. We will update this statement when we have more information." [...] ------------------------------ Date: Tue, 28 Jul 2015 00:28:03 -0400 From: Monty Solomon <monty () roscom com> Subject: A Clinton Story Fraught With Inaccuracies: How It Happened and What Next? (NYTimes) http://publiceditor.blogs.nytimes.com/2015/07/27/a-clinton-story-fraught-with-inaccuracies-how-it-happened-and-what-next/ A front-page story, corrected multiple times, raises bigger questions. ------------------------------ Date: Tue, 28 Jul 2015 00:33:24 -0400 From: Monty Solomon <monty () roscom com> Subject: Fiat Chrysler Issues Recall Over Hacking http://www.nytimes.com/2015/07/25/business/fiat-chrysler-recalls-1-4-million-vehicles-to-fix-hacking-issue.html The news that two researchers had hacked into a Jeep Cherokee, set in motion a nine-day flurry of activity by the automaker and the safety agency that culminated in the recall of 1.4 million vehicles. ------------------------------ Date: Mon, 27 Jul 2015 22:08:42 -0400 From: David Lesher <wb8foz () panix com> Subject: Re: Hackers Remotely Kill a Jeep (RISKS-28.80) Wired reports that Jeep has announced: [owners will] be sent a USB drive with a software update they can install through the port on their vehicle's dashboard. ....and of course, people with RISKy minds immediately latched on the minor issue of how will owners know which USB key to trust, and which to call HazMat to remove...? Good Question. {Jeep would far rather owners go to their dealers for a patch; it's far cheaper for the company, but..} Why should I spend money on individual USB keys & postage? I'm already making dastardly plans to go after the nation's Jeep dealers & their collection of diagnostic and upgrade computers. I've yet to meet an automotive service manager who keeps up to date with Krebs & RISKS; much less spell "Kaspersky".... PS: How many cars are in the motor pools at Langely and Ft. Meade? Who maintains/upgrades those - the lowest bidder? Just wait until they start silently turning into mobile TOR routers & Bitcoin miners... ------------------------------ Date: Sun, 26 Jul 2015 06:40:30 +0100 From: Michael Bacon <michaelbacon () tiscali co uk> Subject: The hackable car (RISKS-28.81) Call me old-fashioned, but I prefer that the steering wheel be mechanically connected to the steered wheels, and that the brake pedal be hydraulically (or mechanically) connected to the brakes. Putting electronics in the path creates potential for "brain fade" -- as evidenced by the technological marvels that are Formula One Grand Prix cars. It used to be that the most dangerous component in a vehicle was the nut behind the wheel, now it's the systems builder and the hacker 5,000 miles away. Expletives aside, among the last words on many Cockpit Voice Recorders recovered after aircraft accidents are: "Why is it doing that?" The increasing insertion of flawed software into basic vehicle control systems brings strong potential for these to be the last words uttered by many drivers in the future. I'll stick to my "old clunker", thank you, and avoid that risk. ------------------------------ Date: Sun, 26 Jul 2015 14:06:33 -0500 From: Dimitri Maziuk <dmaziuk () bmrb wisc edu> Subject: Re: What's Wrong With the Internet (Emerson, RISKS-28.81) Oh good. Now we just need someone to explain to IETF how a session layer would make a lot of things from distributed programming to firewalls without "deep inspection" to bittorrent to google chrome's connection pooling irrelevant. And how a presentation layer would put encryption someplace less silly than "socket layer" and would also take care of "magic quotes" and the rest of unicode-related mess. And they'll listen. ------------------------------ Date: Mon, 27 Jul 2015 09:41:43 -0400 From: "R. G. Newbury" <newbury () mandamus org> Subject: Re: Facebook blocked from challenging search warrants targeting its users (RISKS-28.81) And all Facebook needs to do, is amend its Terms of Service to add a provision (on, I suggest, an opt-in basis) which appoints FB with Power of Attorney to respond to, and dispute any search warrant which the Attorney receives, aimed at the customer. QED. FB has standing to dispute the warrant, NOT as FB, but as the customer. Ignorant, stupid ruling. Geoffrey Newbury Barrister and Solicitor Suite 106, 150 Lakeshore Road West Mississauga, Ontario, L5H 3R2 1-905-271-9600 newbury () mandamus org ------------------------------ Date: 25 Jul 2015 21:19:35 -0000 From: "John Levine" <johnl () iecc com> Subject: Re: For .sucks Web domains, currency seems to be paid in reputations (BetaBoston) In article <15.CMM.0.90.4.1437849994.risko () chiron csl sri.com16253> you write:
http://www.betaboston.com/news/2015/07/23/sleazy-internet-domain-sucks-up-the-bucks/
This was a rather bad article, sloppy and poorly researched.
Do I need to point out again that what really sucks is the idea that you can't own your identity ...
Um, the point of .sucks is that it's not for you, it's for people to complain about you. This point also appears to elude all of the trademark lawyers whining about it, and it eluded ICANN who predictably panicked when they got the lawyers' letter and asked the FTC and Canadian OCA to give them an excuse to shut down .sucks (with whom they had just signed a long term contract), but it did not elude either the FTC or the OCA, neither of whom had any sympathy at all. It's true that .sucks is a shakedown, but only for the insecure and pretentious. I blogged about it at http://jl.ly/ICANN/ultvanity.html ------------------------------ Date: 25 Jul 2015 17:27:36 -0400 From: "Bob Frankston" <bob19-0501 () bobf frankston com> Subject: Re: For .sucks Web domains, currency seems to be paid in reputations (BetaBoston) I agree that .sucks is an extreme case with its own characteristics. But it's still part of the larger problem of a rent-seeking organization that prevent us from having stable relationships between end points. Both in leasing names and leasing addresses. ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 28.82 ************************
Current thread:
- Risks Digest 28.82 RISKS List Owner (Jul 29)