RISKS Forum mailing list archives
Risks Digest 29.01
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 3 Oct 2015 10:47:55 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 3 October 2015  Volume 29 : Issue 01

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.01.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
NSA's Trojan Horse Scored Gold at Athens Olympics (Henry Baker)
Xerox "more secure" Supply Chain (Gizmodo via AlMac)
Newly found TrueCrypt flaw allows full system compromise (PGN)
Google's Cute Cars And The Ugly End Of Driving (Lauren Weinstein)
Nerves rattled by highly suspicious Windows Update (Ars)
France pushes for global surveillance (EFF)
Michael Chertoff on encryption, etc. (HuffPost)
Experian hack exposes 15 million people's personal information
  (The Guardian and Ars Technica)
Gigabytes of user data from hack of Patreon donations site dumped online
  (Dan Goodin)
A billion Android phones are vulnerable to new Stagefright bugs (Dan Goodin)
Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper
  (Dan Goodin)
UN proposes massive Internet censorship (WashPo)
Open Office on Ubuntu (SMB via PGN)
Re: EPA v VW cheatware, AI & "machine learning" (Paul Fenimore)
Re: VW Scandal (Pete Kaiser)
Adblock sells out -- refuses to identify the buyer (NextWeb)
The ad-block-alypse has arrived: a mobile carrier has for the first time
  begun blocking *all* ads on its customers' phones (Monty Solomon)
Re: Ad-blocking (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 30 Sep 2015 10:13:42 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: NSA's Trojan Horse Scored Gold at Athens Olympics

The NSA -- with the secret approval of the Greek govt -- installed a malware
implant that utilized existing 'lawful intercept' capabilities of the
Ericsson system to spy during the Athens Olympics. But since the 'lawful
intercept' capabilities of the Ericsson system had never been legally
approved or paid for, the logging function of the 'lawful intercept' system
was never turned on. However, post-Olympics, the implants were not only not
removed, but upgraded to subsequently spy on the top officials of the Greek
govt.

The Ericsson telephone system in Greece became a *roach motel* -- the NSA
implants checked in, but they never checked out.

We now know why FBI Director Comey loves 'lawful intercept' capabilities of
phone systems so much; they supply a substantial attack surface that's easy
to subvert!

Incredible irony: in the ancient Greek world, the "Olympic Truce" protected
the Games from war-like behavior:
https://en.wikipedia.org/wiki/Olympic_Truce

'During the Truce period (lasting up to three months), wars were suspended,
armies were prohibited from threatening the Games, legal disputes were
stopped, and death penalties were forbidden'

'2004 Athens Summer Games: The Olympic Truce was promoted through Olympic
Flame Relay [NSA's "Olympic Frame Relay" !?!] events. The UN supported the
IOC in asking the nations of the world to stop all wars for 16 days during
the Games.'

Some quotes from this too-long article:

``The world will be watching and so will NSA!''

``The key to the operation was hijacking a particular piece of software, the
`lawful intercept' program.''

``Exploiting the weaknesses associated with lawful intercept programs was a
common trick for NSA.''

``But without the IMS [logging] program there would be no audit trail.''

'But less than a week later, long after the Olympic Torch had been
extinguished, new malware was implanted.'

``They [NSA] said when the Olympics is over, we'll turn [the interception
capability] off and take it away. And after the Olympics they turned it off
but they didn't take it away and they turned it back on and the Greeks
discovered it.''

``They never [remove the malware implants]. Once you have access, you have
access. You have the opportunity to put implants in, that's an opportunity.''

``From the very start, according to a former senior Greek official involved
in the investigation, there was no doubt within the highest levels of
government that the U.S. was behind the bugging.''

Snowden docs pertinent to the Athens Olympic Trojan Horse:
https://cryptome.org/2015/09/nsa-rogue-olympics.zip

James Bamford, A Death in Athens: Did a Rogue NSA Operation Cause the Death
of a Greek Telecom Employee?, 29 Sep 2015
https://theintercept.com/2015/09/28/death-athens-rogue-nsa-operation/

Documents published with James Bamford's item:
  Another Successful Olympics Story
  Exploiting Foreign Lawful Intercept Roundtable
  Gold Medal Support for Olympic Games
  NSA Team Selected for Olympics Support
  SID Trains for Athens Olympics

------------------------------

Date: Tue, 29 Sep 2015 18:49:23 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Xerox "more secure" Supply Chain (Gizmodo)

Some new technology comes out, which we are told is so much more secure than
the prior alternatives, as to be foolproof, until history repeats with the
new stuff. But we were also told something similar when the older technology
first came out. We are now told that the following are no good:
. Bar codes;
. Holograms;
. RFID chips.

I do not see what, conceptually, the new Xerox printed memory is doing which
could not be done with RFID chips, other than maybe expense. I wonder how
printers to generate such labels compare in cost to other alternatives.

In my former day job, we had a supply chain tracking label system which added
$0.001 to unit product cost, but some supply chain participants opted out of
even that, because lowest possible cost was more important to them than:
supply chain tracking; counterfeit and defect avoidance; or inventory
accuracy.

Thin flexible memory chips are printed on a product label. This memory is
re-writable via a Wi-Fi reader in a smart phone, or other handheld device,
with or without Internet connection. Encryption theoretically limits access
to the many thousands of business enterprises authorized to be in the supply
chain, many of which have probably been hacked. We are not told about any
back door which NSA may have requested.

In theory, supply chain tracking tech wants to help businesses keep track of
their inventory, maximize quality at minimum cost, back trace defects to
responsible parties, and not fall prey to actions of crooks, and other
parties, interested in:
. Selling counterfeits (Last year Uncle Sam confiscated $1.2 billion in
  counterfeit goods);
. Manipulating prices (when store checkout uses price inside this tech, some
  people buy it almost for free);
. Preventing shoplifting (consumer walks out door, with merchandise the
  checkout person has not yet deactivated);
. Finding new hacker pathways;
. Delivering malware;
. Violating privacy.

Each upgrade needs to consider security against all risks, and consider all
needs. Otherwise upgrading, for one purpose, can invite vulnerabilities in
other areas.

http://gizmodo.com/xeroxs-printable-memory-labels-can-store-data-to-combat-1731011329
http://www.pddnet.com/news/2015/09/xerox-introduces-counterfeit-opposing-printed-electronic-labels
http://www.thinfilm.no/news/xerox-uses-thinfilm-memory-to-fight-counterfeiting/

This may be old news, but I just found out about it.

------------------------------

Date: Wed, 30 Sep 2015 0:54:04 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Newly found TrueCrypt flaw allows full system compromise

IT World is reporting this! Recall that Truecrypt was WITHDRAWN by its
developer(s), perhaps a year ago, under circumstances that were never quite
clear.

http://www.itworld.com/article/2987438/newly-found-truecrypt-flaw-allows-full-system-compromise.html

------------------------------

Date: Thu, 1 Oct 2015 08:53:57 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google's Cute Cars And The Ugly End Of Driving

The main thing you should know about autonomous vehicles is that they are
utterly inevitable.

http://www.buzzfeed.com/mathonan/googles-cute-cars-and-the-ugly-end-of-driving#.yvrGvxNqOO

Leaving aside technical, financial, and cultural issues for the moment, the
question I'd really like to see us thinking about now -- before we really
need the full answers -- is how we're going to prevent mass government abuse
of these vehicles.

The amount of video and other data these vehicles will be collecting will be
immense. You can bet governments will want it, both in individual cases and
en masse.

Governments will want to know where every car is or was, every moment. They
will make license plate scanners totally obsolete. They will want remote
control capabilities. Whether or not vehicles can be started. Whether they
will keep running or automatically pull over to the side of the road to await
a police vehicle (or drive into the nearest police station, with the windows
and doors locked?) if they believe a suspect is inside. Whether or not you
can drive if you haven't been paying your bills or are having a legal
dispute. They will want the ability to block all vehicles from areas where
they don't want to be observed, and shoo all vehicles already there out of
the area. This means individual and en masse remote control. Pretty powerful
stuff.

And remote control is likely to come irrespective of law enforcement, because
it's the most practical way to deal with situations beyond the scope of the
car's AI (unusual weather or road conditions, accident and construction sites
with authorities giving voice instructions to drivers, etc.), assuming a
human driver capable of taking over in such situations is not present.

Remote control capabilities for authorities are also likely to be mandated at
some point due to LEO concerns (already being widely discussed) of unoccupied
vehicles (the "vehicle on demand" scenario) being used in criminal or
terrorist plots.

Most of these issues have already been covered quite convincingly by
prescient science fiction for many decades. Autonomous vehicle proponents
would do well to consider how they're going to respond to government demands
along these lines. 'Cause you can be sure that there are teams already in
governments around the world brainstorming about their side of this equation.

------------------------------

Date: Wed, 30 Sep 2015 12:03:01 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Nerves rattled by highly suspicious Windows Update

http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/

People around the world are receiving a highly suspicious software bulletin
through the official Windows Update, raising concerns that Microsoft's
automatic patching mechanism may be broken or, worse, has been compromised to
attack end users. This Web search, which queries the random-appearing string
included in the payload, suggests that it's being delivered to people in
multiple regions. The same unexplained and almost certainly unauthorized
patch is being reported in a variety of online posts, including this one
hosted by Microsoft. The updates appear to be coming directly from servers
that are cryptographically certified to be part of Microsoft's Windows Update
system.

Not clear what's going on here yet.

------------------------------

Date: Thu, 1 Oct 2015 21:13:31 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: France pushes for global surveillance (EFF)

France's Government Aims to Give Itself--and the NSA--Carte Blanche to Spy
on the World

[EFF via NNSquad]
https://www.eff.org/deeplinks/2015/09/frances-government-aims-give-itself-and-nsa-carte-blanche-spy-world

By legalizing France's own plans to spy on the rest of the world, France
would take a step to establishing the NSA model as an acceptable global norm.
Passing the law would undermine France's already weak surveillance
protections for its own citizens, including lawyers, journalists and judges.
And it would make challenging the NSA's practices far more difficult for
France and other states.

You'll recall France is also pushing for its "Right To Be Forgotten"
censorship to apply globally.

------------------------------

Date: Sat, 3 Oct 2015 08:04:46 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Michael Chertoff on encryption, etc. (HuffPost)

http://www.huffingtonpost.com/entry/michael-chertoff-dhs-privacy-security_560ebd9de4b076812701c9f7

If you can't lock your door, you can't maintain the privacy of your home. If
you can't encrypt your phone, you can't keep your personal data private,
either. As tech companies and law enforcement agencies clash over encryption,
security and privacy, a former Bush administration official is coming down
forcefully on the side of technology that supports civil liberties rather
than erodes them. Michael Chertoff, who served under President George W. Bush
as the nation's second Secretary of Homeland Security, suggested to The
Huffington Post that using encryption to keep your data or messages personal
is like having a quiet, private conversation between friends.

Chertoff is an interesting character. Given his actions in the Bush
administration, one would not necessarily have predicted his current stance
on these issues.

------------------------------

Date: Thu, 1 Oct 2015 17:54:18 -0400
From: "David Farber" <farber () gmail com>
Subject: Experian hack exposes 15 million people's personal information
  (The Guardian and Ars Technica)

*The Guardian*, 1 Oct 2015
http://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information

  [Also, Dan Goodin, Ars Technica, 1 Oct 2015:
  http://arstechnica.com/security/2015/10/highly-personal-data-for-15-million-t-mobile-applicants-stolen-by-hackers/
  PGN]

------------------------------

Date: Fri, 2 Oct 2015 02:11:49 -0400
From: Monty Solomon <monty () roscom com>
Subject: Gigabytes of user data from hack of Patreon donations site dumped
  online (Dan Goodin)

Dan Goodin, Ars Technica, 1 Oct 2015
The inclusion of source code and databases suggests the breach was extensive.
http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack-of-patreon-donations-site-dumped-online/

------------------------------

Date: Fri, 2 Oct 2015 02:17:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: A billion Android phones are vulnerable to new Stagefright bugs
  (Dan Goodin)

Dan Goodin, Ars Technica, 1 Oct 2015
Stagefright 2.0 comes as Android users were still recovering from
Stagefright 1.
http://arstechnica.com/security/2015/10/a-billion-android-phones-are-vulnerable-to-new-stagefright-bugs/

------------------------------

Date: Fri, 2 Oct 2015 02:26:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: Drop-dead simple exploit completely bypasses Mac's malware
  Gatekeeper (Dan Goodin)

Dan Goodin, Ars Technica, 30 Sep 2015
A key limitation makes it trivial for attackers to skirt Gatekeeper
protections.
http://arstechnica.com/security/2015/09/drop-dead-simple-exploit-completely-bypasses-macs-malware-gatekeeper/

------------------------------

Date: Fri, 2 Oct 2015 15:37:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UN proposes massive Internet censorship (WashPo)

The United Nations has a radical, dangerous vision for the future of the Web
https://www.washingtonpost.com/news/the-intersect/wp/2015/09/24/the-united-nations-has-a-radical-dangerous-vision-for-the-future-of-the-web/

At one point toward the end of the paper, the U.N. panel concludes that
"political and governmental bodies need to use their licensing prerogative"
to better protect human and women's rights, only granting licenses to "those
Telecoms and search engines" that "supervise content and its dissemination."
In other words, the United Nations believes that online platforms should be
(a) generally responsible for the actions of their users and (b) specifically
responsible for making sure those people aren't harassers. Regardless of
whether you think those are worthwhile ends, the implications are huge: It's
an attempt to transform the Web from a libertarian free-for-all to some kind
of enforced social commons.

There's no way the UN vision could be implemented without mass global
censorship.

------------------------------

Date: Tue, 29 Sep 2015 17:52:36 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Open Office on Ubuntu

  [Noted by Steve Bellovin, in the context of testing for VW misuse:]

By chance, https://bugs.launchpad.net/ubuntu/+source/cupsys/+bug/255161 just
drifted through my Twitter feed. To summarize: Open Office couldn't print on
Tuesdays on some versions of Ubuntu because of a problem with the 'file'
command. Testing is so accurate...

------------------------------

Date: Wed, 30 Sep 2015 06:24:40 -0600
From: Paul Fenimore <fenimore () swcp com>
Subject: Re: EPA v VW cheatware, AI & "machine learning"

I fail to see why there is no clear path forward after discovering VW
engineered their vehicles to specifically defeat emissions regulations.
Specifically defeating regulations, whether by selecting an adaptive
algorithm or some other means, is an unlawful act. The path forward is
called criminal and civil sanctions for the perpetrators; hiding the human
actions behind a "learning" algorithm is a misdirection. The car design
process from year to year is under the close supervision of the
manufacturer: there is no rogue software element here.

This *human* responsibility is acutely important in the VW case: Vehicle
emission regulations are life-safety regulations that address the major
cause of mortality that arises from treating the open air as a sewer. In
the USA, for example, air pollution results in vast numbers of premature
deaths.
<http://news.mit.edu/2013/study-air-pollution-causes-200000-early-deaths-each-year-in-the-us-0829>

The real question is whether homicide charges are relevant when there is
comparative uncertainty about the death of specific individuals as opposed
to certainty that in aggregate large numbers of people have been killed by
VW's deliberate violation of the law.

------------------------------

Date: Tue, 29 Sep 2015 19:34:23 +0200
From: Pete Kaiser <djc () resiak org>
Subject: Re: VW Scandal

In the 1980s I worked as a developer for a software company whose sole
product was a big-ticket package sold largely to the US federal government,
where the purchasing process included certain standard benchmarks. The
complex inner workings of the package included self-checking, plausibility
checks, recovery mechanisms, and so forth, and in normal operation those
deep inner features couldn't be turned off.

But secretly buried deep in the package by the original developer -- the
company's sole owner -- was code that detected when it was running one of
these standard benchmarks, and turned off all the integrity-checking and
safety features, giving the performance a boost. I was stunned to find this,
and foolishly brought it up to the owner, not with good results for me.

------------------------------

Date: Fri, 2 Oct 2015 13:58:19 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Adblock sells out -- refuses to identify the buyer

The Next Web, 2 Oct 2015 [via NNSquad]
Adblock extension with 40 million users sells to mystery buyer, refuses to
name new owner
http://thenextweb.com/apps/2015/10/02/trust-us-we-block-ads/

What's strange is that the company won't disclose who it's been sold to, why
it was sold, or how much it was sold for. For the extension's claimed 40
million users this raises an interesting question: Can the extension
continue to be trusted if the new proprietor is entirely anonymous? TNW
contacted Adblock's remaining staff to ask if they'd disclose the buyer but
the company refused, saying that the purchaser had specifically asked not to
be named. The only thing the team would tell us is that the tool's creator
Michael Gundlach will no longer have any relationship with the company --
that probably means he's cashed out.

As you'll recall, this is the extension that requires most firms to pay
extortion to bypass the extension's blocking.

------------------------------

Date: Thu, 1 Oct 2015 08:54:25 -0400
From: Monty Solomon <monty () roscom com>
Subject: The ad-block-alypse has arrived: a mobile carrier has for the first
  time begun blocking *all* ads on its customers' phones (

http://www.businessinsider.com/digicel-becomes-first-mobile-carrier-to-sign-up-shine-ad-blocker-2015-9

------------------------------

Date: 29 Sep 2015 20:24:36 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Ad-blocking (Ross, RISKS-28.96)

I think the answer is really "because they can", or perhaps "because they
think they can". People have ignored ads as long as there's been ads, and
advertisers have always hated it. But until the Internet, they couldn't tell
who was looking at the ads and who wasn't. Now the users are making it clear
just how not interested in the ads they are, which is very bad for
marketers' fragile egos.

If I ever write an ad blocker, it's going to be the moral equivalent of
going to the kitchen when the TV shows an ad, while leaving the TV on. It'll
still fetch all the web ads in the background, but it won't display them.
This will give the users what they want, while protecting the aforementioned
fragile egos.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
 depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.01
************************