RISKS Forum mailing list archives

Risks Digest 29.02


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 6 Oct 2015 17:02:12 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 6 October 2015  Volume 29 : Issue 02

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.02.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Your MRI machine has already been pwned (Scott Erven and Mark Collao via
  Henry Baker)
European court of Justice bans "Safe Harbor" decision (Thomas Koenig)
Top EU court says US privacy protections are inadequate in landmark
  ruling (Amar Toor)
How Many Deaths Did Volkswagen's Deception Cause in the U.S.? (NYTimes)
Engine Shortfall Pushed Volkswagen to Evade Emissions Testing (NYTimes)
Peeple Risks (Rob Slade)
The Athens Affair shows why we need encryption without backdoors
  (Trevor Timm, Dorothy Denning, Grady Booch)
Got 'Em! Researchers Steal Crypto Keys From Amazon Cloud (Fahmida Y. Rashid)
Identifying Problems With National Identifiers: Supposedly Encrypted
  Numbers Can Be Easily Decrypted (Harvard)
Study Rates UW CSE ... Most Practically Relevant (U.Wash)
US Customs collecting info on every Amtrak passenger (Al Mac)
Scottrade had no idea about data breach until the feds showed up (PCWorld)
Sherry Turkle's Reclaiming Conversation (NYTimes)
Business Technology Starts to Get Personal (NYTimes)
Re: Open Office on Ubuntu (Henry Crun)
Re: How to make the Internet worse for everyone except the slimeballs
  (David Canzi)
Putting Mobile Ad Blockers to the Test (NYTimes)
Re: Adblock sells out -- refuses to identify the buyer (Alan Ralph)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 06 Oct 2015 09:32:51 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Your MRI machine has already been pwned

FYI -- The next time you're lying on a gurney waiting to get an X-ray or MRI
scan, contemplate the probability that your X-ray or MRI machine has
*already been compromised*.  Scott Erven & Mark Collao set up similarly
configured honeypots & found them constantly under successful attack due to
massive numbers of unpatched vulnerabilities and hardwired credentials.

Scott & Mark think that many of these attackers didn't even realize the
types of machines that they had successfully attacked; these attacks are
apparently large-scale automated attacks on *every* Internet address looking
for vulnerable computers.  This means that *every* vulnerable machine
attached to the Internet will eventually be pwned because every known
exploit will eventually be tried on all of them.

X-ray and MRI machines have service technician screens including
"calibration" interfaces which could be used to override some of the
built-in safety mechanisms.

I shudder to even think about pwned Lasik machines...

https://www.youtube.com/watch?v=qX_dV6LUTdo

 - - - -

Break Me14 Medical Devices Pwnage and Honeypots Scott Erven Mark Collao
IronGeek, 27 Sep 2015

These are the videos from Derbycon 2015:
http://www.irongeek.com/i.php?page=videos/derbycon5/mainlist

Jeff Goldman, Thousands of Critical Medical Devices Exposed Online, 1 Oct 2015
http://www.esecurityplanet.com/network-security/thousands-of-critical-medical-devices-exposed-online.html

'These devices are getting owned repeatedly,' security researcher Mark
Collao said.

At the DerbyCon security conference in Louisville, Kentucky, security
researchers Scott Erven and Mark Collao recently stated that thousands of
critical medical devices are connected to the Internet and vulnerable to
attack, The Register reports.

At one unnamed U.S. healthcare organization with 12,000 staff and 3,000
physicians, Erven and Collao said, more than 68,000 devices are exposed
online, including 21 anaesthesia systems, 488 cardiology systems, 67 nuclear
medical systems, 133 infusion systems, 31 pacemakers, 97 MRI scanners, and
323 picture archiving and communications devices.

The researchers discovered the linked devices through the Shodan device
search engine.  "Once we [started] changing [search terms] to target
speciality clinics like radiology or podiatry or pediatrics, we ended up
with thousands with misconfiguration and direct attack vectors," Erven said.

MRI and defibrillator machine honeypots placed by Erven and Collao attracted
55,416 successful SSH and Web logins and 299 malware payloads.  As a result,
they said, it's reasonable to assume that there are infected medical devices
connecting to command and control servers on a regular basis.

"These devices are getting owned repeatedly, and now that more devices and
hospitals are Wi-Fi enabled, it's pretty prevalent," Collao said, SC
Magazine reports.  "Next time you're in a hospital and you're getting hooked
up to a machine and you see Ethernet going into a wall, it makes you think
twice -- is this connected to a command and control server somewhere?"

"The Internet of Things is already here, and some of its denizens are
already in critical condition," Tripwire director of IT security and risk
strategy Tim Erlin told eSecurity Planet by email.  "Embedded devices are
nothing new, and the expansion of Internet connectivity has turned networked
embedded devices, from energy to healthcare, into internetworked embedded
devices.  As the forward end of the industry works to bring the 'things' to
the Internet, the Internet has already been brought to the 'things' that
were out there."

"With embedded devices, it's often not as simple as applying the latest
updates," Erlin added.  "When those devices interact directly with a human
being in a therapeutic task, it's even more complicated to make changes.
This isn't a challenge that's likely to go away.  It's likely to get worse,
and make headlines, when someone hacks a medical device to make a point."

------------------------------

Date: Wed, 7 Oct 2015 00:00:28 +0200
From: Thomas Koenig <tkoenig () netcologne de>
Subject: European court of Justice bans "Safe Harbor" decision

The European Court of Justice has declared the "Safe Harbor" decision, under
which personal data of EU citizens could be handed over to US companies
provided these companies bound themselves to certain rules, illegal.  The
indiscriminate access of US authorities to this data is held to contradict
fundamental human rights to privacy and to judicial protection.

The court's arguments are very strongly worded, and are quite familiar to
anybody who has read RISKS for any length of time since 2013.  In the
argument given prior to the decision, the Advocate General specifically
cited PRISM as a reason why US privacy provisions were inadequate.  The US
government tried to counter this with a statement, but to no avail.

Apart from the human rights aspects, this is likely to have a severe impact
on Internet commerce.  Around 4500 companies transfer personal data of EU
citizens to the US for processing under the "Safe Harbor".  The legal basis
for this has now been removed.  Some companies have tried to use other legal
grounds for transferring data, but it is at the moment quite unclear which
of these are, in fact, legal.

Companies operating in Europe might be obliged to state in their conditions
of service that data may be handed over to US intelligence indiscriminately.  Of
course, this might put them into the quandary that US law prohibits such
revelations.  The only way out might be for US Internet companies to move
their data centers to Europe, or to stop doing business with EU citizens
entirely.

As an aside, the negotiations about TTIP are also likely to be held up.

So, the NSA scandal is finally going to cost the US (and possibly other)
economies a *lot* of money.

The strategy of just ignoring the NSA scandal and hoping that it will all go
away if all participants simply close their eyes hard enough has not worked.

Today might also be remembered as a big step towards the break-up of the
Internet into regional networks, which is now a very real possibility
following the NSA scandal.

The press release itself can be found at

http://curia.europa.eu/jcms/jcms/P_180250/

Some key sentences (stressed parts marked with asterisks are from the
original):

  United States public authorities are not themselves subject to it
  [the agreement]. Furthermore, national security, public interest and
  law enforcement requirements of the United States prevail over the
  safe harbour scheme, so that United States undertakings are bound *to
  disregard, without limitation, the protective rules laid down by that
  scheme where they conflict with such requirements.* The United States
  safe harbour scheme thus enables interference, by United States
  public authorities, with the fundamental rights of persons.

  [...] legislation permitting the public authorities to have access on
  a generalised basis to the content of electronic communications must
  be regarded as *compromising the essence of the fundamental right to
  respect for private life*.

  [...] legislation not providing for any possibility for an individual
  to pursue legal remedies in order to have access to personal data
  relating to him, or to obtain the rectification or erasure of such
  data, *compromises the essence of the fundamental right to effective
  judicial protection,* the existence of such a possibility being
  inherent in the existence of *the rule of law.*

------------------------------

Date: Tuesday, October 6, 2015
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Top EU court says US privacy protections are inadequate in landmark
  ruling (Amar Toor)

Amar Toor, The Verge, 6 Oct 2015
Decision to invalidate data-transfer agreement could have far-reaching
implications for U.S. tech companies in Europe

http://www.theverge.com/2015/10/6/9460465/european-court-facebook-safe-harbor-ruling-data-transfer

Europe's highest court today ruled that Facebook cannot send personal
information on European users to data centers in the US, invalidating a
15-year trans-Atlantic data transfer agreement. In a decision that could
have far-reaching implications for many US tech companies, the European
Court of Justice said that the EU's Safe Harbor agreement with the US is
"invalid" because the country does not guarantee adequate privacy
protections. The agreement allows technology companies to transfer data from
Europe to the US, provided that certain privacy requirements are met.
According to *The Wall Street Journal* today's ruling could impact around
4,500 companies that currently rely on the laws to transfer data to the US.
<http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf>
<http://www.wsj.com/articles/eu-court-strikes-down-trans-atlantic-safe-harbor-data-transfer-pact-1444121361>

The case was brought before Ireland's high court by Max Schrems, an Austrian
activist who argued that Facebook had violated his privacy by processing his
personal data in the US, citing recent revelations about the NSA's
surveillance programs. The Irish court rejected Schrems' complaint, pointing
to the European Commission's Safe Harbor decision, but the European court
today ruled that the agreement is invalid, and that EU regulators should be
able to restrict data flows as they see fit.

In a statement, the court said that Irish authorities are now "required to
examine Mr. Schrems' complaint with all due diligence," and can decide
whether "transfer of the data of Facebook's European subscribers to the
United States should be suspended on the ground that that country does not
afford an adequate level of protection of personal data."

A Facebook spokesperson did not immediately respond to a request for
comment.

------------------------------

Date: Sat, 3 Oct 2015 21:01:25 -0400
From: Monty Solomon <monty () roscom com>
Subject: How Many Deaths Did Volkswagen's Deception Cause in the U.S.?

http://www.nytimes.com/2015/09/29/upshot/how-many-deaths-did-volkswagens-deception-cause-in-us.html

Public health researchers have formulas to calculate the lives lost from excess pollution.

------------------------------

Date: Sun, 4 Oct 2015 12:26:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Engine Shortfall Pushed Volkswagen to Evade Emissions Testing

http://www.nytimes.com/2015/10/05/business/engine-shortfall-pushed-volkswagen-to-evade-emissions-testing.html

The carmaker installed emissions-cheating software in 2008 after realizing
that a new diesel motor could not meet pollution standards, people familiar
with an internal inquiry said.

------------------------------

Date: Sat, 3 Oct 2015 12:06:22 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Peeple Risks

  [Rob might become the Enemy-of-(the-)Peeple? PGN]

I am Rob not-of-Peeple.  But resistance is futile.  I will be assimilated,
whether I like it or not, if anyone knows my phone number.

As long as I don't sign up, I will remain in ignorance-is-blissful ignorance
of any negative "reviews," or other cyberbullying, taking place on the
system.  (At the moment I'd have to sign up through Facebook, which is
off-putting in any case.)

If any troll or malcontent does post anything negative about me, I have 48
hours to ask them nicely to rescind it.  If, for any reason, they decide not
to, there is absolutely nothing I can do about it.

Peeple. When you care enough to post the very worst.

https://nakedsecurity.sophos.com/2015/10/02/prepare-to-be-rated-on-a-5-star-scale-by-peeple-like-it-or-not/

Inquiring minds want to know:

Do they do any checking on the phone numbers?  Can I create an "account" for
someone just by putting in a random phone number?  Can you use someone's
work number?  Do they do any sanity checking?  Can I create someone with a
555 number?  Do they accept international phone numbers?  How do they deal
with Americans who know nothing about international phone number formats?

How hard would it be to mount a major cyberbullying campaign against the
founders of the system?

So far they are pushing babysitting and teaching, but how hard would it be
to create other categories on the system?  Could you create a
"generally-really-nasty-person" category and then rate people highly on
that?  Do they have any checks that would prevent you from using "bad words"
to create new categories?

Can you post pictures?  Video?  Fake ones?  Are they checking for copyright
violations?

rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: 4 Oct 2015 08:43
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: The Athens Affair shows why we need encryption without backdoors
  (Trevor Timm)

The Athens Affair shows why we need encryption without backdoors.
Revelations about the hack that allowed Greek politicians to be spied on in
2004 come at a time when the White House is set to announce its encryption
policy

Trevor Timm, *The Guardian*, 30 Sep 2015

http://www.theguardian.com/commentisfree/2015/sep/30/athens-affair-encryption-backdoors

Just as it seems the White House is close to finally announcing its policy
on encryption -- the FBI has been pushing for tech companies like Apple and
Google to insert backdoors into their phones so the US government can always
access users' data -- new Snowden revelations and an investigation by a
legendary journalist show exactly why the FBI's plans are so dangerous.

One of the biggest arguments against mandating backdoors in encryption is
the fact that, even if you trust the United States government never to abuse
that power (and who does?), other criminal hackers and foreign governments
will be able to exploit the backdoor to use it themselves. A backdoor is an
inherent vulnerability that other actors will attempt to find and try to use
it for their own nefarious purposes as soon as they know it exists, putting
all of our cybersecurity at risk.

In a meticulous investigation, longtime NSA reporter James Bamford reported
at the Intercept Tuesday that the NSA was behind the notorious Athens
Affair.  In surveillance circles, the Athens Affair is stuff of legend:
after the 2004 Olympics, the Greek government discovered that an unknown
attacker had hacked into Vodafone's ``lawful intercept'' system, the phone
company's mechanism of wiretapping phone calls. The attacker spied on phone
calls of the president, other Greek politicians and journalists before it
was discovered.

According to Bamford's story, all this happened after the US spy agency
cooperated with Greek law enforcement to keep an eye on potential terrorist
attacks for the Olympics. Instead of packing up their surveillance gear,
they covertly pointed it towards the Greek government and its people. But
that's not all: according to Snowden documents that Bamford cited, this is
a common tactic of the NSA. They often attack the ``lawful intercept''
systems in other countries to spy on government and citizens without their
knowledge:

Exploiting the weaknesses associated with lawful intercept programs was a
common trick for NSA. According to a previously unreleased top-secret
PowerPoint presentation from 2012, titled ``Exploiting Foreign Lawful
Intercept Roundtable'', the agency's ``countries of interest'' for this work
included, at that time, Mexico, Indonesia, Egypt and others. The
presentation also notes that NSA had about 60 ``Fingerprints'' -- ways to
identify data -- from telecom companies and industry groups that develop
lawful intercept systems, including Ericsson, as well as Motorola, Nokia and
Siemens.

It's the exact nightmare scenario security experts have warned about
when it comes to backdoors: they are not only available to those that
operate them `legally', but also to those who can hack into
them to spy without anyone's knowledge. If the NSA can do it, so can
China, Russia and a host of other malicious actors. [...]

------------------------------

Date: October 5, 2015 at 1:42:05 PM EDT
From: Dorothy Denning <dedennin () nps edu>
Subject: The 'Athens Affair' shows why we need encryption without backdoors

There was a good article about this in 2007 in IEEE Spectrum. At the time,
they didn't know who did it.

Vassilis Prevelakis and Diomidis Spinellis, The Athens Affair, IEEE
Spectrum, July 2007, http://www.spectrum.ieee.org/jul07/5280

------------------------------

Date: Oct 4, 2015 2:09 PM
From: Grady Booch <egrady () booch com>
Subject: The Athens Affair shows why we need encryption without backdoors

We did something similar at the end of World War II: having broken the
Enigma code, the US and the UK rounded up all the Enigma machines we could
find, and gave/sold them to many of our allies (but neglecting to tell them
the fact that Bletchley had broken the encryption).

------------------------------

Date: Mon, 5 Oct 2015 12:12:30 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Got 'Em! Researchers Steal Crypto Keys From Amazon Cloud

Fahmida Y. Rashid, InfoWorld, 30 Sep 2015, via ACM TechNews, 5 Oct 2015

Worcester Polytechnic Institute (WPI) researchers have demonstrated how to
use one instance of Amazon EC2 to recover the full 2,048-bit RSA key from a
separate Amazon instance.  "We exploit the [last-level cache (LLC)] to
recover the secret key of a modern sliding-window exponentiation-based
implementation of RSA, across cores and without relying on deduplication,"
the researchers say.  They note malicious hackers could use this strategy to
intercept the targeted entity's encrypted communications and extract
potentially valuable information.  For this attack to work, both the
attacker's Amazon account and the target Amazon account containing the
private RSA key must be on the same hardware chip or chip set.  "Everything
must work in concert together and it is highly difficult to pull off," notes
Comodo's Robin Alden.  The researchers say their technique highlights the
need for deploying stronger isolation techniques in public clouds.  Experts
recommend providers patch the weaknesses that make these types of attacks
possible, and smarter cache management policies for hardware and software
could prevent side-channel leakages and future exploits.  "A more random
placement policy would make it tougher for attackers to land on the same
[central processing unit] or hardware as that of the intended target," says
Ciphercloud's Sundaram Lakshmanan.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e275x2d540x063483&;

------------------------------

Date: Mon, 5 Oct 2015 12:12:30 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Identifying Problems With National Identifiers: Supposedly
  Encrypted Numbers Can Be Easily Decrypted

Harvard University, 29 Sep 2015, via ACM TechNews, Monday, October 5, 2015

Harvard University researchers have used a pair of experiments to show
Resident Registration Numbers (RRNs) used in South Korea can be decrypted to
reveal a range of personal information.  In the experiments, the researchers
were able to decrypt more than 23,000 RRNs using both computation and
logical reasoning.  The findings suggest that although such identifiers are
encrypted to protect privacy, they remain vulnerable to attack and must be
designed to avoid such weaknesses.  The researchers showed each number in
the RRN could be replaced with a letter in a recognizable pattern, which
could then be used to decrypt thousands of RRNs, which could reveal personal
information about their users.  They also found the final RRN digit is a
weighted sum of prior digits, meaning it is possible to decrypt the numbers
and then use arithmetic to confirm the accuracy of the information.  "Our
study shows that weak encoding systems, which refer to the very design of
the number, render encryptions as poor methods of protecting privacy," the
researchers note.  The findings are timely, because South Korea is currently
debating a redesign of RRNs and other nations, including the U.S., have
discussed the use of a single identifier for medical records, according to
Harvard professor Latanya Sweeney.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e275x2d544x063483&;
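
The check-digit property summarized above, as an added example (not part of the digest item or of the Harvard study): it shows why a number whose last digit is a weighted sum of the others is self-verifying, so a wrong decoding of a letter-for-digit encoding is detectable without any outside data. The weights and field layout are the publicly documented RRN format, an assumption not stated on this page; the sample number and the letter tables are constructed.

```python
# Added illustration; not code from the digest or from the study it cites.
# Assumption: the publicly documented 13-digit layout YYMMDD-GNNNNNC,
# simplified to 7th digits 1-4 (births in the 1900s and 2000s).
from datetime import date

WEIGHTS = (2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5)
CENTURY = {1: 1900, 2: 1900, 3: 2000, 4: 2000}


def check_digit(first12: str) -> int:
    """Final digit: weighted sum of the 12 prior digits, reduced mod 11."""
    total = sum(int(d) * w for d, w in zip(first12, WEIGHTS))
    return (11 - total % 11) % 10


def birth_fields_ok(number: str) -> bool:
    """True if digits 1-7 describe a real calendar date."""
    century = CENTURY.get(int(number[6]))
    if century is None:
        return False
    try:
        date(century + int(number[0:2]), int(number[2:4]), int(number[4:6]))
    except ValueError:
        return False
    return True


def self_consistent(number: str) -> bool:
    """True if the number passes every check derivable from its own digits."""
    if len(number) != 13 or not (number.isascii() and number.isdigit()):
        return False
    return birth_fields_ok(number) and check_digit(number[:12]) == int(number[12])


def valid_fraction() -> float:
    """Share of all 13-digit strings that are self-consistent."""
    prefixes = 0  # valid (date, 7th digit) combinations
    for century in CENTURY.values():
        prefixes += (date(century + 100, 1, 1) - date(century, 1, 1)).days
    # 5 free digits follow; the check digit is fully determined.
    return prefixes * 10**5 / 10**13


def decode(encoded: str, table: dict) -> str:
    """Undo a digit-to-letter substitution given a candidate table."""
    reverse = {letter: digit for digit, letter in table.items()}
    return "".join(reverse[ch] for ch in encoded)


# Constructed sample: obviously synthetic number and substitution tables.
SAMPLE = "0001011000002"
TABLE = dict(zip("0123456789", "QWERTYUIOP"))
ENCODED = "".join(TABLE[d] for d in SAMPLE)
WRONG_TABLE = dict(TABLE, **{"1": TABLE["2"], "2": TABLE["1"]})

if __name__ == "__main__":
    print("correct table :", self_consistent(decode(ENCODED, TABLE)))
    print("wrong table   :", self_consistent(decode(ENCODED, WRONG_TABLE)))
    print("valid fraction: %.5f" % valid_fraction())
```

Only about 0.15% of 13-digit strings pass these checks, which is the design weakness the researchers describe: the structure of the number, not the strength of the encoding, decides how much protection is left.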

------------------------------

Date: Mon, 5 Oct 2015 12:12:30 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Study Rates UW CSE ... Most Practically Relevant (U.Wash)

U.Wash via ACM TechNews, Monday, October 5, 2051

Study Rates UW CSE Software and Engineering Research Most Practically
Relevant of the Past Five Years, University of Washington News and
Information, 1 Oct 2015

A tool developed by University of Washington (UW) researchers to improve
collaboration between software developers has been judged the most
practically relevant software engineering research of the last five years.
The recognition comes from an industrial relevance study conducted by
Microsoft Research and Singapore Management University, which asked more
than 500 software developers to rate the relevance to their daily work of
571 research papers.  The greatest number of respondents rated the UW
project, which generated the Crystal collaboration tool, as an "essential"
addition to the practice of software development.  The UW research team, led
by professors Michael Ernst and the late David Notkin, developed Crystal as
a way to help developers who are working on a team in parallel avoid making
changes that might be in conflict with each other.  Crystal does this by
continuously merging every developer's changes into the software so
conflicts become apparent and can be quickly addressed.  Crystal prevents
wasting time returning to the code to rectify conflicts and problems after
the fact.  The paper on proactive conflict detection was part of the
speculative analysis project, led by Ernst at UW's Programming Languages &
Software Engineering group.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e275x2d547x063483&;

------------------------------

Date: Mon, 5 Oct 2015 15:00:15 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject:  US Customs collecting info on every Amtrak passenger

  (Papers Please & Mass Private via Black Listed)

US Customs is collecting the personal information of every Amtrak passenger
29 Sep 2015
Source: Mass Private I
http://massprivatei.blogspot.com/2015/09/us-customs-is-collecting-personal.html

According to Papers Please
<http://papersplease.org/wp/2015/09/23/does-cbp-have-access-to-domestic-amtrak-reservations/> :

Documents
<http://papersplease.org/wp/wp-content/uploads/2015/09/amtrak-21sep2015.pdf>
released by Amtrak suggest that since 2012, US Customs and Border Protection
(CBP) has had direct access to Amtrak's reservation system, possibly
including access to reservations for Amtrak passengers traveling entirely
within the USA.

The Amtrak documents Papers Please received are the fourth in a continuing
series of long-overdue
interim responses to a FOIA request they made in October 2014 for records
related to Amtrak's data-sharing and other collaboration with DHS and other
US and foreign law enforcement agencies:
<http://papersplease.org/wp/wp-content/uploads/2015/09/amtrak-21sep2015.pdf>
<http://www.papersplease.org/wp/2015/03/20/amtrak-lies-about-police-use-of-passenger-data/>
<http://www.papersplease.org/wp/2015/04/23/amtrak-formats-for-passenger-id-data-dumps-to-governments/>
<http://papersplease.org/wp/2015/06/21/more-on-amtrak-passenger-data-requirements/>
<http://papersplease.org/wp/wp-content/uploads/2014/10/amtrak-foia-29oct2014.pdf>
http://www.blacklistednews.com/US_Customs_is_collecting_the_personal_information_of_every_Amtrak_passenger/46407/0/38/38/Y/M.html

------------------------------

Date: Sun, 4 Oct 2015 03:29:43 -0400
From: Monty Solomon <monty () roscom com>
Subject: Scottrade had no idea about data breach until the feds showed up

When an organization gets hacked, ideally they'll realize it promptly and
warn their users right away. Take crowdfunding site Patreon, which was
hacked on Monday and has already informed the world about the problem.
Scottrade, an investment brokerage company, is different, and not in a good
way.

The company announced Friday that it suffered a security breach over a
period of several months from late 2013 to early 2014, affecting
approximately 4.6 million customers. But in a statement, Scottrade said it
had no idea that the breach had occurred until law enforcement officials
told them about it.

Remember: This is a company that is charged with storing real money and
managing investments. Let that sink in for a second.

http://www.pcworld.com/article/2988993/security/scottrade-had-no-idea-about-data-breach-until-the-feds-showed-up.html

------------------------------

Date: Sun, 4 Oct 2015 12:28:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: Sherry Turkle's Reclaiming Conversation

http://www.nytimes.com/2015/10/04/books/review/jonathan-franzen-reviews-sherry-turkle-reclaiming-conversation.html

Jonathan Franzen reviews a new book based on interviews with people who say they feel controlled by new technologies.

------------------------------

Date: Mon, 5 Oct 2015 01:16:44 -0400
From: Monty Solomon <monty () roscom com>
Subject: Business Technology Starts to Get Personal

http://bits.blogs.nytimes.com/2015/10/04/business-technology-starts-to-get-personal/

Despite their very different companies, the chief executives of General
Electric and Apple have something in common: They believe businesses will
increasingly rely upon `personalized' technology to run their operations.

------------------------------

Date: Sun, 04 Oct 2015 04:58:59 +0300
From: Henry Crun <mike () rechtman com>
Subject: Re: Open Office on Ubuntu

Following https://bugs.launchpad.net/ubuntu/+source/cupsys/+bug/255161,
the bug report is dated 2008, so the bug is weird, slipped past checks,
but is slightly outdated.  Mike R.

------------------------------

Date: Sun, 4 Oct 2015 17:27:44 -0400
From: David Canzi <dmcanzi () uwaterloo ca>
Subject: Re: How to make the Internet worse for everyone except the slimeballs

Don't blame the ad-blockers or their users.

Attention is the resource from which marketers make their living.  It's a
limited resource.

When the volume of advertising is low, a marketer, by putting one more ad on
a web page, gets an increase in profits.  As the volume of advertising
increases, the profit the marketer gains from one more ad decreases, and the
ad decreases the amount of attention paid to other marketers' ads, reducing
their profits.  At some point the profit a marketer gains by placing one
more ad is less than the total loss that the ad causes to other marketers.
This scenario may sound familiar...

https://en.wikipedia.org/wiki/Tragedy_of_the_commons

The marketers who will survive are the ones who are willing to use the most
obnoxious tactics to take our attention.  Anybody with any decency will fail
or quit.  Web advertising will be dominated by slimeballs whether or not the
end users use ad-blockers.

------------------------------

Date: Mon, 5 Oct 2015 01:16:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Putting Mobile Ad Blockers to the Test

http://www.nytimes.com/2015/10/01/technology/personaltech/ad-blockers-mobile-iphone-browsers.html

Two tests were carried out with ad blockers: one to measure how much loading
times were improved, and the second to study battery life.

------------------------------

Date: Sat, 3 Oct 2015 20:19:50 +0100
From: Alan Ralph <alan () alanralph co uk>
Subject: Re: Adblock sells out -- refuses to identify the buyer

Just to be clear, this is Adblock [1], not AdBlock Plus [2], that is the
subject of the article [3] that Lauren linked to.

Having said that, it's worth noting the following from said article :

What's interesting is six months ago Adblock changed its name suddenly [4]
to BetaFish Adblocker, claiming it was an `experiment'.

BetaFish is the name of Gundlach's holding company that owned Adblock and
around the same time had applied for a US trademark [5] on the word
`Adblock'.

Support staff claimed five months ago that the company was not being
purchased by someone or preparing for participation acceptable ad program,
but the move may have pre-empted today's deal.

The name was later changed back to simply Adblock, without further explanation.

Does that mean that AdBlock's new owners want to go after Eyeo [6], the
company that makes AdBlock Plus? I guess we'll find out soon enough!

[1] https://getadblock.com/
[2] https://adblockplus.org
[3] http://thenextweb.com/apps/2015/10/02/trust-us-we-block-ads
[4] http://support.getadblock.com/discussions/suggestions/998-why-did-you-change-adblock-name-to-betafish-adblocker/page/1#comment_36657836
[5] https://tsdr.uspto.gov/#caseNumber=86537340&caseType=SERIAL_NO&searchType=statusSearch
[6] https://eyeo.com/

Alan Ralph - Wearer Of Many Hats!  alan () alanralph co uk

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.02
************************

