Risks Digest 29.04


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 17 Oct 2015 15:17:09 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 17 October 2015  Volume 29 : Issue 04

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.04.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Flight MH17 downed by Russian-built missile (PGN)
ACARS pen-tester reports vulnerabilities according to EASA (PGN)
U.S. Navy teaching celestial navigation in case computers infected
  (Mark Thorson)
Lessons from Ten Years of IT Failure (Robert Charette)
How the NSA can break trillions of encrypted Web and VPN connections
  (Ars Technica quoting Alex Halderman and Nadia Heninger)
Reducing risks in national elections? (NYTimes)
Tesla Adds High-Speed Autonomous Driving to Its Bag of Tricks (NYTimes)
Software fault causes UK drivers to be banned from driving (The Guardian)
Robber uses Uber as getaway car (Mark Thorson)
UltraDNS Server Problem Pulls Down Websites, Including Netflix, for
  90 Minutes (NYTimes)
Compulsive Texting Takes Toll on Teenagers (NYTimes)
The Deception Behind Illegal Bets (NYTimes)
Art Forgers Beware: DNA Could Thwart Fakes (NYTimes)
Apple Is Said to Deactivate Its News App in China (NYTimes)
Majority of ISPs not ready for metadata laws that come into force
  (Australian ABC)
If you're not Flash Player "free" by now, you REALLY oughta be...
  (AppleInsider via Geoff Goodfellow)
Credit Rules (US gov via AlMac)
Video Explainer: How Criminals Can Easily Hack Your Chip & PIN Card
  (Gizmodo)
FBI's statement on microchip-enabled credit cards (Armando Stettner)
FBI takes down alert on chip credit cards after bankers complain
  (John Levine)
Social Media Abuse Stories to Shrivel Your Soul (NYTimes)
Re: Undercover New Hampshire police nab cellphone ban violators
  (Bob Frankston)
Apple removes Been Choice and other ad blockers from its app store
  (Monty Solomon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 13 Oct 2015 17:11:51 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Flight MH17 downed by Russian-built missile

Seemingly conclusive Dutch report via *The Guardian*
http://cdn.onderzoeksraad.nl/documents/report-mh17-crash-en.pdf

------------------------------

Date: Tue, 13 Oct 2015 16:24:49 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: ACARS pen-tester reports vulnerabilities according to EASA

The following article argues that a penetration tester was able to access
aircraft control systems through ACARS.

http://www.scmagazineuk.com/european-aviation-body-warns-of-cyber-attack-risk-against-aircraft/article/444487/

------------------------------

Date: Wed, 14 Oct 2015 15:59:31 -0700
From: Mark Thorson <eee () sonic net>
Subject: U.S. Navy teaching celestial navigation in case computers infected

Computer-based systems are not trusted, so the stars
are your backup.  Better keep a lodestone in your pocket.

http://www.sltrib.com/home/3062676-155/cybersecurity-fears-are-making-us-sailors

------------------------------

Date: Sat, 17 Oct 2015 12:39:43 -0400
From: "Robert Charette" <Charette () itabhi com>
Subject: Lessons from Ten Years of IT Failure

Back in September 2005, IEEE Spectrum magazine published my article "Why
Software Fails," that examined the underlying causes of notable IT project
failures. Then, in June 2007, I started writing the Risk Factor blog for the
magazine, with the goal of tracking information technology development and
operational failures/ooftas both large and small.  Since the beginning of
the year, my Spectrum colleague Josh Romero and I have been working quite
hard organizing, verifying and analyzing the data collected from over 1,750
Risk Factor blog posts (as well as other public information) and figuring
out a convenient way to display the most significant/interesting failures
that have happened since my 2005 article.  The project (somewhat ironically)
turned out to be a bit more complex and time consuming than planned, but we
are now finally done.

The landing page for our effort is now available here:
http://spectrum.ieee.org/static/lessons-from-a-decade-of-it-failures. More
links will be posted over the next few weeks. I hope you enjoy them.

------------------------------

Date: Thu, 15 Oct 2015 10:02:48 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How the NSA can break trillions of encrypted Web and VPN connections

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

  "Since a handful of primes are so widely reused, the payoff, in terms of
  connections they could decrypt, would be enormous," researchers Alex
  Halderman and Nadia Heninger wrote in a blog post published Wednesday.
  "Breaking a single, common 1024-bit prime would allow NSA to passively
  decrypt connections to two-thirds of VPNs and a quarter of all SSH servers
  globally.  Breaking a second 1024-bit prime would allow passive
  eavesdropping on connections to nearly 20% of the top million HTTPS
  websites.  In other words, a one-time investment in massive computation
  would make it possible to eavesdrop on trillions of encrypted
  connections."

Not just NSA. Also all the other major powers East and West as well,
especially working in tandem.
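
[Added example, not part of the original post or the cited article: a defender-side audit of one OpenSSH server for the 1024-bit Diffie-Hellman groups the quote refers to. It reads `sshd -T` output and a moduli(5) file; the 2048-bit floor and the sample inputs are assumptions, and the sample moduli are constructed stand-ins of the right length, not real primes.]

```python
"""Flag 1024-bit Diffie-Hellman groups in an OpenSSH server's settings."""

MIN_BITS = 2048  # assumption: policy floor chosen for this example

# Key-exchange methods tied to one fixed, globally shared group
# (group sizes per RFC 4253 and RFC 8268).
FIXED_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group18-sha512": 8192,
}


def parse_moduli(text):
    """Yield (line_number, bits) for each entry of a moduli(5) file.

    Fields: time type tests tries size generator modulus(hex).
    The size is measured from the modulus itself, not read from the size column.
    """
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        yield lineno, int(fields[6], 16).bit_length()


def weak_moduli(text, min_bits=MIN_BITS):
    """Group-exchange candidates shorter than min_bits, as (line_number, bits)."""
    return [(n, bits) for n, bits in parse_moduli(text) if bits < min_bits]


def weak_fixed_kex(sshd_t_output, min_bits=MIN_BITS):
    """Enabled fixed-group key-exchange methods whose group is below min_bits."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "kexalgorithms":
            # Methods not in the table (curve25519, group-exchange) are not
            # judged here; group-exchange depends on the moduli file instead.
            return [k for k in value.split(",")
                    if FIXED_GROUP_BITS.get(k, min_bits) < min_bits]
    return []


# Constructed sample inputs (the hex strings only have the right length).
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    "20150101000000 2 6 100 1023 2 " + "F" * 256,
    "20150101000000 2 6 100 2047 5 " + "F" * 512,
])
SAMPLE_SSHD_T = (
    "port 22\n"
    "kexalgorithms curve25519-sha256@libssh.org,"
    "diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\n"
)

if __name__ == "__main__":
    for lineno, bits in weak_moduli(SAMPLE_MODULI):
        print(f"moduli line {lineno}: {bits}-bit group, below {MIN_BITS}")
    for kex in weak_fixed_kex(SAMPLE_SSHD_T):
        print(f"KexAlgorithms enables {kex} ({FIXED_GROUP_BITS[kex]}-bit fixed group)")
```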

------------------------------

Date: Mon, 12 Oct 2015 19:05:10 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Reducing risks in national elections? (NYTimes)

http://www.nytimes.com/2015/10/12/opinion/americas-aging-voting-machines.html

The federal government should play a big role in making national elections
run more smoothly.   [Amen!  PGN]

------------------------------

Date: Sat, 17 Oct 2015 09:44:11 -0400
From: Monty Solomon <monty () roscom com>
Subject: Tesla Adds High-Speed Autonomous Driving to Its Bag of Tricks
  (NYTimes)

After a $2,500 software download, Model S drivers can let the car take over
on the Interstate, the first car sold to consumers with such capabilities.
http://www.nytimes.com/2015/10/16/automobiles/tesla-adds-high-speed-autonomous-driving-to-its-bag-of-tricks.html

------------------------------

Date: Sat, 17 Oct 2015 16:53:48 +0100
From: Tom Gardner <tggzzz () gmail com>
Subject: Software fault causes UK drivers to be banned from driving

Over 600 drivers have been banned from driving even though the UK Driver
Vehicle Licencing Agency (DVLA) has admitted that equipment used to test
their eyesight between 2010 and 2015 was faulty. Around 80% of those who
agreed to be reassessed have since had their driving licences restored.

The tests in question are mandatory for some medical conditions, and involve
tracking random flashing lights on a screen while focusing on a target
straight ahead. A software fault in the equipment caused the lights to shine
less brightly than they should.

The DVLA denies responsibility because "this software issue originated at
the point of manufacture and not as a result of any action or inaction by
the DVLA".  An exclusive contract with a chain of opticians, Specsavers,
enables them to claim that "It is because we started doing all the official
tests that we had access to enough data to realise there were anomalies".

Using a strange definition of "rectified", Specsavers stated "The software
issue has been rectified and Specsavers has taken the decision to replace
the machine entirely".

http://www.theguardian.com/money/2015/oct/17/motorists-banned-dvla-eyesight-test-faulty-equipment

  [Also noted by Clive Page at Leicester UK:
    Some of those affected want compensation, but it is hard to sue a
    government agency like the DVLA, and it refuses to say which brand of
    machine was at fault.
  PGN]

------------------------------

Date: Wed, 14 Oct 2015 16:01:16 -0700
From: Mark Thorson <eee () sonic net>
Subject: Robber uses Uber as getaway car (Mark Thorson)

He was caught.  Driver and another passenger were let go.

http://abcnews.go.com/US/armed-robbery-suspect-uber-getaway-car-police/story?id=34388517

------------------------------

Date: Fri, 16 Oct 2015 08:15:23 -0400
From: Monty Solomon <monty () roscom com>
Subject: UltraDNS Server Problem Pulls Down Websites, Including Netflix, for
  90 Minutes (NYTimes)

UltraDNS Server Problem Pulls Down Websites, Including Netflix, for 90 Minutes
The problem stemmed from a malfunction in a server on the East Coast that is
part of the system of UltraDNS, a content delivery company.
http://www.nytimes.com/2015/10/16/technology/ultradns-server-problem-pulls-down-websites-including-netflix-for-90-minutes.html

------------------------------

Date: Thu, 15 Oct 2015 19:13:03 -0400
From: Monty Solomon <monty () roscom com>
Subject: Compulsive Texting Takes Toll on Teenagers (NYTimes)

Youngsters who check their phones constantly and snap if you interrupt them
may have a texting problem, a new study found.

------------------------------

Date: Thu, 15 Oct 2015 19:12:55 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Deception Behind Illegal Bets (NYTimes)

Cash Drops and Keystrokes: The Dark Reality of Sports Betting and Daily Fantasy Games
http://www.nytimes.com/interactive/2015/10/15/us/sports-betting-daily-fantasy-games-fanduel-draftkings.html
http://nyti.ms/1VTOQfz

------------------------------

Date: Fri, 16 Oct 2015 00:06:55 -0400
From: Monty Solomon <monty () roscom com>
Subject: Art Forgers Beware: DNA Could Thwart Fakes (NYTimes)

A new method of authenticating artwork uses manufactured DNA to give each
piece a unique identifier.
http://www.nytimes.com/2015/10/13/arts/design/developing-dna-as-a-standard-for-authenticating-art.html

------------------------------

Date: Tue, 13 Oct 2015 08:38:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: Apple Is Said to Deactivate Its News App in China

http://www.nytimes.com/2015/10/12/technology/apple-is-said-to-deactivate-its-news-app-in-china.html

The app displays an error message instead of news articles, possibly in an
effort to avoid running afoul of Chinese censorship policies.

------------------------------

Date: Mon, 12 Oct 2015 21:52:32 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Majority of ISPs not ready for metadata laws that come into force

Australia's ABC via NNSquad
http://www.abc.net.au/news/2015-10-13/majority-of-isps-not-ready-to-start-collecting-metadata/6847370

  Craig runs a small ISP in regional Australia and his business will not be
  ready to collect metadata.  He said he had begun the lengthy process to
  explain to the Government how the data will be retained, but it was taking
  too much time and was putting the business at risk.  "We've now reached
  400 pages of this document [the DRIP]. It's a very complicated process and
  it's eating into our profitability," he said.  "The amount of time we're
  spending on it is so high that it has become an unviable thing to continue
  on.  "We have to look after our clients, customers and keep working."  He
  said he would be reducing the amount of services he offered clients
  because data retention regulations had made offering them non-profitable.
  "There are already parts of our business that we are going to have to just
  switch off the lights because of the data retention side of things," he
  said.  Mr Stanton said it was possible smaller ISPs would close down
  rather than struggle on.

------------------------------

Date: Thu, 15 Oct 2015 10:17:15 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: If you're not Flash Player "free" by now, you REALLY oughta be...

http://appleinsider.com/articles/15/10/15/adobe-identifies-major-flash-player-vulnerability-says-exploit-being-used-in-real-world-attacks

http://9to5mac.com/2015/10/15/adobe-flash-critical-vulnerability/

------------------------------

Date: Tue, 13 Oct 2015 12:04:01 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Credit Rules (US gov)

With the US credit debit card industry switching to chip technology, the US
gov has updated a web site with THE RULES for people doing business with
merchants, and merchants doing business with the gov.  There are more rules
here than I was previously aware of, and some of these rules are a changing.

https://www.usa.gov/expand-business#item-211583

------------------------------

Date: Thu, 15 Oct 2015 11:50:09 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Video Explainer: How Criminals Can Easily Hack Your Chip & PIN Card

http://gizmodo.com/video-explainer-how-criminals-can-easily-hack-your-chi-1736669839

  In this video explainer from Computerphile, Professor Ross Anderson from
  the Computer Laboratory at the University of Cambridge explains how
  criminals can compromise the Chip & PIN system. At first glance it seems
  much harder to overcome than the humble old magnetic strip but, as he
  explains, crooks are smart and have found plenty of ways to circumnavigate
  the difficulties.

------------------------------

Date: Oct 13, 2015 1:17 PM
From: "Armando Stettner" <aps () ieee org>
Subject: FBI's statement on microchip-enabled credit cards

  [via Dave Farber]

The FBI statement on microchips, before it disappears again.

October 13, 2015
Alert Number
I-100815(REVISED)-PSA

Questions regarding this PSA should be directed to your local *FBI Field
Office*.

Local Field Office Locations: www.fbi.gov/contact-us/field
<http://www.ic3.gov/egress.aspx?u=http%3a%2f%2fwww.fbi.gov%2fcontact-us%2ffield&h=700C10174DA8E715FAA9E2937F48C0D91FA20372019A6642D5E367C0BD5AEF6D>

NEW MICROCHIP-ENABLED CREDIT CARDS MAY STILL BE VULNERABLE TO EXPLOITATION
BY FRAUDSTERS

By October 2015, many U.S. banks will have replaced hundreds of millions of
traditional credit and debit cards, which rely on data stored on magnetic
strips, with new payment cards containing a microchip known as an EMV chip.
While EMV cards offer enhanced security, the FBI is warning law enforcement,
merchants, and the general public that no one technology eliminates fraud
and cybercriminals will continue to look for opportunities to steal payment
information.

TECHNICAL DETAILS

*What is an EMV credit card?* The small gold chip found in
many credit cards is most often referred to as an EMV chip. Cards containing
this chip are known as EMV cards, as well as chip-and-signature,
chip-and-pin, or smart cards. The name EMV refers to the three originators
of chip-enabled cards: Europay, MasterCard, and Visa. EMV chips are now the
global standard for credit card security.

With traditional credit cards, the magnetic strip on the back of the card
contains static personal information about the cardholder. This information
is used to authenticate the card at the point of sale (PoS) terminal, before
the purchase is authorized. When a consumer uses an EMV card at a chip PoS
terminal, that transaction is protected using the technology in the
microchip. Additionally, consumers will be able to continue to use the
magnetic strip on the EMV card at retailers who have not yet implemented
chip PoS terminals. When the card is equipped with a personal identification
number (PIN), which is known only to the cardholder and the issuing
financial institution, issuers will be able to verify the user's
identity. Currently, not all EMV cards are issued to consumers with the PIN
capability and not all merchant PoS terminals can accept PIN entry. EMV
transactions at chip PoS terminals provide more security of consumers'
personal data than magnetic strip PoS transactions. In addition, EMV card
transactions transmit data between the merchant and the issuing bank with a
special code that is unique to each individual transaction. This provides
the cardholder greater security and makes the EMV card less vulnerable to
criminal activity while the data is transmitted from the chip enabled PoS to
the issuing bank.

THREAT

Although EMV cards provide greater security than traditional magnetic strip
cards, an EMV chip does not stop lost and stolen cards from being used in
stores, or for online or telephone purchases when the chip is not
physically provided to the merchant, referred to as a card-not-present
transaction. Additionally, the data on the magnetic strip of an EMV card
can still be stolen if the merchant has not upgraded to an EMV terminal and
it becomes infected with data-capturing malware. Consumers are urged to use
the EMV feature of their new card wherever merchants accept it to limit the
exposure of their sensitive payment data.

DEFENSE

Consumers should closely safeguard the security of their EMV cards and
PINs. This includes being vigilant in handling, signing, and activating a
card as soon as it arrives in the mail, reviewing statements for
irregularities, and promptly reporting lost or stolen credit cards to the
issuing bank. Consumers should also shield the keypad from bystanders when
entering a PIN, as PINs are vulnerable to cybercriminals who work to steal
these numbers to commit ATM and cash-back crimes.

The FBI encourages merchants to handle the EMV card and its data with the
same security precautions they use for standard credit cards. Merchants
handling sales over the telephone or via the Internet are encouraged to
adopt additional security measures to ensure the authenticity of cards used
for transactions. At a minimum, merchants should use secure servers and
payment links for all Internet transactions with credit and debit cards, and
information should be encrypted, if possible, to avert hackers from
compromising card information provided by consumers. Credit card information
taken over the telephone or through online means should be protected by the
retailer to include encrypting digital information and securely disposing
of written credit card information.

If you believe you have been a victim of credit card fraud, reach out to
your local law enforcement or FBI field office, and file a complaint with
the Internet Crime Complaint Center (IC3) at www.IC3.gov
<http://www.ic3.gov/>.

------------------------------

Date: Monday, October 12, 2015
From: John Levine <johnl () iecc com>
Subject: FBI takes down alert on chip credit cards after bankers complain

[In case people are still interested in chip cards ...]

Chip+pin isn't for you, it's for the bank.

If you're evaluating the risk of something, you need a security model.  From
everything I've heard, the main risk that chip+whatever defends against is
card skimming, copying enough information from the card to make a usable
clone card.  All chip cards defeat this, even the contactless ones you just
tap, by replacing the card info on the magstripe with a transaction-specific
packet of information computed by the chip.

Chip+pin is resistant against fraud where the physical card has been stolen,
but that turns out to be quite rare, perhaps 5% of all card fraud, so it's
not a big deal.  European banks love chip+pin because, as others have noted,
they have persuaded the regulators that a transaction that their system
claims was PIN validated (which turns out not to be the same as actually
having entered the PIN) is presumed to be real and it's up to the customer
to prove that it wasn't him, which he usually can't do.

In the US, the fraud rules haven't changed, if you challenge a transaction
it's still up to the bank to prove it was you, so there's no incentive to go
to the significant cost of upgrading the banks' cruddy old systems to handle
PINs.
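
[Added example, not part of the original post or the FBI statement: a simplified model of the issuer-side check behind the "special code that is unique to each individual transaction" in the FBI text and the "transaction-specific packet" described above. HMAC-SHA256 stands in for EMV's actual cryptogram algorithm, and the card identifier, key, stripe data and message layout are all constructed for illustration.]

```python
import hashlib
import hmac


def chip_code(card_key, counter, amount_cents, terminal_nonce):
    """Per-transaction code computed inside the chip; the key never leaves it."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self):
        self.static_value = {}  # card id -> static stripe data
        self.card_key = {}      # card id -> secret shared with the chip
        self.last_counter = {}  # card id -> highest counter approved so far

    def enroll(self, card_id, static_value, card_key):
        self.static_value[card_id] = static_value
        self.card_key[card_id] = card_key
        self.last_counter[card_id] = 0

    def authorize_stripe(self, card_id, presented_value):
        # Static data: this check cannot tell the card from a copy of its stripe.
        ok = hmac.compare_digest(self.static_value[card_id], presented_value)
        return "approved" if ok else "declined: bad stripe data"

    def authorize_chip(self, card_id, counter, amount_cents, terminal_nonce, code):
        expected = chip_code(self.card_key[card_id], counter, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, code):
            return "declined: code does not match transaction"
        if counter <= self.last_counter[card_id]:
            return "declined: counter already used"
        self.last_counter[card_id] = counter
        return "approved"


def demo():
    """Run the stripe and chip paths against the same constructed card."""
    card_id = "CONSTRUCTED-CARD-0001"
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    stripe = b"CONSTRUCTED-STATIC-TRACK-DATA"
    issuer = Issuer()
    issuer.enroll(card_id, stripe, key)

    results = {}
    # Magnetic stripe: the genuine card and a byte-for-byte copy look identical.
    results["stripe_genuine"] = issuer.authorize_stripe(card_id, stripe)
    results["stripe_copy"] = issuer.authorize_stripe(card_id, bytes(stripe))

    # Chip: the code is bound to this counter, amount and terminal nonce.
    nonce = b"\x01\x02\x03\x04"
    code = chip_code(key, 1, 2599, nonce)
    results["chip_genuine"] = issuer.authorize_chip(card_id, 1, 2599, nonce, code)
    # The same captured message presented a second time.
    results["chip_replay"] = issuer.authorize_chip(card_id, 1, 2599, nonce, code)
    # The captured code attached to a different transaction.
    results["chip_reused_code"] = issuer.authorize_chip(
        card_id, 2, 99900, b"\x09\x09\x09\x09", code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```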

------------------------------

Date: Tue, 13 Oct 2015 10:26:49 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Social Media Abuse Stories to Shrivel Your Soul

          http://lauren.vortex.com/archive/001132.html

Recently in "Research Request: Seeking Facebook or Other 'Real Name'
Identity Policy Abuse Stories" http://lauren.vortex.com/archive/001131.html
I requested that readers send me examples of social media abuses that have
targeted themselves or persons they know, with an emphasis on "identity"
issues such as those triggered by Facebook's "real name" policies.

These are continuing to pour in -- and please keep sending them -- but I
wanted to provide a quick interim report.

Executive summary: Awful. Sickening. I knew some of these would be bad,
but many are far worse than I had anticipated anyone being willing to
send me. It seems very likely -- though obviously I couldn't swear to
this under oath -- that these abuses have resulted in both suicides and
homicides.

And if we as an industry don't get a handle on these issues, we
ultimately risk draconian government crackdowns that will simply enable
more government censorship and create even more problems.

Here are some of the more obvious observations I can derive from the
messages I'm being sent (not in any particular order for now):

There is no longer any realistic dividing line between the online and
offline worlds. Abuse taking place online can quickly spill offline,
affecting targeted persons' physical lives directly and devastatingly.

Most forms of social media abuse are interconnected. That is, we cannot
realistically demarcate between "identity policy" abuses (e.g.,
Facebook's "real name" requirements), and other forms of social media
abuse (such as comment trolling, Gamergate, and far more).

Women are disproportionately targeted by social media abuse (as a male I
find this fact to be personally offensive), but yes, many men are also
attacked as well.

A lack of realistically useful and advanced moderation and abuse
report/flagging tools, and/or insufficient surfacing of these tools to
users, combined with "lackadaisical" (that's the most polite term I can
use) attention to these reports in many cases, exacerbates existing
problems.

Social media systems with strict "real name" requirements are especially
problematic and can be extremely dangerous. This particularly relates to
the 800-pound gorilla of Facebook in this context (Google+ wisely
dropped its real name requirements quite a ways back).

Facebook's identity "real name" policies have been effectively
"weaponized" by abusers. Many FB users who are already targeted and
marginalized in their offline lives (domestic violence victims, LGBT,
racial and religious minorities, and so many more) still need to use FB
to stay in contact, but (in an attempt to protect themselves) are using
"real appearing" pseudonyms instead of their real names. If one of their
protagonists discovers their FB identity, it is not uncommon for the
abuser to report the victim to FB (for example, as a twisted form of
"revenge") in an attempt to expose them online and offline, and to
destroy their ability to be safely online.

Social media firm reactions to flagging and abuse complaints --
particularly in the case of Facebook -- can be erratic and seemingly
arbitrary. Complaints that in one instance might target an innocent
person might cause an account suspension, but one targeting a guilty
person may be ignored. Innocent parties may be required by FB to jump
through a series of humiliating and embarrassing hoops to try to regain
access, including persons whose protective pseudonyms have been exposed
and persons whose actual, real names have been falsely flagged as fakes.
In some cases, Facebook actually suggests to affected users that they go
to court and change their name legally to match FB's rules!

Governments in general (which tend to see censorship as a solution
rather than the problem it actually is) and law enforcement in
particular, usually make these matters worse, not better. The police
tend to be clueless at best, and often explicitly "stop wasting our
time" antagonistic. Victims of bullying and online threats to their
offline lives who go to the police are usually informed that there's
nothing to be done to help them, or victims are told to just "stop using
the Internet" as a proposed (inane) solution.

We could go on with this list, but I'm sure you get the idea.

I'm forced to add that not all of the reaction to my research request on
these topics has been positive. I've received some responses that
attempt to minimize the entire controversy. They've told me I'm wasting
my time. They've suggested that in a relative sense "so few" people are
actually victimized by these problems (compared with the billions using
these systems) that it would be ridiculous for the companies involved to
make significant changes just to cater to a small group of actual
victims and a much larger group of supposed malcontents.

I can't emphasize how forcefully I categorically reject that entire line
of reasoning.

The inherent suggestions that because "relatively" few persons might be
affected (and that still means vast numbers of warm bodies at these
scales) could somehow excuse the abysmal status quo -- are entirely and
completely unacceptable, untenable, and unethical.

It's true that we can't put precise numbers on the victims. After all,
most of these vulnerable persons are already trying to protect
themselves from exposure, being forced into essentially a "shadow"
universe of social media identities. And we'd expect that most would
also be understandably unwilling to discuss their situations with a
stranger such as myself.

But many have been so willing, and I thank them for their trust. And I
believe we can safely extrapolate to the reality that there are one hell
of a lot of people being victimized by these issues.

And in fact, the numbers shouldn't really matter at all. How many deaths
or lives otherwise ruined attributable at least significantly to social
media abuses are tolerable? I would assert that the answer in an ethical
sense at least is zero.

Does this mean we can quickly solve all these problems? Is there a magic
wand?

Of course not. But that doesn't mean we shouldn't try. And remember,
once politicians get their claws into these controversies, you can bet
that the kinds of "solutions" they push will aim to further their
agendas more than anything else.

These are problems we must ourselves work toward eliminating.

Obviously, education outreach must be a major part of this effort,
especially to law enforcement and other government agencies.

But we also need to have a much better handle on these situations as an
industry, because the problems are ultimately not isolated to single
firms.

There need to be individuals and teams within the involved firms who not
only are working internally on these issues, but who also participate
broadly in related public communications efforts. These companies need
to work together toward understanding the impacts of their ecosystems in
these contexts -- a formal or informal industry consortium to
specifically further such interactions would seem a useful concept for
consideration.

Most of all, it's crucial that we as individuals -- not just those of us
who have built and used the Internet for many years, but also users who
have so far only barely gotten their feet wet on the Web -- recognize
that it is intolerable for the Net to be turned into a tool for the
destruction of lives, and that it's up to us to pave the path toward
changes that will truly help the Net to flourish for the good of our
societies, rather than allowing the Net (and ourselves) to be shackled
by politically shortsighted restrictions.

Take care, all.

------------------------------

Date: 14 Oct 2015 19:46:42 -0400
From: "Bob Frankston" <bob2-53 () bob ma>
Subject: Re: Undercover New Hampshire police nab cellphone ban violators
  (Solomon, RISKS-29.03)

The other way to read this is that it's illegal to use any digital device
that may potentially run a telephony app even if the car is stopped. Laws that
presume physical objects have one purpose are problematic in a world
(re)defined by software.

In a sense it's like the days when cities wanted to ban bolt cutters because
they could, potentially, be used to steal bicycles. Or banning video
recorders because one use could be to violate copyright.

------------------------------

Date: Wed, 14 Oct 2015 20:48:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Apple removes Been Choice and other ad blockers from its app store

Apple has dumped the ad blocker that blocked in-app ads from the App Store

Apple has removed an ad blocking app from its App Store that blocks ads in
other apps, as well as a number of other non-ad blocking apps that employ
similar "deep packet inspection" techniques, citing privacy concerns.

Apple's iOS 9 operating system saw the company approve ad blocking apps for
the first time. Most just block ads on the Safari web browser, but some
developers took the idea further by creating apps that installed root
certificates in order to block app-based ads. Apple's problem is that by
doing so, these kinds of apps (ad blockers, and some others) had sight of
everything a user was doing online, from browsing to making purchases.

The Safari team, however, had created a secure way to block content, which
doesn't allow for the ad blockers to track user behavior. Popular ad
blocking apps that block ads on Safari, including Crystal and Purify, are
not affected by Apple's latest move. It only affects apps that installed
root certificates on users' phones, which included some ad blockers and
other apps.

On the face of it, it had seemed bizarre that Apple had approved such ad
blockers in the first place, even aside from the clear privacy concerns.

http://www.businessinsider.com/apple-removes-been-choice-and-other-ad-blockers-from-its-app-store-2015-10

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.04
************************

