RISKS Forum mailing list archives
Risks Digest 29.07
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 3 Nov 2015 11:57:28 PST
RISKS-LIST: Risks-Forum Digest Tuesday 3 November 2015 Volume 29 : Issue 07 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/29.07.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: UK: Internet firms to be banned from offering unbreakable encryption under new laws (The Telegraph) Weather radios down; severe weather a possibility (Ben Moore) Of cats and cliffs: the ethical dilemmas of the driverless car (Gabe Goldberg) Fyunch(click)-jacking [1]: The Internet of Ears (Daniel Dern) What We Know About the Computer Formulas Making Decisions in Your Life (Lauren Kirchner via Judy Clark) Chase Fraud *Protection*? (HASM) Risks of banks not practising what they preach (Steve Loughran) RushCard outage (Alister Wm Macintyre) $1 million iPhone Zero-day Bounty (Henry Baker) World's biggest tech companies get failing grade on data-privacy rights ... from me! (Tim Libert) S.Korea pulls plug on government-mandated child surveillance app (USNews via Lauren Weinstein) Wikipedia and Deepak Chopra: Open-Source Character Assassination (HuffPost) ISIS Hackers can target Critical Infrastructure? (IHLS) Arbitration Everywhere, Stacking the Deck of Justice (NYTimes) Re: E-mail encryption is still an oxymoron (Dimitri Maziuk, David E. Ross) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 3 Nov 2015 07:38:42 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: UK: Internet firms to be banned from offering unbreakable encryption under new laws (The Telegraph) *The Telegraph* via NNSquad http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Internet-firms-to-be-banned-from-offering-out-of-reach-communications-under-new-laws.html Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to under the Investigatory Powers Bill ... It will also require Internet companies to retain the web browsing history of their customers for up to a year. ... It came as David Cameron, the Prime Minister, pleaded with the public and MPs to back his raft of new surveillance measures. [This is evidently David Cameron's next attempt, following on after previously wanting to ban *all* cryptography. COMMENTS: * John Day noted in Dave Farber's forum: When you outlaw encryption without backdoors, only outlaws will have encryption without backdoors. * Henry Baker commented: The UK has suspended the laws of algebra and logic. Good luck with that! PGN] ------------------------------ Date: Mon, 2 Nov 2015 22:01:22 -0600 From: Ben Moore <benmoore () desotonet com> Subject: Weather radios down; severe weather a possibility No one's weather radio is working in the entire Mid-South. The problem has been going on for a week. http://www.wbrc.com/story/30414750/weather-radios-down-severe-weather-expected MEMPHIS, TN (WMC) "It has saved my life two or three times," Weather radio user Shirley Son said. Son has relied on her weather radio for ten years, but now all she hears is static. No warnings, no weather. [...] ------------------------------ Date: Fri, 30 Oct 2015 17:47:37 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Of cats and cliffs: the ethical dilemmas of the driverless car Odd decision table compares saving lives of two cats being equivalent to saving lives of four dogs, and values a horse even less. https://theconversation.com/of-cats-and-cliffs-the-ethical-dilemmas-of-the-driverless-car-49778 [I guess it would be a boonDOGgle CATaloguing the fiNAGled relative merits of different species, RACCOONoitering among various POSSUMbilities SQUIRRELed away among roadkill alternatives. However, some of the analysis needs to address risks more broadly: not just trading off damage to different animal species, but also to passengers, vehicles that might have been commanDEERed by a huge buck, and potentially also to the environment. The tradeoffs also become interesting (for example) for a driverless safari vehicle that is remotely piloted by a well-sheltered guide and electronically locked to keep its passengers from exiting when confronted by angry beasts. You would not want to become RHINOckwurst. However, now that we have HORSEless carriages, perhaps it was certainly logical that we would get to DRIVERless and PASSENGERless vehicles (e.g., drones and robots). On the other hand, if we still had PASSENGER PIGEONS, we might have conceived of them pecking at the touch-sensitive screen to control a car (as was apparently done with missiles in WW II). However, nothing in the foregoing to the contrary notwithstanding, now that we seem to believe we can trust untrustworthy computers controlling autonomous entities, perhaps we don't need the less reliable members of the animal kingdom any more. End of technosarcasm/rant/whatever it might be. PGN] ------------------------------ Date: Fri, 30 Oct 2015 16:34:57 -0400 (EDT) From: Daniel Dern <dern () pair com> Subject: Fyunch(click)-jacking [1]: The Internet of Ears [Browse on "Fyunch Click" if you are not a Facebookworm and don't understand the reference. PGN] Earlier this week, my (Android) phone was next to the radio when this NPR story came on, "OK Google: Where Do You Store Recordings Of My Commands?" <http://www.npr.org/sections/alltechconsidered/2015/10/29/451981811/ok-google-where-do-you-store-recordings-of-my-commands> and when the radio played the first search question, including the "get phone's attention" keyword, within half a sentence, my phone was chiming in, like a backup singer. Startling, to say the least. I'm sure I'm not the only listener this happened to... And I think I saw a news item within the past week on how [hackers] are directly voice commands at other peoples' phones. Time to see if there's a way to customize the "attention" word for my phone. [1] From Niven & Pournelle, THE MOTE IN GOD'S EYE, and THE GRIPPING HAND, of course. (This was also a minor (non-tech) plot point in Grant Morrison's Justice League WORLD WAR III, over a decade ago, with the kid who inadvertently got Johnny Thunderbolt's pen with the Bandeisian Thunderbolt (stuck) in it, where reciting "Say you love Satan" included the release phrase ("ceie-u") for said Band. Thund.) (Great stuff, I heartily recommend Morrison's Justice League run. All avail in trade book format.) And, as a member of the list I'd posted to has subsequently noted, there's the (apocryphal) tale of a speech input demo at a lecture, where someone from the back of the crowd shouted out FORMAT C COLON RETURN [Something like that was in RISKS perhaps 20 years ago, and then again in RISKS-19.65: NCR phone instruction for Tower Star multiport removal: pronouncing "execute rm -r star". But I've always wondered about how ambiguity-resolving punctuation might be treated in voice-actuated systems. Perhaps Victor Borge had the answer to that when he developed explicit audibles for punctuation. PGN] ------------------------------ Date: November 2, 2015 at 4:17:26 PM EST From: Hendricks Dewayne <dewayne () warpspeed com> Subject: What We Know About the Computer Formulas Making Decisions in Your Life (Lauren Kirchner via Judy Clark) [Note: This item comes from friend Judi Clark. DLH](via Dave Farber) Lauren Kirchner, ProPublica, 30 Oct 2015 http://www.propublica.org/article/what-we-know-about-the-computer-formulas-making-decisions-in-your-life We reported yesterday on a study of Uber's dynamic pricing scheme that investigated Uber's surge pricing patterns in Manhattan and San Francisco and showed riders how they could potentially avoid higher prices. The study's authors finally shed some light on Uber's black box, the algorithm that automatically sets prices but that is inaccessible to both drivers and riders. That's just one of a nearly endless number of algorithms we use every day. The formulas influence far more than your Google search results or Facebook newsfeed. Sophisticated algorithms are now being used to make decisions in everything from criminal justice to education. But when big data uses bad data, discrimination can result. Federal Trade Commission chairwoman Edith Ramirez recently called for *algorithmic transparency*, since algorithms can contain "embedded assumptions that lead to adverse impacts that reinforce inequality." Here are a few good stories that have contributed to our understanding of this relatively new field. [...] ------------------------------ Date: Fri, 30 Oct 2015 19:01:09 -0700 From: HASM <risks () martins cc> Subject: Chase Fraud *Protection*? After hours purchase on the Home Depot website. Entered my Chase credit card number at checkout. Transaction complete. A couple minutes later I got two emails. One from Home Depot, with a card denied message. Why they didn't wait for approval before confirming is a mystery. And then there is no option on the website to re-enter another card. After calling in, a new order number was generated which wasn't tied to my online account with them, resulting in a zombie transaction on the account. The second one was from Chase. It tells me that the transaction was denied, lists the transaction and asks "Do you recognize this charge? Then, if I allowed my email agent to display images, it would have showed me two buttons with http links for YES and NO, which would have directed me to the appropriate page on their website. As I don't generally allow images to be displayed, it showed me the ALT tags of such images, which were YES and ... YES! And YES, I did choose YES if you're wondering. ------------------------------ Date: Sat, 31 Oct 2015 12:57:51 +0000 From: Steve Loughran <steve.loughran () gmail com> Subject: Risks of banks not practising what they preach It was with some irony that I read the entry in RISKS-29.06 of a Merryl Lynch article warning that "Cybersecurity is one of the top global risks today." Irony, because 10 minutes earlier I'd been trying to safely handle an email asserting to be from Merryl Lynch: From: Feedback, Bol <bolfeedback () ml com> Date: 27 October 2015 at 13:40 To: "steve.loughran () gmail com" <steve.loughran () gmail com> You have received a secure message from Bank of America Merrill Lynch If you have concerns about the validity of this message, please contact the sender directly. Messages will expire after 90 days. This message can be read from a computer or mobility device as follows: *To view this secure message from a computer:* 1. Click the *securedoc.html* attachment to open (download) the secure message. For best results, save the file first and open it from the saved location using a Web browser. 2. *First-time recipients* may need to register after opening the *securedoc.html* attachment. 3. * Existing recipients*, enter current password. 4. Click the *Open* button. If you are unable to open the message, select the *Open Online* link. *To view this secure message from a mobile device (e.g. smartphone, tablets):* 1. Forward this message with the *securedoc.html* attachment to mds () bankofamerica com. You will receive a new email containing a link to access the secure message. 2. *First-time recipients* may need to register after opening the link. If you have not previously registered, click the *Open* button to initiate registration. *Additional Information* - First-time recipients are advised to read the Recipient Guide <http://securemsg.bankofamerica.com/Secure_Email_Recipient_Guide_en.pdf> - Review the Help, FAQs and Guides <http://securemsg.bankofamerica.com/> As I was actually expecting a message, I did actually d/l and view it, initially in text editor and then in a disposable Linux VM. Needless to say, it contains a large amount of unreadable Javascript code [omitted by PGN] This is pretty much exactly the checklist of what you'd expect from phishing: an email from a bank saying "read this", with the "this" being an HTML page containing obfuscated javascript and a binary payload. If Merryl Lynch are *rightly* concerned about security, perhaps they should look at their own processes for communicating with customers and consider whether it encourages safe practises from their customers, or simply gets them to expect banks to given them HTML messages with scripted payloads so leads them wide open to phishing attacks ------------------------------ Date: Sun, 1 Nov 2015 21:43:42 -0600 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: RushCard outage (Sources: USA Today, Verge, Week) If our economy, bank ATMs, and Internet, all crashed tomorrow, for how many days do you have cash for emergencies, and kitchen reserves, before you are flat broke, and out of food? For thousands of Americans, this happened to them in October. RushCard failed Oct-12 and took almost 2 weeks to get fixed. It operates outside the consumer protections of standard debit and credit cards. Now US gov agencies are looking into imposing regulations and oversight over this formerly underground economy. The outage was allegedly triggered the company changing over to a new processing provider. Did they believe in testing? Even after announcements that the problems had been fixed, may customers report a string of nightmares proving that they are not able to access their money, and customer service has absurdly long wait times. Didn't it dawn on them to increase customer service bandwidth after an outage? RushCard is for the poorest Americans, who do not have access to traditional banking services, so many RushCard customers did not have cash for basic needs. According to The Week Nov-6 issue: . 17 million Americans are "unbanked" without any bank accounts. . 58 million Americans are "under banked" without debit cards or savings accounts. These poorest of the poor rely on payday-loans, check cashers, pawn shops, and other services with high service charges, like the RushCard. RushCard is now offering "fee free" from Nov-1 to Feb-29, to compensate customers inconvenienced by the 10+ day outage. Also a fund is being setup to compensate customers who had extra expenses to cope financially during the outage. http://www.theverge.com/2015/10/30/9646864/rushcard-outage-russell-simmons-compensate-card-holders-losses http://www.usatoday.com/story/money/columnist/tompor/2015/11/01/rushcards-glitch-puts-prepaid-cards-spotlight/74888816/ Examples of nightmares for RushCard customers, which continued AFTER RushCard claimed the problem had been fixed. http://thinkprogress.org/economy/2015/10/30/3717811/rushcard-announcement/ US Consumer Financial Protection Bureau (CFPB) statement about the RushCard situation: http://www.consumerfinance.gov/newsroom/statement-by-cfpb-director-richard-cordray-on-rushcard-prepaid-card-incident/ ------------------------------ Date: Mon, 02 Nov 2015 14:59:24 -0800 From: Henry Baker <hbaker1 () pipeline com> Subject: $1 million iPhone Zero-day Bounty FYI -- Zerodium is the quicker sticker upper: At $1 million, Zerodium is 2x more exorbitant, so it can handle any iMess that comes its way. At least these bug bounties are finally getting near a market-clearing price; companies will finally now be able to "afford" to build high-quality software code. Funny thing -- these same companies couldn't "afford" to build quality code when the bounties cost only $10,000. These zero-day bounties are all fun-and-games today, but this whole bounty market will end in big tears, when software developers learn that they can "build in" bugs that they (or their friends) can later sell to reap the bounties. http://thehill.com/policy/cybersecurity/258883-1m-bounty-paid-for-iphone-hack Katie Bo Williams, The Hill, 2 Not 2015 Hackers get $1M bounty for breaking into iPhone A security firm that hunts for undiscovered software bugs is paying out $1 million to a hacking group for breaking into Apple's mobile operating system. The company, Zerodium, compiles what are known as zero days, or security flaws that are unknown to the software manufacturer. It announced in September that it would pay $1 million for jailbreaking Apple's newly-released iOS 9. The reward is the largest such bounty ever offered. "Our iOS #0day bounty has expired, and we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!" Zerodium tweeted on Monday. According to the terms of the bounty, the iPhone exploit must "be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page" or reading a text message. Bug bounties are becoming increasingly popular as companies struggle to keep up with an onslaught of cyber intrusions. In May, United Airlines began offering free miles to people who uncover security flaws in its websites and digital infrastructure. Zerodium's offer required hackers not to disclose the vulnerability to Apple, so that its customers can use the hack in secret. Critics say that Zerodium's tactics could lead to zero-day flaws falling into the hands of governments with poor human rights records that would use the information as a surveillance tool. [...] ------------------------------ Date: November 3, 2015 at 4:22:37 AM EST From: Tim Libert <tim () timlibert me> Subject: World's biggest tech companies get failing grade on data-privacy rights...from me! [From Jonathan M. Smith via Dave Farber] After a lifetime of saying tech companies suck, I've now helped make it official exactly how much they suck by spending three years assisting in designing and implementing a complex scoring system on human rights, free expression, and privacy. Today those rankings have been released. You can see the front-page The Guardian story here: http://www.theguardian.com/technology/2015/nov/03/data-protection-failure-google-facebook-ranking-digital-rights - or visit our site for more detail and interactive data: https://rankingdigitalrights.org/2015/11/03/index-now-online/ ------------------------------ Date: Sun, 1 Nov 2015 19:21:40 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: S.Korea pulls plug on government-mandated child surveillance app Moon Hyun-seok, a senior official at the Korea Communications Commission, told The Associated Press that "Smart Sheriff" has been removed from the Play store, Google's software marketplace, and that existing users are being asked to switch to other programs. The government plans to shut down the service to existing users "as soon as possible," he said. Smart Sheriff's maker, an association of South Korean mobile operators called MOIBA, declined comment. Smart Sheriff's disappearance is a blow to South Korea's contentious effort to keep closer tabs on the online lives of its youngest citizens. Less than a year ago, the government and schools sent letters to students and parents to encourage them to download Smart Sheriff. A law passed in April requires all new smartphones sold to those 18 and under to be equipped with software which parents can use to snoop on their kids' social media activity. Smart Sheriff, the most popular of more than a dozen state-approved apps, was meant to keep children safe from pornography, bullying and other threats, but experts say its abysmal security left the door wide open to hackers and put the personal information of some 380,000 users at risk. http://www.usnews.com/news/business/articles/2015/11/01/apnewsbreak-south-korea-pulls-plug-on-child-monitoring-app ------------------------------ Date: Mon, 2 Nov 2015 18:15:01 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Wikipedia and Deepak Chopra: Open-Source Character Assassination http://www.huffingtonpost.com/ryan-castle/wikipedia-deepak-chopra-o_b_8449394.html Worth reading this entire article. The body of editors who are dominating Deepak Chopra's biography page are a dozen or so skeptics* who are so extreme in their views that they resort to online activism, many of whom consider the concept of spirituality or a mind-body connection to be a threat to human intelligence. They consider Deepak Chopra to be the embodiment of these concepts and so treat his biography as an opportunity to explain how foolish and dangerous his beliefs are. These editors are no more empowered than any other volunteer editor, but their ideological zeal and willingness to viciously attack any opposing editor has driven off most impartial editors. After all, Wikipedia is 100% volunteer, so why would someone voluntarily spend their time being called a moron and facing endless opposition to every neutral edit? There is no one to report to, as a collaborative platform Wikipedia has no formal management structure, even when collaboration turns into mob mentality. ------------------------------ Date: Sat, 31 Oct 2015 13:03:30 -0500 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: ISIS Hackers can target Critical Infrastructure? (IHLS) Different professionals disagree whether ISIS is or is not how serious a cyber threat to our critical infrastructure. Connecting everything to the Internet, without solid security, when we usually have serious enemies in the world, is asking for trouble. There have been worrisome incidents with cyber and physical attacks on our power grid, and other critical infrastructure, where the industries have been resistant to spending money to beef up their security. The FBI says that highly capable hacking software is available for purchase on the black market and could be used to hack networks associated with energy companies, fuel refineries, or water-pumping stations. http://www.securityweek.com/isis-cyber-ops-empty-threat-or-reality http://i-hls.com/2015/10/can-isis-attack-our-infrastructure/ http://i-hls.com/2015/10/is-now-a-cyber-watershed-for-isis/ http://gwtoday.gwu.edu/isis-cyber-security-threat http://thehill.com/policy/cybersecurity/242280-isis-preps-for-cyber-war ------------------------------ Date: Sat, 31 Oct 2015 23:53:43 -0400 From: Monty Solomon <monty () roscom com> Subject: Arbitration Everywhere, Stacking the Deck of Justice With a clause in complex contracts that few people read, corporations have insulated themselves from lawsuits and locked Americans into a system where arbitrators overwhelmingly favor business. http://www.nytimes.com/2015/11/01/business/dealbook/arbitration-everywhere-stacking-the-deck-of-justice.html ------------------------------ Date: Fri, 30 Oct 2015 15:56:28 -0500 From: Dimitri Maziuk <dmaziuk () bmrb wisc edu> Subject: Re: E-mail encryption is still an oxymoron (Baker, RISKS-29.06) It's probably worth noting that if you want to protect your e-mail, you need to encrypt end-to-end and hope that nobody has a backdoor to the encryption you used. "Top mail providers" using various DMARCs and STARTTLSes at some of the hops is, by definition, "not it". ------------------------------ Date: Fri, 30 Oct 2015 14:00:01 -0700 From: "David E. Ross" <david () rossde com> Subject: Re: E-mail encryption is still an oxymoron (RISKS-29.06) It must be noted that, when Thunderbird sends an E-mail message after it has been composed, it alters the message's line-lengths. This invalidates any OpenPGP encryption or digital signature applied during composition. An encrypted message cannot then be decrypted, and a digital signature cannot be verified. ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 29.07 ************************
Current thread:
- Risks Digest 29.07 RISKS List Owner (Nov 03)