RISKS Forum mailing list archives
Risks Digest 29.36
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 18 Mar 2016 14:59:19 PDT
RISKS-LIST: Risks-Forum Digest Friday 18 March 2016 Volume 29 : Issue 36 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/29.36.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: China bans wordplay in attempt at pun control (Tania Branigan) Pentagon skips tests on key component of U.S.-based missile defense system (David Willman) Microsoft servers to bottom of ocean (I-HLS) U.S. war on Tor encryption (I-HLS) Brazen Heist of Millions Puts Focus on the Philippines (NYTimes) Denver Police Caught Misusing Databases Got Light Punishments (NYTimes) Where Computers Defeat Humans, and Where They Can't (NYTimes) How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest (The Register) Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist (NYTimes) This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA (Ars Technica) CRYPTO-GRAM, March 15, 2016 (Bruce Schneier) Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million (NYTimes) Re: Hackers steal $81M from Bangladesh (John Levine) Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank ... (Bob Frankston) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 16 Mar 2016 18:51:59 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: China bans wordplay in attempt at pun control Chinese is a language that to Westerners seems rife with puns, with many words pronounced similarly (if you ignore the four tones) that have quite different meanings and completely different ideograms. Many native Chinese may presume those different words that are phonetically confusing to foreigners may not be thought to be puns -- they are just different words. However, intentionally contrived puns in spoken Chinese languages that introduce clever ambiguities and humor apparently have been deemed threatening to Chinese culture. (Incidentally, quite intentional puns are rampant throughout many Shakespeare plays.) PGN Tania Branigan, *The Guardian*, 28 Nov 2014 [old item, but still timely] Officials say casual alteration of idioms risks nothing less than `cultural and linguistic chaos', despite their common usage. From online discussions to adverts, Chinese culture is full of puns. But the country's print and broadcast watchdog has ruled that there is nothing funny about them. It has banned wordplay on the grounds that it breaches the law on standard spoken and written Chinese, makes promoting cultural heritage harder, and may mislead the public -- especially children. The casual alteration of idioms risks nothing less than `cultural and linguistic chaos', it warns. Chinese is perfectly suited to puns because it has so many homophones. Popular sayings and even customs, as well as jokes, rely on wordplay. But the order from the State Administration for Press, Publication, Radio, Film and Television says: ``Radio and television authorities at all levels must tighten up their regulations and crack down on the irregular and inaccurate use of the Chinese language, especially the misuse of idioms.'' ... http://www.theguardian.com/world/2014/nov/28/china-media-watchdog-bans-wordplay-puns?CMP=share_btn_fb [Thanks to Laura S. Tinnel for pun-ting this one to me. PGN] ------------------------------ Date: Thu, 17 Mar 2016 12:21:09 -0700 From: Henry Baker <hbaker1 () pipeline com> Subject: Pentagon skips tests on key component of U.S.-based missile defense system (David Willman) * From the government's perspective: If we don't test it, then we don't know that it won't work, so we don't have to include the cost of fixing it in our current budget. That way, the cost overruns won't have to be offset from other spending. * From the contractor's perspective: If they don't know it won't work, then we get paid. And when they find out later it won't work, we get paid again to fix it. [BTW, does anyone else recall that none of the U.S. submarine torpedoes in WWII worked until quite late into the war? I don't believe that it was acknowledged at the time -- due to secrecy -- and then after the war no one cared because we won. HB] David Willman, *LA Times*, 17 Mar 2016 Pentagon skips tests on key component of U.S.-based missile defense system http://www.latimes.com/nation/la-na-missile-defense-hot-fire-testing-20160317-story.html Against the advice of its own panel of outside experts, the U.S. Missile Defense Agency is forgoing tests meant to ensure that a critical component of the nation's homeland missile defense system will work as intended. The tests that are being skipped would evaluate the reliability of small motors designed to help keep rocket interceptors on course as they fly toward incoming warheads. The components, called alternate divert thrusters, are vital to the high-precision guidance required to intercept and destroy an enemy warhead traveling at supersonic speed -- a feat likened to hitting one speeding bullet with another. The interceptors, deployed in underground silos at Vandenberg Air Force Base in Santa Barbara County and at Ft. Greely, Alaska, are the backbone of the Ground-based Midcourse Defense system (GMD) -- the nation's main defense against a sneak attack by North Korea or Iran. The interceptors are multi-stage rockets, each with a 5-foot-long *kill vehicle* at its tip. The 150-pound kill vehicle is designed to separate from its rocket in space, fly independently at 4 miles per second and crash into an enemy warhead, destroying it. The performance of the divert thrusters, which are supposed to keep the kill vehicles on course during their final approach to their targets, has been a source of concern for several years. In response, the Missile Defense Agency oversaw development of a new and supposedly better version, the alternate divert thruster. An outside panel of experts privately advised the agency to put the alternate divert thrusters through *hot fire* testing, in which they would be revved up on the ground to see whether they burned smoothly and delivered adequate propulsion. But in order to stay on schedule for a planned expansion of the GMD system, none of the 40 thrusters that are being installed on 10 new interceptors will undergo hot-fire testing, government officials told the Los Angeles Times. Forgoing the tests ``increases the risk for reliability issues going undetected,'' according to a newly released report by the U.S. Government Accountability Office. The report says that such testing ``verifies proper performance and workmanship.'' [...] http://www.gao.gov/assets/680/675263.pdf ------------------------------ Date: Fri, 18 Mar 2016 12:53:40 -0500 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: Microsoft servers to bottom of ocean (I-HLS) Microsoft has found that the bottom of the ocean is a good place for servers, because water at the bottom of an ocean usually stays at a stable relatively cold temperature, eliminating need for much of the vigorous cooling traditional data centers require. What could go wrong with server farms on the bottom of the ocean? Read science fiction if the answers are not obvious. In Missing Man novel, cyber attack takes out an under-water city, by tampering with the air-conditioning controls. https://sciencefictionruminations.wordpress.com/2011/10/08/book-review-missing-man-katherine-maclean-1976/ Sea Floor datacenters had better have good off-site (on land) backup, in case of a leak taking them out of commission, and good insurance if human technicians are to be sent down there to maintain the hardware (How severe risk of the bends, and are there sharks down there?). How difficult would it be for a drone submarine to hack their contents? (We know drug smugglers use narco-subs to transport drugs from the shores of Columbia to the inland rivers of North America.) http://i-hls.com/2016/02/68173/ The team behind the project is also looking to wave power generating equipment to harvest the hydrokinetic energy of the sea, further reducing operating costs. That is another area of risk. If we muck with ocean currents, that could undermine their path, and if Europe loses the warmth of the Gulf Stream, that is tantamount to an act of weather war. https://en.wikipedia.org/wiki/Gulf_Stream [Don't forget that certain sea creatures might be attracted to the differential warmth, just as squirrels have knocked out SRI's power on multiple occasions -- more recently at the junction between our co-generation plant and PG&E. PGN] ------------------------------ Date: Fri, 18 Mar 2016 12:18:06 -0500 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: U.S. war on Tor encryption (I-HLS) A federal judge confirmed that the Software Engineering Institute (SEI <http://www.sei.cmu.edu/> ) of Carnegie Mellon University (CMU) was commissioned by the US government to break ultra-secure Tor network encryption, according to court documents. <https://assets.documentcloud.org/documents/2719591/Farrell-Weds.pdf> PDF Prior to this confirmation, the FBI was able to deny or cover up some of the facts, and people, who believed the FBI, drew erroneous conclusions about what was going on. There were also some suspicions when these researchers canceled a presentation on this topic. That sometimes happens when there is a court order to shut up. This project may have destroyed CERT <http://www.cert.org/> Coordination Center (CERT/CC) reputation both as an honest broker in protecting cyber-security, and having the integrity of academic standards that human beings privacy and civil rights should never be violated by research or other means, without informed consent, or National Security Letter (NSL), or proper court approval. If it was an NSL, recipients may go through their lawyer to protest it, and SEI-CMU administrators should have realized the potential damage to their reputations by accepting this mission. The US has spent $1.73 billion on this? DoD organized the project, while the FBI got the advantage from it, leading to some people speculating that the FBI had conducted this hacking operation. Perhaps SEI-CMU has decided to exit the Cert/CC service, and go into different fields of specialty. US defendants have a right to face their accusers, which includes how the evidence was obtained, so when the government's evidence was obtained by new technologies they want to keep secret, they have a choice: * Use only evidence obtained by means they do not want to keep secret; * Use the formerly secret evidence gathering, knowing that the trial will reveal it; * Do not prosecute those people; * Seek secret trial. As statements come out in court as to how the IP addresses of the defendants were uncovered, Tor thinks a vulnerability has been identified, that they can patch, to prevent that from ever happening again. http://i-hls.com/2016/03/carnegie-mellon-tor-attack-confirmed/ http://thehackernews.com/2016/02/tor-hack.html https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html https://www.deepdotweb.com/2016/02/28/court-documents-confirm-cmu-paid-by-government-in-tor-attacks/ http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security-researchers/ https://blog.torproject.org/blog/statement-tor-project-re-courts-february-23-order-us-v-farrell https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation ------------------------------ Date: Thu, 17 Mar 2016 03:18:34 -0400 From: Monty Solomon <monty () roscom com> Subject: Brazen Heist of Millions Puts Focus on the Philippines The country's lightly regulated casinos and tough bank secrecy laws had prompted warnings from the United States and money-laundering experts before the theft. http://www.nytimes.com/2016/03/17/business/dealbook/brazen-heist-of-millions-puts-focus-on-the-philippines.html ------------------------------ Date: Thu, 17 Mar 2016 09:22:01 -0400 From: Monty Solomon <monty () roscom com> Subject: Denver Police Caught Misusing Databases Got Light Punishments The mining of criminal justice databases for personal use has raised questions on privacy abuse in cases across the country. http://www.nytimes.com/2016/03/18/us/denver-police-criminal-databases-personal-use.html ------------------------------ Date: Thu, 17 Mar 2016 09:26:51 -0400 From: Monty Solomon <monty () roscom com> Subject: Where Computers Defeat Humans, and Where They Can't http://www.nytimes.com/2016/03/16/opinion/where-computers-defeat-humans-and-where-they-cant.html Why it matters that Google's program defeated the world's best [human] Go player. ------------------------------ Date: Fri, 18 Mar 2016 11:53:58 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest Windows users who decline to use it find it is repeatedly reintroduced. The language of the counter-malware industry is more appropriate than the language of enterprise IT for GWX. GWX subverts a channel intended for one purpose (security hotfixes) for another (advertising); it changes its *attack vectors*, it uses *polymorphic* techniques; and it consistently overrides users' actions and permissions. http://www.theregister.co.uk/2016/03/17/microsoft_windows_10_upgrade_gwx_vs_humanity/ ------------------------------ Date: Thu, 17 Mar 2016 14:12:41 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist (NYTimes) If the F.B.I. wins its court fight to force Apple's help in unlocking an iPhone, the agency may run into yet another roadblock: Apple's engineers. Apple employees are already discussing what they will do if ordered to help law enforcement authorities. Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees. Among those interviewed were Apple engineers who are involved in the development of mobile products and security, as well as former security engineers and executives. http://www.nytimes.com/2016/03/18/technology/apple-encryption-engineers-if-ordered-to-unlock-iphone-might-resist.html?partner=rss&emc=rss [Monty Solomon noted: The potential resistance adds a wrinkle to a very public fight over access to an iPhone used by one of the San Bernardino attackers. PGN] ------------------------------ Date: Thu, 17 Mar 2016 13:58:10 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA http://arstechnica.com/information-technology/2016/03/this-is-the-phone-nsa-suggested-clinton-use-a-4750-windows-ce-pda/ When former Secretary of State Hillary Clinton was pushing to get a waiver allowing her to use a BlackBerry like President Barack Obama back in 2009, the National Security Agency had a very short list of devices approved for classified communications. It was two devices built for the Secure Mobile Environment Portable Electronic Device (SME PED) program. In fact, those devices were the only thing anyone in government without an explicit security waiver (like the one the president got, along with his souped-up BlackBerry 8830) could use until as recently as last year to get mobile access to top secret encrypted calls and secure e-mail. Despite $18 million in development contracts for each of the vendors selected to build the competing SME PED phones (or perhaps because of it), the resulting devices were far from user-friendly. The phones -- General Dynamics' Sectéra Edge and L3 Communications' Guardian -- were not technically *smart phones*, but instead were handheld personal digital assistants with phone capability, derived from late 1990s and early 2000s technology that had been hardened for security purposes -- specifically, Windows CE technology. ------------------------------ Date: Tue, 15 Mar 2016 02:03:58 -0500 From: Bruce Schneier <schneier () schneier com> Subject: CRYPTO-GRAM, March 15, 2016 (Bruce Schneier) [I often excerpt from Bruce's Crypto-Gram. This issue is so full of goodies that I'm just listing the Table of Contents. PGN] In this issue: Data Is a Toxic Asset The FBI vs. Apple: Decrypting an iPhone Lots of News and Essays about the FBI vs. Apple The Importance of Strong Encryption to Security News Security Implications of Cash WikiLeaks Publishes NSA Target List Schneier News Resilient Systems News: IBM to Buy Resilient Systems Cheating at Professional Bridge Simultaneous Discovery of Vulnerabilities Bruce Schneier, CTO, Resilient Systems, Inc. https://www.schneier.com Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Resilient Systems, Inc. Copyright (c) 2016 by Bruce Schneier. For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>. ------------------------------ Date: Thu, 17 Mar 2016 09:33:39 -0400 From: Monty Solomon <monty () roscom com> Subject: Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million (NYTimes) http://www.nytimes.com/2016/03/16/world/asia/bangladesh-bank-chief-resigns-after-cyber-theft-of-81-million.html ------------------------------ Date: 16 Mar 2016 23:14:31 -0000 From: "John Levine" <johnl () iecc com> Subject: Re: Hackers steal $81M from Bangladesh (RISKS-29.35) [was: Typo thwarts hackers in $1 billion cyber heist] *Thwarts* is rather an overstatement, since the crooks stole $101M -- of which only $20M has been retrieved, and $81M is a lot of money for a country as poor as Bangladesh. The $81M went to banks in the Philippines -- $50M to accounts belonging to casinos, and $30M in cash to a man in Manila. It's a political issue there, as well. ($30M in $100 bills weighs over 600 pounds, so it's not like the guy walked out of the bank with a briefcase.) Bangladesh's well-regarded finance minister has resigned, and several of his subordinates were fired (and probably more) for trying to cover up the theft and not telling him about it. According to the *Financial Times*, they were SWIFT transfer requests that were fully authenticated at the New York end. The FT says that the current assumption is that Bangladeshi computers were compromised by malware, and a lot of people would like to know the details. Another question is why the thefts, which happened a month ago, have just become public now. https://next.ft.com/content/4275601e-be2d-3529-a5f0-702e635e02ca [Clearly, no one should be allowed to have meaningfully secure computers and strong crypto -- not even the U.S. Government! That would solve problems such as this one, even if it is not yet April Fools' Day. PGN] ------------------------------ Date: 17 Mar 2016 22:45:45 -0400 From: "Bob Frankston" <Bob2 () bob ma> Subject: Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank ... (RISKS-29.35) The interesting question is what does ``The spokesman said the payment instructions were 'fully authenticated' using standard methods.'' mean given the amounts involved? ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 29.36 ************************
Current thread:
- Risks Digest 29.36 RISKS List Owner (Mar 18)