RISKS Forum mailing list archives

Risks Digest 29.22


From: RISKS List Owner <risko () csl sri com>
Date: Sun, 24 Jan 2016 11:52:40 PST

RISKS-LIST: Risks-Forum Digest  Sunday 24 January 2016  Volume 29 : Issue 22

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.22.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Roger Kemp on the Lancaster Floods (Peter Bernard Ladkin)
Nest Thermostats Are Having Battery Problems and There's No Fix Yet
  (Kate Knibbs)
The Internet of Things that Talk About You Behind Your Back (Bruce Schneier)
Automakers increasing efforts to enhance safety and defend against
  cyberattacks (Gabe Goldberg)
Affinity sues Trustwave (security news media)
Why no secure architectures in commodity systems? (Nick Sizemore)
Overhaul Puts Pentagon in Charge of Protecting Federal Security Clearance
  Data (Damian Paletta)
French seem to have rejected crypto/security backdoors (The Register)
Royal Melbourne Hospital virus attack (The Age)
Virus hits TRMC computers (PGN)
As More Pay by Smartphone, Banks Scramble to Keep Up (NYTimes)
Rarely Patched Software Bugs in Home Routers Cripple Security (WSJ)
Android bug (Martin Schaef)
"Windows 10 Spying is worse than I ever imagined" (Gene Wirchenko)
Instagram negatively impacting survival of big cats in the wild
  (Kaleigh Rogers)
Facebook vs Indian Internet regulators (Prashanth Mundkur)
Pakistan lifts ban on Youtube after launch of own version (Lauren Weinstein)
"Understandable but Very Wrong: Google Enables Government YouTube Censorship
  in Pakistan" (Lauren Weinstein)
74% of leading US 2016 Presidential Candidates flunk privacy & data security
  (Trust Alliance)
Linux bug imperils tens of millions of PCs, servers, Android phones
  (Ars Technica)
ColoSpgs NCIC national hub for cybersecurity (Warren Pearce)
Why do people keep coming to this couple's home looking for lost phones
  (Kashmir Hill)
Time Inc. Is in the Midst of a Replyallpocalypse (Monty Solomon)
Risks of impostors (Dave Kristol)
The resolution of the Bitcoin experiment (Mike Hearn)
Pound vs. Dollar vs. ASCII (Dan Jacobson)
Re: Ballot Battles: The History of Disputed Elections in the U.S.
  (Mark E. Smith)
Re: Michigan IT security audit (Dimitri Maziuk)
Re: USC students required to detail sexual history before
  registering for classes (John Levine)
Privacy, Safety, Security & Healthcare --> Seeking Your Scholarship
  (Robert Mathews)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 24 Jan 2016 18:08:38 +0100
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Roger Kemp on the Lancaster Floods

On 5th December, 2015, the River Lune in the city of Lancaster in northwest
England overflowed its banks. The flood took out an electricity substation
on Caton Road, on the banks of the river, which blacked out the entire city
centre. The distinguished engineer Roger Kemp lives in the affected area and
wrote a fascinating short account. Roger kindly agreed to let my RVS group
publish it on our WWW pages.

"Power cuts - a view from the affected area" is the item from 24 January
2016 under http://www.rvs.uni-bielefeld.de/publications/#WhatsNew I think it
is one of the most important notes on engineered-systems resilience which I
have ever read.

Fifty years ago in the UK, during a power cut you would lose the lights, and
the TV if you had one. Heating wasn't affected (except for the affluent
few), neither was cooking or telephone communications or your transistor
radio for information and entertainment, and young people did what they
always did, which apart from playing table tennis was mostly without
lights. Your local pub could still pull a pint and it was more fun by
candlelight. (A decade earlier, though, you'd have lost the radio as
well. Thank you Messrs. Bardeen, Brattain and Shockley.) Nowadays, ....
well, read about it!

Is it progress to replace critical independent systems with interdependent
systems subject to single points of failure? Almost every standard for
critical systems warns you not to do it, but that's what we've done.

Prof. Peter Bernard Ladkin, University of Bielefeld, 33594 Bielefeld, Germany

------------------------------

Date: Thu, 14 Jan 2016 10:32:12 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Nest Thermostats Are Having Battery Problems and There's No Fix Yet
  (Kate Knibbs)

Kate Knibbs, Gizmodo, 8 Jan 2016

A Gizmodo reader told us that his Nest had a software bug that caused his
battery to drain -- which caused Nest to shut off and leave him with a
frigid home. This is, of course, exactly the opposite of what you want a
smart thermostat to do. Nest has admitted that people are having problems
with its batteries.

A Nest spokesperson told Gizmodo: ``We are aware of a low-battery issue
impacting some Nest Thermostat owners. In some cases, this may cause the
device to respond slowly or become unresponsive. We are actively
investigating the issue and working on a solution. In the meantime,
performing a manual restart of the thermostat will help until a fix is put
in place.''

http://gizmodo.com/nest-thermostats-are-having-battery-problems-and-theres-1751800309

------------------------------

Date: Fri, 15 Jan 2016 02:35:56 -0600
From: Bruce Schneier <schneier () schneier com>
Subject: The Internet of Things that Talk About You Behind Your Back

CRYPTO-GRAM, January 15, 2016
Bruce Schneier (CTO, Resilient Systems, Inc.) https://www.schneier.com

SilverPush is an Indian startup that's trying to figure out all the
different computing devices you own. It embeds inaudible sounds into the
webpages you read and the television commercials you watch. Software
secretly embedded in your computers, tablets, and smartphones picks up the
signals, and then uses cookies to transmit that information back to
SilverPush. The result is that the company can track you across your
different devices. It can correlate the television commercials you watch
with the web searches you make. It can link the things you do on your tablet
with the things you do on your work computer.

Your computerized things are talking about you behind your back, and for the
most part you can't stop them -- or even learn what they're saying.

This isn't new, but it's getting worse.

Surveillance is the business model of the Internet, and the more these
companies know about the intimate details of your life, the more they can
profit from it. Already there are dozens of companies that secretly spy on
you as you browse the Internet, connecting your behavior on different sites
and using that information to target advertisements. You know it when you
search for something like a Hawaiian vacation, and ads for similar vacations
follow you around the Internet for weeks.  Companies like Google and
Facebook make an enormous profit connecting the things you write about and
are interested in with companies trying to sell you things.

Cross-device tracking is the latest obsession for Internet marketers.  You
probably use multiple Internet devices: your computer, your smartphone, your
tablet, maybe your Internet-enabled television -- and, increasingly,
"Internet of Things" devices like smart thermostats and appliances. All of
these devices are spying on you, but the different spies are largely unaware
of each other. Start-up companies like SilverPush, 4Info, Drawbridge,
Flurry, and Cross Screen Consultants, as well as the big players like
Google, Facebook, and Yahoo, are all experimenting with different
technologies to "fix" this problem.

Retailers want this information very much. They want to know whether their
television advertising causes people to search for their products on the
Internet. They want to correlate people's web searching on their smartphones
with their buying behavior on their computers. They want to track people's
locations using the surveillance capabilities of their smartphones, and use
that information to send geographically targeted ads to their
computers. They want the surveillance data from smart appliances correlated
with everything else.

This is where the Internet of Things makes the problem worse. As computers
get embedded into more of the objects we live with and use, and permeate
more aspects of our lives, more companies want to use them to spy on us
without our knowledge or consent.

Technically, of course, we did consent. The license agreement we didn't read
but legally agreed to when we unthinkingly clicked "I agree" on a screen, or
opened a package we purchased, gives all of those companies the legal right
to conduct all of this surveillance. And the way US privacy law is currently
written, they own all of that data and don't need to allow us to see it.

We accept all of this Internet surveillance because we don't really think
about it. If there were a dozen people from Internet marketing companies
with pens and clipboards peering over our shoulders as we sent our Gmails
and browsed the Internet, most of us would object immediately. If the
companies that made our smartphone apps actually followed us around all day,
or if the companies that collected our license plate data could be seen as
we drove, we would demand they stop.  And if our televisions, computers, and
mobile devices talked about us and coordinated their behavior in a way we
could hear, we would be creeped out.

The Federal Trade Commission is looking at cross-device tracking
technologies, with an eye to regulating them. But if recent history is a
guide, any regulations will be minor and largely ineffective at addressing
the larger problem.

We need to do better. We need to have a conversation about the privacy
implications of cross-device tracking, but -- more importantly -- we need to
think about the ethics of our surveillance economy. Do we want companies
knowing the intimate details of our lives, and being able to store that data
forever? Do we truly believe that we have no rights to see the data that's
collected about us, to correct data that's wrong, or to have data deleted
that's personal or embarrassing? At a minimum, we need limits on the
behavioral data that can legally be collected about us and how long it can
be stored, a right to download data collected about us, and a ban on
third-party ad tracking. The last one is vital: it's the companies that spy
on us from website to website, or from device to device, that are doing the
most damage to our privacy.

The Internet surveillance economy is less than 20 years old, and emerged
because there was no regulation limiting any of this behavior. It's now a
powerful industry, and it's expanding past computers and smartphones into
every aspect of our lives. It's long past time we set limits on what these
computers, and the companies that control them, can say about us and do to
us behind our backs.

This essay previously appeared on Vice Motherboard.
https://motherboard.vice.com/en_ca/read/the-internet-of-things-that-talk-about-you-behind-your-back

SilverPush:
http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/

Surveillance is the business model of the Internet:
https://www.schneier.com/books/data_and_goliath/

Cross-device tracking:
http://www.campaignlive.com/article/why-cross-device-tracking-latest-obsession-marketers/1361742
https://www.ftc.gov/news-events/events-calendar/2015/11/cross-device-tracking
https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf

Smartphone apps that follow us around:
http://blogs.wsj.com/wtk-mobile/

License plate data collection:
https://www.eff.org/deeplinks/2015/10/license-plate-readers-exposed-how-public-safety-agencies-responded-massive

Ethics of our surveillance economy:
http://www.ft.com/cms/s/0/69d6f4ae-a8b4-11e5-9700-2b669a5aeb83.html
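
One defender-side way to notice an inaudible beacon of the kind described at
the top of this essay, as an added example that is not part of Schneier's
text or of any SilverPush software: a Goertzel-based monitor that flags a
narrow near-ultrasonic tone standing far above its neighbouring band in one
frame of microphone audio. The 18 kHz beacon frequency, the 44.1 kHz sample
rate, the 20 dB threshold and the constructed test audio are assumptions,
not values from the article.

```python
import math

# Assumed parameters (not from the article): microphone capture rate, analysis
# window, and a beacon tone above most adults' hearing but below Nyquist.
SAMPLE_RATE = 44_100
FRAME = 4_096                 # ~93 ms of audio per analysis window
BEACON_HZ = 18_000
REF_BAND = (17_500, 18_500)   # neighbouring near-ultrasonic bins used as the noise floor
MIN_SCORE_DB = 20.0           # beacon bin must stand this far above the band average


def hz_to_bin(hz, n=FRAME, sample_rate=SAMPLE_RATE):
    """Nearest DFT bin index for a frequency in an n-sample frame."""
    return int(0.5 + n * hz / sample_rate)


def goertzel_bin_power(samples, k):
    """|X[k]|^2 for a single DFT bin, computed in O(n) with the Goertzel recurrence.

    Evaluating a handful of bins this way is cheap enough to run continuously
    on a microphone feed, which is what a beacon monitor on a phone or laptop
    needs; no full FFT is required.
    """
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def beacon_score_db(samples, beacon_hz=BEACON_HZ, sample_rate=SAMPLE_RATE):
    """How far (in dB) the beacon bin rises above the average bin of REF_BAND.

    Audible content (speech, music) leaks only weakly into the near-ultrasonic
    range and does so smoothly across neighbouring bins, so a lone spike at one
    frequency is the signature of a deliberately injected tone.
    """
    n = len(samples)
    k_beacon = hz_to_bin(beacon_hz, n, sample_rate)
    k_lo = math.ceil(n * REF_BAND[0] / sample_rate)
    k_hi = n * REF_BAND[1] // sample_rate
    ref = [goertzel_bin_power(samples, k)
           for k in range(k_lo, k_hi + 1) if abs(k - k_beacon) > 2]  # skip the main lobe
    # Absolute floor so digital silence or rounding noise cannot yield a huge ratio.
    floor = 1e-9 * sum(x * x for x in samples) + 1e-12
    ref_mean = max(sum(ref) / len(ref), floor)
    beacon = max(goertzel_bin_power(samples, k_beacon), floor)
    return 10.0 * math.log10(beacon / ref_mean)


def has_beacon(samples, beacon_hz=BEACON_HZ, sample_rate=SAMPLE_RATE):
    """True when the frame carries a narrow tone at beacon_hz well above its surroundings."""
    return beacon_score_db(samples, beacon_hz, sample_rate) >= MIN_SCORE_DB


def synth_frame(beacon_amp=0.0, n=FRAME, sample_rate=SAMPLE_RATE):
    """Constructed test audio: two audible tones standing in for a TV soundtrack,
    plus an optional quiet beacon at BEACON_HZ (amplitude 0.02 is -34 dBFS)."""
    out = []
    for i in range(n):
        t = i / sample_rate
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + 0.3 * math.sin(2 * math.pi * 1_000 * t)
        x += beacon_amp * math.sin(2 * math.pi * BEACON_HZ * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, frame in (("plain audio", synth_frame()), ("audio + beacon", synth_frame(0.02))):
        print(f"{label:15s} score={beacon_score_db(frame):6.1f} dB  beacon={has_beacon(frame)}")
```

A real monitor would feed successive microphone frames through has_beacon and
alert on a sustained run of positives, since a single spike can be an artefact.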

------------------------------

Date: Tue, 19 Jan 2016 18:39:52 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Automakers increasing efforts to enhance safety and defend against
  cyberattacks

The U.S. Transportation Department and 17 automakers have reached agreement
on efforts to enhance safety, including sharing information to thwart
cyber-attacks on their increasingly wired vehicles, according to Bloomberg.
"Automakers including General Motors Co., Ford Motor Co. and Toyota Motor
Corp. also agreed to reform the way they report fatalities, injuries and
warranty claims to the government," Jeff Plugis writes.  "The companies
agreed to keep meeting regularly to exchange information and identify
emerging safety issues."

------------------------------

Date: Tue, 19 Jan 2016 16:58:42 -0600
From: Alister Wm Macintyre <macwheel99 () wowway com>
Subject: Affinity sues Trustwave (security news media)

Trustwave disputes some of the following story, from Affinity.
https://www.trustwave.com/home/

Different news media have different dates for some events.  We may need to
use data from the lawsuit to clarify.

Here is the lawsuit:
http://668781195408a83df63a-e48385e382d2e5d17821a5e1d8e4c86b.r51.cf1.rackcdn.com/external/trustwave-complaint_24dec2015.pdf

https://cdn.arstechnica.net/wp-content/uploads/2016/01/trustwave-complaint.pdf

Casino company Affinity Gaming learned about an Oct 2013 data breach and
card malware outbreak from customers and local law enforcement.  Affinity,
HQ in Las Vegas NV, operates 11 casinos in 4 US states, also runs hotels and
restaurants.

Affinity immediately informed card issuers, and their cyber-security
insurance company, ACE.  Card companies had to re-issue cards for the
approx 300,000 customers impacted.  ACE told Affinity that they should hire
a digital forensic investigation firm, of which Trustwave (based in Chicago
IL) was one ACE recommended.  [Truncated for RISKS.  Lots more... PGN]

------------------------------

Date: Thu, 14 Jan 2016 21:46:02 -0700
From: Nick Sizemore <bolshev () theriver com>
Subject: Why no secure architectures in commodity systems?

This message is addressed to the RISKS group as a whole, though the primary
target is the group of security researchers who often post here.  I read
only the digests -- and those, grouped together, at intervals, when I want
to catch up on recent events and developments.  Folks with substantive
responses are encouraged to email me personally, as well as the newsgroup.

Just yesterday I received my letter from OPM regarding the records
compromise, and directing me to their website to avail myself of the
identity protection services they're offering under contract through "ID
Experts".  This prompted me to pose a question that has vexed me for some
time.

In the late seventies researchers working on or associated with Multics came
to the conclusion that truly secure computing was possible only with direct
hardware support.  In the following decade, I saw at least two proposed
commercial ventures to build SW/HW architectures with at least the
beginnings of such hardware support.  Oddly enough, neither venture found
sufficient interest.  Of course, at the time such added hardware would have
been prohibitively expensive for all but the largest organizations with
extremely sensitive information.  Still, it seemed to me that at least some
government agencies and defense contractors would have been eager customers.

Of course, with today's miniaturization, boutique silicon architecture
shops, and foundries, implementing basic features, or even a full secure
kernel, would be straightforward, though establishing user-friendly
configuration mechanisms, or suitable default configurations for different
markets, would still be somewhat of a challenge.  Equally obviously, the
formal design, proof, and testing would be expensive.  Presumably some
consortium of government and corporate organizations could fund the initial
work on the premise that as volume rose on marketing these relatively secure
systems at commodity scale, the revenues and security benefits would reward
their efforts handsomely.

It's possible that at some point researchers determined that security
through software alone was at least possible, if, perhaps, really difficult,
but I never encountered reports of such a discovery.  If this has happened,
I would appreciate one or more pointers to the relevant literature.  If not,
perhaps some among you who have had greater insight into related design and
marketing decisions could share what rationale has prevented relatively
secure architectures from appearing in commodity systems.

It's my perception that such HW/SW architectures, reasonably configured and
deployed, would increase the difficulty - in resource costs - of what, for
want of a better phrase, I will call 'routine hacking' by at least an order
of magnitude.  For systems configured for intensive use of security hardware
features, or a security kernel, the increase might be two or three orders of
magnitude.  Of course, we'd still need much more attention to security-aware
software engineering for systems handling life-critical and mission-critical
systems, but there's already some awareness of that, and it seems to be
increasing, albeit with agonizing slowness.

Nonetheless, unless someone has shown that security is achievable on
commodity architectures in software alone, it seems extremely wasteful to
push more security-aware software engineering, anti-malware software, and
security appliances out into an architectural environment that is severely
handicapped at its lowest levels.

Perceptual corrections welcome.

Nicky L. Sizemore (retired), bolshev (at) theriver (dot) com
Agent, 2nd Class, The Turing Authority ;)

------------------------------

Date: Friday, January 22, 2016
From: *Richard Forno* <rforno () infowarrior org>
Subject: Overhaul Puts Pentagon in Charge of Protecting Federal Security
  Clearance Data (Damian Paletta)

http://blogs.wsj.com/washwire/2016/01/22/pentagon-to-protect-encrypt-federal-security-clearance-data/

The White House Friday announced an overhaul of the government's security
clearance system, creating a new division to handle screenings and directing
the Pentagon to protect the data.

The creation of the National Background Investigations Bureau -- and its
close partnership with the Department of Defense -- is the latest change to
come after the sweeping cyber attack that hit the Office of Personnel
Management last year. In that breach, which U.S. officials have said likely
emanated from Chinese hackers, more than 20 million background check records
and millions of fingerprint reports were stolen.

Many lawmakers were astonished after the breach to find that none of the
background check records were encrypted, making it much easier for thieves
to potentially use the information.

The NBIB will be a division of OPM, but the responsibility for protecting
the information will shift to the Pentagon. The NBIB will incorporate an
existing agency -- the Federal Investigative Service -- which already
conducts background checks for more than 100 federal agencies.

The NBIB's chief will be appointed by the president and [is] expected to
have a higher profile than its predecessor.

Richard Hale, the Pentagon's deputy chief information officer for cyber
security, said Friday that ``we will use encryption everywhere [*] that [is]
appropriate'' and will look closely at what information should remain online
and what records will be essentially disconnected from this network.

``We intend to apply the best practices that we've been able to apply at the
Pentagon,'' said Marcel Lettre, the Defense Department's under secretary for
intelligence.

The U.S. government conducts more than 600,000 security clearance checks
each year for a wide range of agencies, including posts within the military
and law enforcement.

 [* Encryption everywhere, with backdoors so that it can easily be exploited
    by everyone else?  By the way, if you received a letter from OPM
    offering free security/privacy services as compensation for your having
    been included in the purloined data, you might find that if you
    subscribe to the offered services, you will be asked many of the
    questions the answers to which were already in the compromised OPM data
    source!  PGN]

------------------------------

Date: Mon, 18 Jan 2016 8:54:54 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: French seem to have rejected crypto/security backdoors

http://www.theregister.co.uk/2016/01/15/france_backdoor_law/

  [Thanks to Steven M. Bellovin.  PGN]

------------------------------

Date: Mon, 18 Jan 2016 21:58:45 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Royal Melbourne Hospital virus attack

``Patient safety has always been our highest priority and has been maintained
...  Elective surgeries and outpatient appointments are continuing as
normal.''
http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-damaging-computer-virus-20160118-gm8m3v.html

------------------------------

Date: Sat, 23 Jan 2016 10:08:24 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Virus hits TRMC computers

  [Thanks to Richard I Cook MD]

http://www.dailytribune.net/news/virus-hits-trmc-computers/article_ec2e44bc-bf83-11e5-97be-7fdbf276996d.html

------------------------------

Date: Sat, 23 Jan 2016 11:51:59 -0500
From: Monty Solomon <monty () roscom com>
Subject: As More Pay by Smartphone, Banks Scramble to Keep Up (NYTimes)

http://www.nytimes.com/2016/01/19/technology/upstarts-are-leading-the-fintech-movement-and-banks-take-heed.html

A millennial-led shift to digital financial services could upend the
consumer banking industry.

------------------------------

Date: Tue, 19 Jan 2016 13:15:38 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Rarely Patched Software Bugs in Home Routers Cripple Security (WSJ)

WSJ via NNSquad
http://www.wsj.com/articles/rarely-patched-software-bugs-in-home-routers-cripple-security-1453136285

  The reason: A component maker had included the 2002 version of Allegro's
  software with its chipset and hadn't updated it.  Router makers used those
  chips in more than 10 million devices.  The router makers said they didn't
  know a later version of Allegro's software fixed the bug.  The router flaw
  highlights an enduring problem in computer security: Fixing bugs once they
  have been released into the world is sometimes difficult and often
  overlooked. The flaw's creator must develop a fix, or "patch."  Then it
  often must alert millions of technically unsophisticated users, who have
  to install the patch.  The chain can break at many points: Patches aren't
  distributed. Users aren't alerted or neglect to apply the patch.  Hackers
  exploit any weak link.

------------------------------

Date: Wed, 20 Jan 2016 19:27:30 +0000
From: Martin Schaef <martin.schaef () sri com>
Subject: Android bug

Nice bug in linux/android:
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

The question is, how would you detect something like this?

------------------------------

Date: Mon, 18 Jan 2016 09:16:38 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Windows 10 Spying is worse than I ever imagined"

https://www.youtube.com/watch?v=RVzc5wK2-pc

------------------------------

Date: Tue, 19 Jan 2016 11:31:16 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Instagram negatively impacting survival of big cats in the wild
  (Kaleigh Rogers)

Kaleigh Rogers, Cheetahs are Hard, Motherboard, 11 Jan 2016
http://motherboard.vice.com/read/cheetahs-are-hard

Adam Roberts, the CEO of Born Free USA, posits that the biggest threat right
now is the capture of wild cheetahs as exotic pets.  From the article:

Around the world, but in particular the Middle East, pet cheetahs have
become a status symbol and getting your hands on exotic pets in some areas
is ``as easy as acquiring a cupcake.''  With Instagram making it convenient
to flaunt cheetahs-as-accessories, the market for big cats is growing.

------------------------------

Date: Thu, 21 Jan 2016 10:36:17 -0800
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: Facebook vs Indian Internet regulators

Facebook is facing an unusually stiff resistance from Indian
regulators in offering its Free Basics service.

Rohan Venkataramakrishnan, India's Internet regulator just called Facebook's
Free Basics campaign 'crude' and 'dangerous', Scroll.in, 19 Jan 2016
http://scroll.in/article/802128/indias-internet-regulator-just-called-facebooks-free-basics-campaign-crude-and-dangerous

Anuj Srivas,  Net Neutrality Standoff Escalates As TRAI Hauls Facebook Over
the Coals in New Letter, The Wire, 19 Jan 2016
http://thewire.in/2016/01/19/free-basics-standoff-scales-new-height-as-trai-hauls-facebook-over-the-coals-in-new-letter-19658/

Although reports in the US press (e.g., below) implied the battle was over,
it continues.

Vindu Goel, Indian Regulators Suspend Facebook's Free Basic Services,
*The New York Times*,  23 Dec 2015,
http://bits.blogs.nytimes.com/2015/12/23/indian-regulators-suspend-facebooks-free-basic-services/

------------------------------

Date: Mon, 18 Jan 2016 18:56:03 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Pakistan lifts ban on Youtube after launch of own version

[subject to government censorship] (via NNSquad)
http://www.reuters.com/article/us-pakistan-youtube-idUSKCN0UW1ER

  "On the recommendation of PTA, Government of Pakistan has allowed access
  to recently launched country version of YouTube for Internet users in
  Pakistan," the ministry said.  "Google has provided an online web process
  through which requests for blocking access of the offending material can
  be made by PTA to Google directly and Google/YouTube will accordingly
  restrict access to the said offending material for users within Pakistan."
  Blasphemy is a highly sensitive subject in Pakistan, where angry mobs have
  killed many people accused of insulting Islam. The crime of blasphemy can
  carry the death penalty, although a death sentence has never been carried
  out.  Pakistan has blocked thousands of web pages it deems undesirable in
  the last few years as Internet access spreads, but activists say the
  government sometimes blocks sites to muzzle liberal or critical voices.

Government-censorship-enabled YouTube. Not the first time, but an extremely
notable case and potentially the current example with the broadest
implications for creating a slippery slope of ever expanding government
censorship demands made of Google by governments around the planet. Google
must obey national laws where they choose to operate -- but voluntary
participation in such politically-oriented censorship regimes as the price
of doing business in such countries -- even with the benefits to users there
that limited access to YouTube or other Google services can bring -- still
remains highly problematic to say the least.

------------------------------

Date: Tue, 19 Jan 2016 10:02:37 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Lauren's Blog: "Understandable but Very Wrong: Google Enables
  Government YouTube Censorship in Pakistan"

             Understandable but Very Wrong: Google Enables
               Government YouTube Censorship in Pakistan
              http://lauren.vortex.com/archive/001146.html

Literally within hours of the horrifying and sickening news of a 15-year-old
boy in Pakistan who cut off his own right hand after he was the target of
hysterical false accusations of blasphemy, comes word that Google -- in a
successful bid to get a three year YouTube ban in Pakistan lifted -- will be
permitting government officials in that country -- apparently all the way
down to the local level -- essentially unfettered rights to censor and block
individual YouTube videos from view in Pakistan.

This is an enormously troubling development for free speech advocates around
the world, particularly because it's impossible to overlook the relationship
between the boy's actions and the upcoming Pakistan/YouTube censorship
system.  [...]

The powers being ceded to the government there to censor Google at the
individual YouTube video level -- arguably even worse than the EU's awful
"Right To Be Forgotten" (RTBF) scheme -- continues our acceleration down the
slippery slope of permitting governments to demand rights to micromanage
information for their own political benefit and the personal enrichment
(politically and in some cases financially) of their leaders and other
politicians.

I like to think of myself as a "responsible" free speech advocate. That is,
I strongly assert the importance of free speech, but acknowledge that
sometimes, in carefully delineated circumstances that must be minimized as
completely as possible, some restrictions are necessary.

So, for example, I generally strongly support Google/YouTube's global Terms
of Service that prohibit videos that are directly violent -- such as videos
that show physical abuse of people or other animals.

And I have nothing but respect for the Google policy and legal teams that
must deal with these complex multinational situations. Similarly, the work
done by Google engineers on politically neutral abuse detection systems and
that of the human teams that help apply YouTube anti-abuse rules are also
all exemplary.

I've explicitly noted the exceptional circumstances of videos that incite
terrorism, e.g., recently in my discussion of "A Proposal for Dealing with
Terrorist Videos on the Internet" (
http://lauren.vortex.com/archive/001139.html ).

But in Pakistan the concepts of (for example) blasphemy and government
control are intertwined -- accusations of the former are frequently used for
purposes of the latter -- and any discussions that the government there
feels are blasphemous (by their own broad and self-serving definitions) --
or speaking out against the government in any manner -- are key targets for
abusive censorship.

With Google now explicitly buying into this censorship regime as the
price of removing an overall Pakistan block on YouTube -- and note that
the Pakistani government apparently will be setting the standards under
which YT videos will be judged in violation -- the situation in my view
becomes much worse for the population there than would be the case
without access to YT at all (yes, we know that some relatively small
number of people have always gotten through with VPNs and proxies, but
that's largely irrelevant to the overall population).

The Pakistan version of Google-enabled national censorship isn't as
straightforward as say, a relatively "simple" ban against Nazi
memorabilia-related materials in France. In Pakistan, Google has become
much more of a direct partner in the government's very broad,
politically-motivated and personally suppressing censorship actions.

The kind of YT censorship that will be enabled in Pakistan is much more
akin to how China censors its population -- where what will or will not
be allowed to be seen in any media is carefully chosen and restricted to
promote the government line and muzzle dissenting points of view.

I absolutely understand the pragmatic realities of having to obey laws
in those countries in which Google chooses -- voluntarily -- to operate,
but I find the newly announced and apparently Google-endorsed government
controls over YouTube content in Pakistan to be extremely disturbing,
and a horrific precedent for other countries going forward.

------------------------------

Date: Mon, 18 Jan 2016 18:45:41 -0600
From: "Alister Wm Macintyre" <macwheel99 () wowway com>
Subject: 74% of leading US 2016 Presidential Candidates flunk privacy & data
  security (Trust Alliance)

Online Trust Alliance ranked top US 2016 Presidential Candidates on privacy
and data privacy practices.  74% flunked. 26% got excellent grades.  There
was no middle ground.  Since these scores, some have dropped out of the
race, or failed to keep their good scores.

https://otalliance.org/2016-presidential-candidates-online-trust-audit

4 Candidates had no privacy policy.  Several were silent on data sharing.
Several reserved the right to share or sell data.

44% of the candidates used secret domain ownership, making it impossible for
ordinary consumers to distinguish them from criminal look-alikes.

Only 26% of US presidential candidates making the honor roll is not the
worst.  In past audits, it was 20% for IoT and 8% for News.

Overall failing grades by sector:

80% News
76% IoT
74% 2016 US Pres
54% US Fed
49% US FDIC
41% IR 100
38% Social

The US Presidential candidates audit:
https://otalliance.org/system/files/files/initiative/documents/2015_ota_honor_roll_-_candidates_9-18.pdf

  [long message truncated for RISKS.  PGN]

------------------------------

Date: Tue, 19 Jan 2016 13:20:30 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Linux bug imperils tens of millions of PCs, servers, Android phones

Ars Technica via NNSquad
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-millions-of-pcs-servers-and-android-phones/

  For almost three years, millions of servers and smaller devices running
  Linux have been vulnerable to attacks that allow an unprivileged app or
  user to gain nearly unfettered root access.  Major Linux distributors are
  expected to fix the privilege escalation bug this week, but the difficulty
  of releasing updates for Android handsets and embedded devices means many
  people may remain susceptible for months or years.  The flaw, which was
  introduced into the Linux kernel in version 3.8 released in early 2013,
  resides in the OS keyring. The facility allows apps to store encryption
  keys, authentication tokens, and other sensitive security data inside the
  kernel while remaining in a form that can't be accessed by other apps.
  According to a blog post published Tuesday, researchers from security firm
  Perception Point discovered and privately reported the bug to Linux kernel
  maintainers. To demonstrate the risk the bug posed, the researchers also
  developed a proof-of-concept exploit that replaces a keyring object stored
  in memory with code that's executed by the kernel.

------------------------------

Date: Sun, 17 Jan 2016 16:27:55 -0700
From: Warren Pearce <wwpearce () comcast net>
Subject: ColoSpgs NCIC national hub for cybersecurity

The opening of a National Cyber Intelligence Center in Colorado Springs is
expected to accelerate efforts to make the city a national hub for
cybersecurity that will help the thriving local industry grow more quickly,
officials say.

Source: *Colorado Springs Gazette*, 17 Jan 2016
http://gazette.com/national-cybersecurity-center-could-become-huge-economic-driver-for-colorado-springs/article/1567957

W. Warren Pearce, wwpearce () comcast net, Colorado Springs, Col. 1-719-548-1748

------------------------------

Date: Thu, 21 Jan 2016 13:32:28 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Why do people keep coming to this couple's home looking for lost
  phones (Kashmir Hill)

January 21, 2016 5:00 a.m.

"It started the first month that Christina Lee and Michael Saba started
living together. An angry family came knocking at their door demanding the
return of a stolen phone. Two months later, a group of friends came with the
same request. One month, it happened four times.  The visitors, who show up
in the morning, afternoon, and in the middle of the night, sometimes
accompanied by police officers, always say the same thing: their
phone-tracking apps are telling them that their smartphones are in this
house in a suburb of Atlanta."

"The most frustrating thing for Saba and Lee is that there's no definite
answer for why it's happening, no government agency willing to take
ownership over the issue, and so no way to get it to stop.  Since
Lee's parents own the house, moving isn't an option, said Saba."

http://fusion.net/story/214995/find-my-phone-apps-lead-to-wrong-home/

------------------------------

Date: Fri, 22 Jan 2016 09:14:53 -0500
From: Monty Solomon <monty () roscom com>
Subject: Time Inc. Is in the Midst of a Replyallpocalypse

There is almost never a good reason to hit *reply all*. Especially not when
*all* includes a listserv that goes out to thousands of employees at Time
Inc., the country's largest magazine publisher.
http://deadspin.com/time-inc-is-in-the-midst-of-a-replyallpocalypse-1754078898

------------------------------

Date: Mon, 18 Jan 2016 16:41:39 -0500
From: Dave Kristol <dmk () acm org>
Subject: Risks of impostors

I was co-editor of two RFCs regarding HTTP Cookies, RFC 2109 and RFC 2965.
I also wrote a paper about the evolution of the cookie RFCs [1].

I don't usually go ego surfing, but I was drawn to the Wikipedia article on
HTTP Cookies [2] by a remark and reference in an IETF mailing list email.  I
proceeded to read the article's History section and learned to my surprise
that "... the group, headed by Kristol himself and Aron Afatsuom, soon
decided to use the Netscape specification...".  I have never heard of Aron
Afatsuom (Lou Montulli was my collaborator), but his name has proliferated
around the web as people have more or less copied the (erroneous) text from
the Wikipedia article.  I have an edit pending to correct the error on
Wikipedia, at least.

The most obvious risk is that people believe what they read on the Internet.
Another is that this person might use the search results for personal
puffery.

I'd love to know when, how, and why that name got into the Wikipedia
article.

[1] <http://arxiv.org/abs/cs.SE/0105018>
[2] <https://en.wikipedia.org/wiki/HTTP_cookie>

  [Aron Afatsuom = Nora Moustafa reversed?  PGN]

------------------------------

Date: Thu, 14 Jan 2016 14:25:08 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: The resolution of the Bitcoin experiment

via NNSquad
https://medium.com/@octskyward/the-resolution-of-the-bitcoin-experiment-dabb30201f7#.443qscsws

  Mike Hearn writes:

  "I've spent more than 5 years being a Bitcoin developer.  The software
  I've written has been used by millions of users, hundreds of developers,
  and the talks I've given have led directly to the creation of several
  startups. I've talked about Bitcoin on Sky TV and BBC News. I have been
  repeatedly cited by the Economist as a Bitcoin expert and prominent
  developer. I have explained Bitcoin to the SEC, to bankers and to ordinary
  people I met at cafes.  From the start, I've always said the same thing:
  Bitcoin is an experiment and like all experiments, it can fail. So don't
  invest what you can't afford to lose. I've said this in interviews, on
  stage at conferences, and over email. So have other well known developers
  like Gavin Andresen and Jeff Garzik.  But despite knowing that Bitcoin
  could fail all along, the now inescapable conclusion that it has failed
  still saddens me greatly. The fundamentals are broken and whatever happens
  to the price in the short term, the long term trend should probably be
  downwards. I will no longer be taking part in Bitcoin development and have
  sold all my coins."

------------------------------

Date: Fri, 22 Jan 2016 22:37:29 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Pound vs. Dollar vs. ASCII (Re: Baker, 29.21)

We read: London's City Airport also recently won \243800,000 of funding
Hmmm,
$ unicode pound
U+00A3 POUND SIGN
UTF-8: c2 a3 UTF-16BE: 00a3 Decimal: &#163; Octal: \0243
$ unicode dollar
U+0024 DOLLAR SIGN
UTF-8: 24 UTF-16BE: 0024 Decimal: &#36; Octal: \044

So a pound is worth 243/44 times as much as a dollar. Actually more, as
a dollar is ASCII and thus safe from getting mangled...

------------------------------

Date: Thu, 14 Jan 2016 18:18:02 -0800
From: "Mark E. Smith" <mymark () gmail com>
Subject: Re: Ballot Battles: The History of Disputed Elections in the U.S.

Luthor Weeks wrote: "There is no easy solution. It would likely require a
Constitutional Amendment."

After several years as an election integrity researcher and activist, I came
to a similar but more far reaching conclusion. I think election integrity in
the US would require not just a Constitutional Amendment, but an entirely
new Constitution, one that vested supreme power over government in the hands
of the people rather than in the hands of an unelected supreme court or any
other government officials, branches, or agencies.

Such a Constitution would require that all votes be counted, that the
electoral process be transparent and verifiable, and that disputes be
resolved only by recourse to the voters themselves--since they alone would
have the supreme power to resolve such disputes. It would also establish
that all elected officials could quickly and directly be held accountable by
the voters who elected them if said officials failed to represent their
constituents, and that all ultimate policy decisions be put to a public vote
rather than being decided by elected officials without regard to the wishes
of the people who elected them.

Coincidentally, the vesting of supreme power over government in the hands of
the people happens to be a primary dictionary definition of a democratic
form of government.

In other words, the problem is not what author Edward B. Foley called, "...a
failure of American government to operate as a well-functioning democracy,"
but the failure of the Constitution to have established a democratic form of
government in the first place.

In a democratic form of government, voters do not delegate their power to
those they elect, in the form of a blank check or a full power of attorney,
but merely delegate to elected officials the duties of carrying out the
wishes of the people.

As long as we do not have a democratic form of government, our elections are
not likely to be democratic in nature either.

------------------------------

Date: Fri, 15 Jan 2016 13:47:29 -0600
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Michigan IT security audit (AlMac, RISKS-29.21)

The State of Michigan had an IT audit, with poor results.

Whether cybersecurity is real or a bubble about to burst, it has at least a
few bubbly features: it's where the jobs are so it's where "teach yourself
IT security in 14 days" professionals get employed. It's also where
investors invest -- and expect an ROI back.

I've seen a couple of audits and met an auditor or two. Comments based on
that very limited experience:

  Critical state operations are on 30 unsupported (obsolete) versions of
  UNIX.

I'm having a hard time naming 30 versions of UNIX.

A typical security audit reports a version of a software as "obsolete bright
red security hole" because the assessment is: check reported version string
against a list of -- typically "known good" -- version strings. It does not
take into account, for example, the vendor's patches.

  90% of the servers are not kept current with patches. If they get hacked,
  they don't have the controls to detect that.  (very unhealthy)

If they're all obsolete and unsupported, how come 10% of them are still
receiving patches?

In real life turnkey systems don't get patched because it'll void your
warranty. Ditto for installing "un-vetted" software like said controls.  So
you defend them at the perimeter instead -- far from ideal, but that's the
best you can do. I've never seen an audit take that into account.

  84% of the servers had not had passwords changed in a timely fashion, with
  one not changed in nine years.
(I have seen worse.)

There's been plenty said in this forum and elsewhere about how forced
password changes make passwords worse. Sadly, useless metrics are a very
common feature of IT security audits.

  47% of the tested servers had had no vulnerability scans in over a month.

Well, if you have a system that hasn't been updated in 10 years, the only
new vulnerabilities are if the hackers got in and installed backdoors.  In that
scenario periodic vulnerability scans are only useful as part of an
intrusion detection system.

Out of context that metric is of questionable value. In other words,

  $2.9 million had been spent on a security tool, not installed on all
  servers, for which this tool was paid for.

I'm having difficulties with that idea. I mean, if there is a security tool
capable of running on 30 different obsolete versions of unix, $2.9M would be
a fair price tag. I strongly suspect that in reality the tool was for "80%
untested Windows servers" and had nothing to do with the rest of the bullet
points.
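The version-string check the post describes, as an added example (not the author's code and not any real audit tool): a naive known-good-list comparison beside one that consults the vendor's patch level, run over constructed banners. The known-good list, the backport table and the "trailing integer is the patch level" banner convention are all hypothetical.

```python
import re
from typing import Optional, Tuple

# Constructed sample data (hypothetical, not a real advisory table).
# An auditor's "known good" list: upstream versions accepted as current.
KNOWN_GOOD_UPSTREAM = {"7.4"}
# Vendor backports: (vendor, upstream version) -> minimum vendor patch level
# in which the vendor shipped the relevant security fixes.
VENDOR_FIXED_LEVEL = {("ubuntu", "6.6.1"): 13}

BANNER_RE = re.compile(r"OpenSSH_([\d.]+)(?:p\d+)?(?:\s+([A-Za-z]+)-(\S+))?")

def parse_banner(banner: str) -> Optional[Tuple[str, Optional[str], Optional[int]]]:
    """Split a reported version string into (upstream, vendor, patch level).

    The patch level is the trailing integer of the vendor suffix; that is a
    constructed convention for this example, not a real packaging rule.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    upstream, vendor, suffix = m.group(1), m.group(2), m.group(3)
    level = None
    if suffix:
        tail = re.search(r"(\d+)$", suffix)
        level = int(tail.group(1)) if tail else None
    return upstream, (vendor.lower() if vendor else None), level

def naive_check(banner: str) -> str:
    """The audit logic the post describes: compare the upstream version
    string against a known-good list and ignore everything else."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    return "ok" if parsed[0] in KNOWN_GOOD_UPSTREAM else "obsolete"

def patch_aware_check(banner: str) -> str:
    """Same check, but consult the vendor patch level before flagging."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    upstream, vendor, level = parsed
    if upstream in KNOWN_GOOD_UPSTREAM:
        return "ok"
    needed = VENDOR_FIXED_LEVEL.get((vendor, upstream))
    if needed is None or level is None:
        return "obsolete"          # no known backport: the flag stands
    return "ok (vendor-patched)" if level >= needed else "obsolete"

# Constructed banners, as a scanner would read them from the service.
SAMPLE_BANNERS = [
    "OpenSSH_7.4",                          # current upstream
    "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",   # old upstream, fixes backported
    "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3",    # old upstream, not yet patched
]

def compare_all(banners=SAMPLE_BANNERS):
    """Return {banner: (naive verdict, patch-aware verdict)}."""
    return {b: (naive_check(b), patch_aware_check(b)) for b in banners}

if __name__ == "__main__":
    for banner, (naive, aware) in compare_all().items():
        print(f"{banner:40s} naive={naive:10s} patch-aware={aware}")
```

The second banner is the case the post complains about: the naive check paints it "bright red" although the vendor has already shipped the fix.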

------------------------------

Date: 15 Jan 2016 02:28:02 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: USC students required to detail sexual history before
  registering for classes (Anthony Gockowski)

I wonder how many students answer truthfully.  From what I can see of the
sample screens, you'll get through the online course a lot faster if you
answer all the questions zero, never, and none.

------------------------------

Date: Sun, 17 Jan 2016 14:22:57 -0500
From: "Robert Mathews (OSIA)" <mathews () hawaii edu>
Subject: Privacy, Safety, Security & Healthcare --> Seeking Your Scholarship

Springer [Berlin-Heidelberg] takes great pleasure in announcing that its
peer-reviewed Health & Technology Journal intends to publish a Special Issue
on a subject of vital significance; the topic of Privacy, especially as it
pertains to Healthcare.  This issue will be published during the latter half
of 2016.  The Journal Special Issue aims to produce a volume that will be
prodigious in its scope of inquiry, and contents; beginning with one's
understanding of, and a clarity into the subject of Privacy, and a
noticeable command of its many working components.

Please accept a Letter of Invitation.
[https://www.hawaii.edu/csati/SI-LoI.pdf]
Dr. Robert Mathews, D.Phil., Office of Scientific Inquiry & Applications
University of Hawai'i, 1 703 655 7124

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.22
************************