RISKS Forum mailing list archives
Risks Digest 29.55
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 7 Jun 2016 14:46:27 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 7 June 2016  Volume 29 : Issue 55

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.55.html>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
An expensive Pivot Table (Patrick O'Beirne)
Nanaimo hospital health-care system problems (dkross)
Hackers disrupt Russian Internet Primaries (RT)
"Push for encryption law falters despite Apple case spotlight" (via John Gilmore)
"FBI pushes for more power to crush your privacy" (Caroline Craig)
Yahoo Announces Public Disclosure of National Security Letters (LW)
"Judge sends two to prison for 7 years for H-1B fraud" (Patrick Thibodeau)
App to get PII from CAC card (Jeremy Epstein)
"Android gets patches for serious flaws in hardware drivers and mediaserver" (Lucian Constantin)
Geopolitical Hedging as a Service (JEBruner)
TeamViewer users are being hacked in bulk, and we still don't know how (Ars Technica)
Dutch Firm Trains Eagles to Take Down High-Tech Prey: Drones (NYTimes)
Dodgers using a global positioning device to situate their fielders (NYTimes)
This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip (Andy Greenberg)
Password app developer overlooks security hole to preserve ads (Engadget)
Facebook, Twitter, YouTube and Microsoft agree to remove hate speech across the EU (techcrunch)
Samsung: Don't install Windows 10.
  REALLY (The Register)
Phones and Badges, whatever could go wrong...wrong....wrong (David Lesher)
"Oracle employee says she was sacked for refusing to fiddle cloud accounts" (John Ribeiro)
"NSW government playing Big Brother with citizens' data" (Asha Barbaschow)
"Right to be forgotten" extends to newspaper archives (Flanders Today)
Holiday Fun: "glitch" at Kennedy: pen and paper check in (dkross)
OPM and US gov breach theater (Alister Wm Macintyre)
Re: Major Cell Phone Radiation Study Reignites Cancer Questions (David Brodbeck)
Re: The risk of blaming the messenger (Jay Libove)
Re: France's Guillotining of Global Free Speech (Chris Drewe)
The Oracle Effect: 'isis' (Daily WTF, PGN)
Re: Microsoft accused of Windows 10 upgrade "nasty trick" (Jack Christensen)
Re: Another Risk of Self-Driving Cars; Clogged Highways?!? (Craig Burton)
Re: Connected Car Security (John Levine)
Re: In Oracle v. Google, a Nerd Subculture Is on Trial (John Levine)
Re: Theoretical Breakthrough Made in Random Number Generation (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 1 Jun 2016 12:09:59 +0100
From: "Patrick O'Beirne" <pob () sysmod com>
Subject: An expensive Pivot Table

Recently discussed on the Eusprig (European Spreadsheet Risk Interest Group) mail list:

A hospital trust in Blackpool (pop. 145,000) in the UK was fined 185,000 GBP for leaking sensitive information via an Excel PivotTable.
https://ico.org.uk/media/action-weve-taken/mpns/1624118/blackpool-nhs-trust-monetary-penalty-notice.pdf

It is a problem of the sorcerer's apprentice: knowing enough to be dangerous. To paraphrase Barry Boehm, "[EUC gives] many who have little training or expertise in how to avoid or detect high-risk defects tremendous power to create high-risk defects."

The key point is "The Trust knew or ought to have envisaged those risks and it did not take reasonable steps to prevent the contravention."
So: if they OUGHT to have known, by what means were they expected to envisage those risks? What guidance is available that describes that issue? Is it part of any accredited training materials?

The answer I think is here: "It is worth noting that the Commissioner's office issued two monetary penalty notices on 30 July 2012 (Torbay NHS Trust) and 20 August 2013 (Islington Council) which raised awareness about the issue of data that could be hidden in pivot tables. The Commissioner's office also published a blog on 28 June 2013 entitled The Risk of Revealing Too Much."
https://iconewsblog.wordpress.com/2013/06/28/ico-blog-the-risk-of-revealing-too-much/

This shows the pivot table feature in question. Just to explain: if the pivot cache is present, then even if the original data sheet is deleted, the data can be recreated by a simple double-click on a PivotTable cell.

They reference:
https://iconewsblog.wordpress.com/2015/11/13/the-dangers-of-hidden-data/
https://www.mysociety.org/2013/06/13/whatdotheyknow-team-urge-caution-when-using-excel-to-depersonalise-data/
Read the "Five Key Messages" at the end.

This is of course just one such example. The hidden rows in Barclays' bid for Lehman assets, or the summary chart in a paper on hospital treatments which had the entire Excel spreadsheet embedded in it, are more.

Patrick O'Beirne, Systems Modeling  http://www.sysmod.com
http://ie.linkedin.com/in/patrickobeirne

------------------------------

Date: Mon, 30 May 2016 17:39:12 +0000
From: "Deank..vzw" <dkross () vzw blackberry net>
Subject: Nanaimo hospital health-care system problems

http://www.theprovince.com/health/local-health/nanaimo+doctors+electronic+health+record+system/11947563/story.html

But nine weeks after startup, physicians in the Nanaimo hospital's intensive-care and emergency departments reverted to pen and paper this week *out of concern for patient safety*.
Doctors said the system is flawed -- generating wrong dosages for the most dangerous of drugs, diminishing time for patient consultation, and losing critical information and orders...

...But doctors complain the new technology is slow, overly complicated and inefficient.

``The iHealth computer interface for ordering medications and tests is so poorly designed that not only does it take doctors more than twice as long to enter orders, even with that extra effort, serious errors are occurring on multiple patients every single day,'' wrote one physician at the Nanaimo hospital. ``Tests are being delayed. Medications are being missed or accidentally discontinued.''

Doctors can't easily find information entered by nurses, the physician wrote.

------------------------------

Date: Mon, 30 May 2016 16:23:38 -0400
From: Jeremy Epstein <jeremy.j.epstein () GMAIL COM>
Subject: Hackers disrupt Russian Internet Primaries

https://www.rt.com/politics/344827-voters-personal-data-leaked-online/
Opposition PARNAS party cancels primaries over massive leak of voters' personal data, RT, 30 May 2016

The Russian Party of People's Freedom, PARNAS, has had to suspend its Internet primaries after a file with personal details of all participants was placed on the party's website. Top party officials blame unidentified hackers for the privacy breach.

PARNAS was holding primaries in order to finalize its list of candidates for the September parliamentary elections. Ninety-six candidates and about 24,000 voters registered for the procedure, but the number of those who actually voted was much lower.

The file containing logins and passwords of everyone who had taken part in the primaries was posted on the PARNAS website on Sunday afternoon. The data was real and allowed anyone to see full details of any voter -- including name, emails and phone numbers, as well as the people they voted for.
Site administrators had to shut down the Internet voting earlier than planned and recommended that their supporters urgently change all their passwords.

------------------------------

Date: Sun, 29 May 2016 23:17:50 -0700
From: John Gilmore <gnu () toad com>
Subject: "Push for encryption law falters despite Apple case spotlight" (Volz et al.)

http://www.reuters.com/article/us-usa-encryption-legislation-idUSKCN0YI0EM
Dustin Volz, Mark Hosenball and Joseph Menn, Reuters, 27 May 2016

After a rampage that left 14 people dead in San Bernardino, key U.S. lawmakers pledged to seek a law requiring technology companies to give law enforcement agencies a "back door" to encrypted communications and electronic devices, such as the iPhone used by one of the shooters.

Now, only months later, much of the support is gone, and the push for legislation dead, according to sources in congressional offices, the administration and the tech sector.

Draft legislation that Senators Richard Burr and Dianne Feinstein, the Republican and Democratic leaders of the Intelligence Committee, had circulated weeks ago likely will not be introduced this year and, even if it were, would stand no chance of advancing, the sources said.

Key among the problems was the lack of White House support for legislation in spite of a high-profile court showdown between the Justice Department and Apple Inc over the suspect iPhone, according to Congressional and Obama Administration officials and outside observers.

"They've dropped anchor and taken down the sail," former NSA and CIA director Michael Hayden said.
------------------------------

Date: Mon, 06 Jun 2016 09:32:13 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "FBI pushes for more power to crush your privacy" (Caroline Craig)

Caroline Craig, InfoWorld, 3 Jun 2016
The FBI continues its push to greatly expand government surveillance and exempt that spying from constitutional safeguards and privacy rules
http://www.infoworld.com/article/3078179/privacy/fbi-pushes-for-more-power-to-crush-your-privacy.html

opening text:

Like living in a police state much? The FBI is pushing on multiple fronts to greatly expand its surveillance powers and exempt that spying from constitutional safeguards and privacy rules. Many in Congress are only too happy to help.

With a treasure trove of digital information tantalizingly within reach, the FBI doesn't want to be slowed down by inconveniences like Fourth Amendment protections. So frustrated is FBI chief James Comey by constitutional limits that he told the Senate Intelligence Committee that the FBI's difficulty in getting its hands on Americans' online communications resulted from a "typo" in the law that should be changed. He may get his wish.

------------------------------

Date: Sun, 5 Jun 2016 15:33:00 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Yahoo Announces Public Disclosure of National Security Letters

https://yahoopolicy.tumblr.com/post/145258843473/yahoo-announces-public-disclosure-of-national

As part of our ongoing commitment to transparency, Yahoo is announcing today the public disclosure of three National Security Letters (NSLs) that it received from the Federal Bureau of Investigation (FBI). This marks the first time any company has been able to publicly acknowledge receiving an NSL as a result of the reforms of the USA Freedom Act.
We're able to disclose details of these NSLs today because, with the enactment of the USA Freedom Act, the FBI is now required to periodically assess whether an NSL's nondisclosure requirement is still appropriate, and to lift it when not. We believe this is an important step toward enriching a more open and transparent discussion about the legal authorities law enforcement can leverage to access user data.

------------------------------

Date: Mon, 06 Jun 2016 10:14:16 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Judge sends two to prison for 7 years for H-1B fraud" (Patrick Thibodeau)

Patrick Thibodeau, Computerworld, 4 Jun 2016
Company ran 'a captive stable of cheap labor,' say U.S. officials
http://www.computerworld.com/article/3079224/it-careers/judge-sends-two-to-prison-for-7-years-for-h-1b-fraud.html

opening text:

Two brothers were sentenced Friday to 87 months in prison for running an H-1B fraud scheme intended to create a low cost, on-demand workforce, federal law enforcement officials said.

------------------------------

Date: Fri, 3 Jun 2016 10:10:53 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: App to get PII from CAC card

US Department of Defense employees use Common Access Cards (typically, and redundantly, called "CAC Cards"). Depending on the specific parts of DoD, these are used both as ID badges and access cards (e.g., to get into buildings or to access computers), etc. Since in many places these are the ID badges, they are typically worn on a necklace or on a pocket or belt, but in general in a place that's highly visible. Employees are generally instructed not to have their badges visible outside their work location, but that rule is honored in the breach. (For example, on the subway, or in restaurants near DoD offices at lunchtime.)

The CAC Card has a 2D barcode, which apparently includes the person's name, SSN, and other information, in an unencrypted form.
Someone developed a mobile phone app (called CACscan) which retrieves this information from a photo. [See https://www.reddit.com/r/AirForce/comments/4l6tui/just_got_this_email_about_the_google_play_app/ for a discussion.]

The response to this app has been interesting: basically broken into recommendations to protect (e.g., don't leave your card visible when outside work, watch for people taking photographs) and foolish (e.g., don't download the app, which doesn't solve the problem). [The latter can be found at https://ellsworthafrc.org/2016/05/25/attention-android-device-owners-do-not-use-cac-scan-app/ ]

Surprisingly, or not, I've not seen anything discussing *fixing* the problem. Or maybe it's effectively impossible to do anything in the short term, given the number of cards that would need to be reissued, systems that would need to be revised to deal with encrypted bar codes, etc.

------------------------------

Date: Mon, 06 Jun 2016 15:33:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Android gets patches for serious flaws in hardware drivers and mediaserver" (Lucian Constantin)

Google has fixed more than 30 vulnerabilities in Android.
Lucian Constantin, InfoWorld, 6 Jun 2016
http://www.infoworld.com/article/3079791/android/android-gets-patches-for-serious-flaws-in-hardware-drivers-and-mediaserver.html

opening text:

The June batch of Android security patches addresses nearly two dozen vulnerabilities in system drivers for various hardware components from several chipset makers.

The largest number of critical and high severity flaws were patched in the Qualcomm video driver, sound driver, GPU driver, Wi-Fi driver, and camera driver. Some of these privilege escalation vulnerabilities could allow malicious applications to execute malicious code in the kernel leading to a permanent device compromise.
------------------------------

Date: Fri, 3 Jun 2016 10:14:26 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Geopolitical Hedging as a Service (JEBruner)

http://jebruner.com/2016/06/geopolitical-hedging-as-a-service/

Google and Microsoft have found themselves embroiled in some awkward geopolitical disputes as they've made their mapping services available around the world, and they've found a brilliant diplomatic workaround to the demands of dogmatic politicians: they give each country the map that its government wants, serving it seamlessly to domestic users by reckoning the locations of their IP addresses.

It's possible to force these services to display the map corresponding to a particular country, though, and I've done that here in order to compare the maps that they serve to different constituencies. Try out some examples of delicate sensibilities by clicking the links below, or explore the map comparisons by using the drop-down menus. Click the [=>] symbol for more background on each disagreement.

Obi-Wan: "Luke, you're going to find that many of the truths we cling to depend greatly on our own point of view."

------------------------------

Date: Sun, 5 Jun 2016 12:09:07 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: TeamViewer users are being hacked in bulk, and we still don't know how (Ars Technica)

http://arstechnica.co.uk/security/2016/06/teamviewer-users-hacked-but-how/

For more than a month, users of the remote login service TeamViewer have taken to Internet forums to report their computers have been ransacked by attackers who somehow gained access to their accounts. In many of the cases, the online burglars reportedly drained PayPal or bank accounts. No one outside of TeamViewer knows precisely how many accounts have been hacked, but there's no denying the breaches are widespread.

TeamViewer has also long been the favored tool of fake support scammers.
------------------------------

Date: Sun, 29 May 2016 02:10:10 -0400
From: Monty Solomon <monty () roscom com>
Subject: Dutch Firm Trains Eagles to Take Down High-Tech Prey: Drones (NYT)

When small, off-the-shelf models pose security or other threats, birds have the advantage of grounding them without a potentially dangerous crash.
http://www.nytimes.com/2016/05/29/world/europe/drones-eagles.html

------------------------------

Date: Sun, 29 May 2016 02:28:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: Dodgers using a global positioning device to situate their fielders

Chase Utley, Missed by a Pitch, Burns the Mets With Two Home Runs
http://www.nytimes.com/2016/05/29/sports/baseball/chase-utley-missed-by-noah-syndergaard-pitch-burns-the-mets.html

The Mets reportedly complained to Major League Baseball about the Dodgers using a global positioning device to situate their fielders.

``We observed some members of the Dodgers organization using technology to establish defensive positions, presumably for use during the game. Major League Baseball is going to look at that issue,'' Mets General Manager Sandy Alderson told ESPN.

The Dodgers did not deny using such a device as a positioning and scouting aid, though they said it was not employed during a game. There is no MLB rule outlawing the method.

The Dodgers reportedly asked the Mets if they could paint lines on the Citi Field grass as markers for their fielders, but Alderson denied the request.
------------------------------

Date: Sunday, June 5, 2016
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip (Andy Greenberg)

Andy Greenberg, *WiReD*, 1 Jun 2016
<https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/>

Security flaws in software can be tough to find. Purposefully planted ones, hidden backdoors created by spies or saboteurs, are often even stealthier. Now imagine a backdoor planted not in an application, or deep in an operating system, but even deeper, in the hardware of the processor that runs a computer. And now imagine that silicon backdoor is invisible not only to the computer's software, but even to the chip's designer, who has no idea that it was added by the chip's manufacturer, likely in some far-flung Chinese factory. And that it's a single component hidden among hundreds of millions or billions. And that each one of those components is less than a thousandth of the width of a human hair.

In fact, researchers at the University of Michigan haven't just imagined that computer security nightmare; they've built and proved it works. In a study that won the best paper award at last week's IEEE Symposium on Privacy and Security, they detailed the creation of an insidious, microscopic hardware backdoor proof-of-concept. And they showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system.
Most disturbingly, they write, that microscopic hardware backdoor wouldn't be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.

``Detecting this with current techniques would be very, very challenging if not impossible,'' says Todd Austin, one of the computer science professors at the University of Michigan who led the research. ``It's a needle in a mountain-sized haystack.'' Or as Google engineer Yonatan Zunger wrote after reading the paper: ``This is the most demonically clever computer security attack I've seen in years.''

  [... The paper considers inserting analog devices as simple as a capacitor. PGN]

------------------------------

Date: Sat, 4 Jun 2016 21:26:39 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Password app developer overlooks security hole to preserve ads

http://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.
------------------------------

Date: Tue, 31 May 2016 07:43:33 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook, Twitter, YouTube and Microsoft agree to remove hate speech across the EU (techcrunch)

http://techcrunch.com/2016/05/31/facebook-twitter-youtube-and-microsoft-agree-to-remove-hate-speech-across-the-eu/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Facebook, Twitter, Google's YouTube, Microsoft as well as the European Commission unveiled a new code of conduct to remove hate speech according to community guidelines in less than 24 hours across these social media platforms. The EU has ramped up efforts leading to this code of conduct following the recent terrorist attacks in Brussels and Paris.

Also:

Beware the Global Net Police
http://archive.wired.com/politics/law/news/2002/12/56916
(2002 in "Wired" by yours truly)

A Proposal for Dealing with Terrorist Videos on the Internet
http://lauren.vortex.com/archive/001139.html
(Dec 2015 from my legacy blog)

------------------------------

Date: Wed, 1 Jun 2016 08:54:25 -0700
From: "PFIR (People For Internet Responsibility)"
Subject: Samsung: Don't install Windows 10. REALLY

http://www.theregister.co.uk/2016/05/31/windows_10_samsung_fail/

Samsung is advising customers against succumbing to Microsoft's nagging and installing Windows 10. The consumer electronics giant's support staff have admitted drivers for its PCs still don't work with Microsoft's newest operating system and told customers they should simply not make the upgrade. That's nearly a year after Microsoft released Windows 10 and with a month to go until its successor, Windows 10 Anniversary Update, lands.

Samsung's customers have complained repeatedly during the last 12 months of being either unable to install Microsoft's operating system on their machines or Windows 10 not working properly with components if they do succeed.
However, with the one-year anniversary fast approaching it seems neither of these tech giants have succeeded in solving these persistent problems.

------------------------------

Date: Sun, 05 Jun 2016 16:38:48 -0400
From: David Lesher <wb8foz () panix com>
Subject: Phones and Badges, whatever could go wrong...wrong....wrong

Kastle Systems, a supplier of access control systems, has a new application to turn your cell phone into your building access badge.

We don't need no syncing badges!

I can't imagine anything would ever go wrong. No one's phone ever gets cracked, no OS upgrade breaks existing apps, phones are never stolen, and the batteries last forever!

<https://www.washingtonpost.com/business/capitalbusiness/with-new-hands-free-system-kastle-is-investing-big-in-office-security/2016/06/03/3f018a0a-2429-11e6-9e7f-57890b612299_story.html>

  [Also noted by Geoff Goodfellow. PGN]

------------------------------

Date: Fri, 03 Jun 2016 11:27:22 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Oracle employee says she was sacked for refusing to fiddle cloud accounts" (John Ribeiro)

John Ribeiro, InfoWorld, 2 Jun 2016

There are lies, damned lies, statistics, damned statistics, and then there are CPU benchmark scores. To this, we might add market share:

Svetlana Blackburn says she was terminated from her job as senior finance manager because she threatened to blow the whistle on accounting principles she considered unlawful
http://www.infoworld.com/article/3078071/cloud-computing/oracle-employee-says-she-was-sacked-for-refusing-to-fiddle-cloud-accounts.html

selected text:

A senior finance manager in Oracle's cloud business has complained to a federal court that she was terminated from her job because she refused to go along with accounting principles she considered unlawful.
Blackburn alleges that upper management was trying to fit "square data into round holes" in a bid to boost the financial reports of the cloud services business, which would be "paraded" before company leaders and investors.

------------------------------

Date: Fri, 03 Jun 2016 12:02:47 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "NSW government playing Big Brother with citizens' data"

Asha Barbaschow, ZDnet, 3 Jun 2016
The New South Wales government has undertaken a project in Sydney's south to determine who lives where and with whom, with the intention of reducing monitoring residents' movements to 30-minute intervals.
http://www.zdnet.com/article/nsw-government-playing-big-brother-with-citizens-data/

------------------------------

Date: Mon, 30 May 2016 19:19:59 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "Right to be forgotten" extends to newspaper archives

http://www.flanderstoday.eu/business/right-be-forgotten-extends-newspaper-archives

The "right to be forgotten", which allows members of the public to have references to their private life removed from Internet searches, also extends to newspaper archives, the Cassation Court has ruled ... The Rossel group said it regretted the ruling, which it said "opens the door to the rewriting of history".

Now they're going after primary sources, not restricted to search results. This is an Orwellian nightmare in the making.

------------------------------

Date: Mon, 30 May 2016 17:08:05 +0000
From: "Deank..vzw" <dkross () vzw blackberry net>
Subject: Holiday Fun: "glitch" at Kennedy: pen and paper check in

Shutdowns are front page news when at airports... but at hospitals, not.

http://www.post-gazette.com/news/transportation/2016/05/30/Computer-glitch-resolved-at-JFK-Airport-after-massive-delays-memorial-day-new-york-Verizon/stories/201605300091

Mr. Buccino said a server providing wireless Internet and other computer services had problems at about 4 p.m. Sunday, which required manual check-in.
An airport official said the services were provided by Verizon, which did not offer a comment when reached on late Sunday. Mr. Buccino said Terminal 7 is operated by British Airways, which leases space to other carriers. He said at one point Sunday night, more than 1,000 passengers were waiting in line to get checked in.

A line of frustrated economy-class passengers could be seen stretching out the terminal doors, snaking up the sidewalk all the way back onto the elevated roadway that leads to the terminal. Inside, airline employees were writing boarding passes by hand, sometimes in pencil.

------------------------------

Date: Fri, 3 Jun 2016 07:39:32 -0500
From: "Alister Wm Macintyre (Wow)" <macwheel99 () wowway com>
Subject: US gov breach theater

With many organizations, as soon as any employee detects that a breach, or other cyber intrusion, is in progress, that individual captures evidence of what's going on, and informs upper management. If upper management believes the employee report, then the exposed material is shut down from the Internet to prevent further leakage, unless the organization already has some plan in place to let the leakage continue, because law enforcement can track the perpetrators, and is more likely to catch them if the leak continues. Sometimes security personnel are authorized to do the shut down, without waiting on upper management approval. That is the normal process, but there are exceptions.

OPM breach, new info I learned, thanks to a post on a LinkedIn cyber security group:

The breach was first discovered April 15 or 16, 2015 by an OPM contract engineer, with CSRA, using a Cylance tool. Within a day, OPM sought help with this situation from the U.S. Computer Emergency Readiness Team (US-CERT). A week later, April 22, it was re-discovered by a CyTech Services demo of cyber breach detection software.
It appears that OPM was more interested in comparing cyber security detection products than in fixing known vulnerabilities. CyTech says they helped OPM clean up the vulnerability, thanks to an oral contract with OPM, for which they are owed $600,000.00. OPM denies this.

http://democrats.oversight.house.gov/sites/democrats.oversight.house.gov/files/documents/2016-05-26.EEC%20to%20HPSCI%20Re.CyTech.pdf
http://fedscoop.com/how-the-opm-breach-was-really-discovered
https://fcw.com/articles/2016/05/26/cummings-letter-opm-breach.aspx

Manchurian chip is when hardware & software is purchased from nations which are not good friends, so there is a risk that they will come supplied with spy tech to help our adversaries. Many gov tech buyers have not yet learned that lowest bidder increases risk of this. It amazes me that our US State Dept buys computer stuff from Iran, China, Russia and North Korea. Sounds like the division which identifies threats is not on speaking terms with the one which figures out where to buy stuff. That tends to support my notion that the Clinton server was safer than the gov server.

The Clinton e-mail server story has not changed, except for a few additions; latest -- it had an Internet-based printer.
http://krebsonsecurity.com/2016/05/did-the-clinton-email-server-have-an-internet-based-printer/

I think the bigger political tech story will be when MSNM starts covering the trial, where on the very first day of the Republican Convention, Donald Trump is scheduled to be in court to answer charges of fraud with his Trump University. Which of the two places will he show up at? If he fails to appear at the trial, will federal marshals be sent to drag him away from the convention?

DHS recently did a penetration test of SSA, and had no trouble getting into everything. The test was at the request of the Social Security Administration, which did not think the problem warranted notification of the Inspector General.
Congressional oversight is not happy, but will they budget $ to fix this? I doubt it.
http://www.politico.com/tipsheets/morning-cybersecurity/2016/05/credit-for-discovering-the-opm-breach-electronic-communications-transaction-records-fight-unfolds-united-states-and-brazil-no-good-on-botnets-214527

OPM Breach: we previously learned that this was one of the worst breaches for the federal government, and it was thanks to NSA injecting vulnerabilities into software sold to the feds. NSA believes that they can spy on anything they please this way, without anyone other than NSA using the vulnerabilities they deliver all over the place. Many people have pointed out that they are wrong, but they continue to be in denial. Ditto many national leaders which support the FBI doing the same thing. So it does not matter what OPM did to fix that breach; they can be sure that thanks to NSA, FBI and other government intelligence and law enforcement agencies, there will be more vulnerabilities delivered in the future.
https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

Panama Papers group: https://www.linkedin.com/groups/8508998

------------------------------

Date: Mon, 30 May 2016 17:40:05 -0700
From: David Brodbeck <david.m.brodbeck () gmail com>
Subject: Re: Major Cell Phone Radiation Study Reignites Cancer Questions

One thing that immediately stood out for me, in the cell phone study, was they claim to have found a link between cell phone radiation and cancer for CDMA signals, but not for GSM signals. If there were a link, I would expect it to potentially be sensitive to power level or frequency band, but definitely not to the protocol in use. To me this is a big red flag that the results may be statistical noise and not a sign of an actual effect.
------------------------------

Date: Mon, 30 May 2016 19:01:22 -0700
To: David Brodbeck <david.m.brodbeck () gmail com>
Subject: Re: Major Cell Phone Radiation Study Reignites Cancer Questions - notsp

Keep in mind that traditional CDMA is spread spectrum and traditional GSM is not.

------------------------------

Date: Sun, 29 May 2016 18:11:48 +0000
From: Jay Libove <libove () felines org>
Subject: Re: The risk of blaming the messenger

While I agree with Rogier Wolff's basic premise, I think that the specific example of the OKCupid dataset release is not appropriate.

It's one thing when "data is public", e.g., a single query can dump a shouldn't-have-been-accessible database. It's quite another to put in the effort of harvesting information (thousands, millions of queries), analyse it, create a report about its contents, and then publish it.

While one can reasonably criticise OKCupid profile holders for being upset that they could be discovered, and we must cast blame on developers and system engineers who leave systems vulnerable through common errors and negligence, one must criticise a "researcher" who violates the intended use, Terms of Service, privacy, and almost surely law in a case such as this. It was irresponsible and unethical, civilly culpable, and quite probably criminal.

Jay Libove, CISSP, CIPP/US, CIPT, CISM
Barcelona, Spain

------------------------------

Date: Sat, 04 Jun 2016 21:45:32 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: France's Guillotining of Global Free Speech (RISKS-29.54)

By chance I have a book to hand called the "Shorter Illustrated History Of The World" by J M Roberts (pub 1993). The section on the French Revolution includes this:

  '... the revolution was a touchstone of political opinions. If you were for the revolution... you probably believed in free speech and the wickedness of press censorship... if you were against the revolution, you looked for strong government... you believed it was wicked to allow the spread of harmful opinion, and you thought discipline and good order more important than personal freedom.'

So it seems that the world is divided into those who feel that liberty is a nice idea as long as it doesn't get too much in the way of the government running things, and those who feel that protecting liberty should be what government is all about.

By the way, as many RISKS readers will know, we in the UK are due to have a referendum on June 23rd about our membership of the EU. Much of the debate has been about financial matters, but personally I feel that a big problem is the culture clash between us Brits and our 'Anglo-Saxon' ways, and the other European countries (e.g. RTBF).

------------------------------

Date: Thu, 2 Jun 2016 09:13:44 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The Oracle Effect: 'isis'

The Daily WTF via NNSquad
http://thedailywtf.com/articles/the-oracle-effect

  Even simple rituals can feed into this Oracle Effect. For example, PayPal doesn't want to handle transactions for ISIS, which isn't unreasonable, but how do you detect which transactions are made by honest citizens, and which by militants? What about just blocking transactions containing the letters "isis"? This seems like a pretty simple algorithm, but think about the amount of data flowing through it, and suddenly, it picks up the air of ritual -- we have a magic incantation that keeps us from processing transactions for militants.

  Using algorithms and decision-support systems isn't bad. It's not even bad if they're complicated! They're solving a complicated problem, and we'd expect the resulting system to reflect at least some of that complexity. A recent conference hosted at NYU Law spent time discussing how we could actually avoid biases in policing by using well-designed algorithms, despite also pointing out the risks and dangers to human rights. These sorts of decision-making tools can make things better -- or worse. They're just a tool.

------------------------------

Date: Sat, 4 Jun 2016 15:47:48 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Re: The Oracle Effect: 'isis'

How about these words, ending in "isis", all verboten!

anaclisis anacrisis anagnorisis anticrisis aphanisis arthrocleisis arthroclisis bronchiocrisis bronchophthisis cardioschisis celioschisis chorisis corocleisis craniorhachischisis cranioschisis crisis cystophthisis cystoschisis decisis diacrisis diaschisis eccrisis enclisis enterocleisis enteroclisis enterophthisis epicrisis erythrocytoschisis gastrophthisis gastroschisis hemophthisis heterogenisis hisis hypocrisis hysterocleisis iridencleisis isis karyoschisis laryngophthisis lithophthisis merisis minicrisis myelophthisis nephrophthisis ophthalmophthisis otocleisis pachisis palatoschisis panmyelophthisis parisis phthisis plasmaphoresisis pneumonophthisis proclisis prosoposchisis pylorocleisis rachischisis serophthisis splenocleisis spondyloschisis staphyloschisis syncrisis synezisis thoracoceloschisis thoracogastroschisis thoracoschisis tracheoschisis trichoschisis uranoschisis urophthisis

------------------------------

Date: Thu, 2 Jun 2016 08:03:39 -0400
From: Jack Christensen <christensen.jack.a () gmail com>
Subject: Re: Microsoft accused of Windows 10 upgrade "nasty trick" (Risks 29:54)

I've used Steve Gibson's "Never 10" utility on a half-dozen Windows 7 and 8.1 machines. It works as advertised and seems to be nicely implemented.
https://www.grc.com/never10.htm

------------------------------

Date: Sun, 29 May 2016 21:12:35 +1000
From: Craig Burton <craig.alexander.burton () gmail com>
Subject: Re: Another Risk of Self-Driving Cars; Clogged Highways?!? (Shapir, RISKS-29.53)
The main trouble is that when a main road is blocked, GPS may direct drivers through side streets -- which would quickly block much worse if hundreds of cars pour into them, all following the same instructions.
I agree -- this would then block up those alternative ways as well and the routing algorithm would not know what to do. This should not apply to self-driving cars. Ideally the car-router should learn to bunch up groups of self-driving cars and take control of the traffic lights(!) to interleave car groups and keep them moving (one known strategy).

I wonder if more of the traffic system being centrally automated will make it better or worse. I suspect people driving cars introduces a lot of entropy which would be removed by self-driving cars. This would seem to raise the risk of a pile of classic problems to do with lack of damping, to say the least?

------------------------------

Date: 29 May 2016 14:28:31 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Connected Car Security (Goldberg, RISKS-29.54)
Now, experts say, the same connectivity may also offer a solution to this cybersecurity problem, in the form of over-the-air updates. ...
Gack, choke. See Harold Feld's long but very well informed piece on DSRC. It's all about the spectrum squatting and monetizing your data, hardly if at all about car safety. Car companies have a history of completely failing at cybersecurity and the NHTSA, which is mandating DSRC, is no better.

http://www.wetmachine.com/tales-of-the-sausage-factory/how-dsrc-makes-us-less-safe-privacy-and-cybersecurity-part-1/

------------------------------

Date: 29 May 2016 13:49:17 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: In Oracle v. Google, a Nerd Subculture Is on Trial (RISKS-29.53)

By the way, Google won. The jury found that Google's use of Oracle's APIs was protected by fair use. Oracle of course says they'll appeal.
http://arstechnica.com/tech-policy/2016/05/google-wins-trial-against-oracle-as-jury-finds-android-is-fair-use/

If this ridiculous screed by one of Oracle's lawyers is any indication, Google doesn't have much to worry about.
http://arstechnica.com/tech-policy/2016/05/op-ed-oracle-attorney-says-googles-court-victory-might-kill-the-gpl/

  (Latter piece and its inanity also noted by LW.)

------------------------------

Date: 29 May 2016 13:44:54 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Theoretical Breakthrough Made in Random Number Generation
I believe you are referring to pseudorandom numbers, not random numbers. Big difference.
A few moments spent looking at the article confirms that they're talking about actual random numbers. To get random numbers, you need to start with an entropy source, but it's hard to find high quality sources, particularly if you need a lot of random numbers. This paper describes a new way to take two low quality sources and create a high-quality source from them.

https://threatpost.com/academics-make-theoretical-breakthrough-in-random-number-generation/118150/

------------------------------

Date: Tue, 10 May 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.

=> OFFICIAL ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html --> VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.55
************************