Risks Digest 29.61
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 15 Jul 2016 16:14:23 PDT
RISKS-LIST: Risks-Forum Digest  Friday 15 July 2016  Volume 29 : Issue 61

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.61.html>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Continuing to catch up.  Backlog was over 120 submissions.  PGN]
New Micro-Cameras... Pose Surveillance Concerns (SlashDot)
Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks (SlashDot)
UK surveillance bill includes powers to limit end-to-end encryption (Techcrunch)
UK cops routinely raided police databases to satisfy personal interest or
  make money on the side (BoingBoing)
America Expands Its Freedom of Information Act (SlashDot)
China restricts online news sites from sourcing stories on social media
  (Ars Technica)
American Cities Are Installing DHS-Funded Audio Surveillance
  (Christian Science Monitor)
Europol's online censorship unit is haphazard and unaccountable says NGO
  (Ars Technica)
Facebook/Twitter/YouTube blocked in Turkey during coup attempt (Techcrunch)
"Facebook wins appeal over tracking non-members in Belgium" (Peter Sayer)
Bulgaria Got a Law Requiring Open Source (Bozhidar Bozhanov via Henry Baker)
"US courts didn't reject a single wiretap request in 2015" (Zack Whittaker)
"Fearing surveillance, man allegedly shot at Google and set self-driving car
  ablaze" (Martyn Williams)
"Eyefi leaves some card owners stranded, highlighting IoT hazards"
  (Stephen Lawson)
Liability of Internet 'intermediaries' in developing countries (Science Daily)
Spam filters and state departments and Clintons--oh, my! (Rob Slade)
FBI director says Guccifer admitted he lied about hacking Hillary Clinton's
  email (Daily Dot)
Re: "We mustn't open a chasm with Europe on data protection" (Chris Drewe)
Re: "Over half of world's top domains weak against email spoofing"
  (John Levine)
Re: Great, Now Someone Can Steal Your Car Using A Laptop Computer
  (Lars Poulsen)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 29 Jun 2016 21:48:52 +0200
From: Werner <werneru () gmail com>
Subject: New Micro-Cameras... Pose Surveillance Concerns (SlashDot)

Micro-Camera Can Be Injected With A Syringe -- May Pose Surveillance Concerns
<https://science.slashdot.org/story/16/06/28/2041249/micro-camera-can-be-injected-with-a-syringe----may-pose-surveillance-concerns>
(Posted by BeauHD on Tuesday June 28, 2016)

Taco Cowboy quotes a report from ABC Online:

German engineers have created a camera no bigger than a grain of salt
<http://www.abc.net.au/news/2016-06-28/3d-printed-injectable-micro-camera/7548966>
...that could change the future of health imaging -- and clandestine surveillance.

Using 3D printing, researchers from the University of Stuttgart built a three-lens camera, and fit it onto the end of an optical fiber the width of two hairs. Such technology could be used as minimally-intrusive endoscopes for exploring inside the human body, the engineers reported in the journal Nature Photonics.
<http://www.nature.com/nphoton/journal/vaop/ncurrent/full/nphoton.2016.121.html>

The compound lens of the camera is just 100 micrometers (0.1 millimeters) wide, and 120 micrometers with its casing. It could also be deployed in virtually invisible security monitors, or mini-robots with "autonomous vision." The compound lens can also be printed onto image sensors other than optical fibers, such as those used in digital cameras.

The researchers said it only took a few hours to design, manufacture and test the camera, which yielded "high optical performances and tremendous compactness."
<http://phys.org/news/2016-06-micro-camera-syringe.html>
They believe the 3D printing method -- used to create the camera -- may represent "a paradigm shift."

------------------------------

Date: Wed, 29 Jun 2016 21:04:08 +0200
From: Werner <werneru () gmail com>
Subject: Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks
  (SlashDot)

(Posted by BeauHD on Monday June 27, 2016)
<https://news.slashdot.org/story/16/06/27/2157204/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks>

"A botnet of over 25,000 bots is at the heart of recent DDoS attacks that are ferociously attacking businesses across the world with massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites," reports Softpedia. This botnet's particularity is the fact that attacks never fluctuated and the attackers managed to keep a steady rhythm. This is not a classic botnet of infected computers that go on and off, but of compromised CCTV systems that are always on and available for attacks.
<http://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml>

The brands of CCTV DVRs involved in these attacks are the same highlighted in a report by a security researcher this winter, who discovered a backdoor in the firmware of 70 different CCTV DVR vendors.
<https://hardware.slashdot.org/story/16/03/24/002255/cctv-dvr-vulnerabilities-traced-to-chinese-oem-which-spurned-researchers-advice>
These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher and the issues were never fixed, leading to crooks creating this huge botnet.

------------------------------

Date: Fri, 15 Jul 2016 10:28:20 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK surveillance bill includes powers to limit end-to-end encryption
  (Techcrunch)

https://techcrunch.com/2016/07/15/uk-surveillance-bill-includes-powers-to-limit-end-to-end-encryption/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  The UK government has explicitly confirmed that a surveillance bill now making its way through the second chamber could be used to require a company to remove encryption. And even, in some circumstances, to force a comms service provider not to use end-to-end encryption to secure a future service they are developing. The details were revealed during debate of the Investigatory Powers Bill at a committee session in the House of Lords this week.

That's "limit it for honest users, not for crooks or terrorists who will of course continue to use strongly end-to-end encrypted apps." Great work UK! Continue sliding down that razor blade you're straddling.

------------------------------

Date: Tue, 5 Jul 2016 12:21:19 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK cops routinely raided police databases to satisfy personal interest
  or make money on the side (BoingBoing)

http://boingboing.net/2016/07/05/uk-cops-routinely-raided-polic.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  Between 2011-2015, there were more than 800 individual UK police personnel who raided official databases to amuse themselves, out of idle curiosity, or for personal financial gain; and over 800 incidents in which information was inappropriately leaked outside of the police channels. The incidents are reported in a new Big Brother Watch publication, which also reports that in most cases, no disciplinary action was taken against the responsible personnel, and only 3% resulted in criminal prosecution or conviction.

------------------------------

Date: Mon, 4 Jul 2016 22:57:38 +0200
From: Werner <werneru () gmail com>
Subject: America Expands Its Freedom of Information Act (SlashDot)

[ the RISKS of Finding Out more (the truth?) about those 'Interesting Years'...]

America Expands Its Freedom of Information Act
<https://yro.slashdot.org/story/16/07/04/0326207/america-expands-its-freedom-of-information-act>
(Posted by EditorDavid on Monday July 04, 2016)

An anonymous reader writes:

As America headed into its "Independence Day weekend," the U.S. Congress passed -- and President Obama signed -- the "FOIA Improvements Act of 2016".
<https://www.congress.gov/bill/114th-congress/senate-bill/337/>

It now establishes a "presumption of disclosure"
<https://www.whitehouse.gov/the_press_office/FreedomofInformationAct>
...by law, and will even allow the disclosure of "deliberative process" records after 25 years, meaning those records from the Reagan (and prior) administrations should now become open, according to the Washington Post.
<https://www.washingtonpost.com/opinions/foia-at-50/2016/07/03/6283af88-3fb0-11e6-a66f-aa6c1883b6b1_story.html>

In addition, the law also creates a comprehensive new "online request portal" for requesting records from all agencies, and even requires those agencies to make digital copies available for any records requested three or more times. "By updating FOIA for the digital age, our law puts more government information than ever before online
<https://www.leahy.senate.gov/press/statement-of-senator-patrick-leahy-on-presidential-signing-of-s-337-the-foia-improvement-act-of-2015>
...in a format familiar and accessible to the American people," said Senator Leahy, who sponsored the legislation. On the 50th anniversary of America's original Freedom of Information Act, Leahy added that "a government of, by, and for the people cannot be one that is hidden from them... "

EditorDavid comments: It's the law's 50th anniversary, and Leahy imagined a world 50 years in the future, when the next generation "will look back at this moment and gauge our commitment to the founding principles of our democracy. Let them see that we continued striving for a 'more perfect union' by strengthening the pillar of transparency that holds our government accountable to 'We the People.'"

------------------------------

Date: July 4, 2016 at 11:22:52 AM EDT
From: Lauren Weinstein <lauren () vortex com>
Subject: China restricts online news sites from sourcing stories on social media
  (Ars Technica)

China restricts online news sites from sourcing stories on social media
http://arstechnica.com/tech-policy/2016/07/china-social-media-news-source-ban/

  The latest crackdown on Internet media comes just days after Xu Lin, formerly the deputy head of the Cyberspace Administration of China, replaced his boss, Lu Wei, as the guardian of China's online world. The SCMP notes: "Xu is regarded as one of President Xi Jinping's key supporters," and this move is seen as a further tightening of Xi's grip on cyberspace. Back in February, Ars reported on new regulations that made it much harder for Western media to operate in China. Before that, wide-ranging powers were introduced in 2015 to increase the authorities' control over the Internet in the country.

  [Werner also noted this topic, cited by manishs on SlashDot posts:]
<https://thestack.com/world/2016/06/28/china-tells-app-developers-to-increase-user-monitoring/>
<http://betanews.com/2016/03/06/china-surveillance-anti-terrorism/>
<http://betanews.com/2016/07/04/china-social-media-news-ban/>
<http://betanews.com/2016/05/20/china-fake-social-media-posts/>

------------------------------

Date: Tue, 5 Jul 2016 00:00:00 +0200
From: Werner <werneru () gmail com>
Subject: American Cities Are Installing DHS-Funded Audio Surveillance
  (Christian Science Monitor via SlashDot)

(Posted by EditorDavid on Sunday July 03, 2016)
<https://yro.slashdot.org/story/16/07/03/0913203/american-cities-are-installing-dhs-funded-audio-surveillance>

"Audio surveillance is increasingly being used on parts of urban mass transit systems," reports the Christian Science Monitor. SlashDot reader itwbennett writes "It was first reported in April that New Jersey had been using audio surveillance on some of its light rail lines, raising questions of privacy. This week, New Jersey Transit ended the program, following revelations that the agency 'didn't have policies governing storage and who had access to data.'"
<http://www.csoonline.com/article/3090502/security/big-brother-is-listening-as-well-as-watching.html>
<http://nj1015.com/nj-transit-defends-use-of-audio-surveillance-on-some-trains/>
<http://www.nj.com/traffic/index.ssf/2016/06/a_quiet_end_to_nj_transits_controversial_audio_surveillance_of_riders.html>
From the article:
New Jersey isn't the only state where you now have even more reason to want to ride in the quiet car. The Baltimore Sun reported in March that the Maryland Transit Administration has used audio recording on some of its mass transit vehicles since 2012.
<http://www.baltimoresun.com/news/maryland/bs-md-transit-recording-20160302-story.html>
It is now used on 65 percent of buses, and 82 percent of subway trains have audio recording capability, but don't use it yet, according to the Sun. And cities in New Hampshire, Connecticut, Michigan, Ohio, Nevada, Oregon and California have either installed systems or moved to procure them, in many cases with funding from the federal Department of Homeland Security.

------------------------------

Date: Mon, 4 Jul 2016 08:25:33 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Europol's online censorship unit is haphazard and unaccountable
  says NGO (Ars Technica)

via NNSquad
http://arstechnica.com/tech-policy/2016/07/europol-iru-extremist-content-censorship-policing/

  However AccessNow a global digital rights organisation said Europe's approach to dealing with online extremism is "haphazard, alarming, tone-deaf, and entirely counter-productive." According to AccessNow, "the IRU is outside the rule of law on several grounds. First, illegal content is just that--illegal. If law enforcement encounters illegal activity, be it online or off, it is expected to proceed in dealing with that in a legal, rights-respecting manner.

  "Second, relegating dealing with this illegal content to a third private party, and leaving analysis and prosecution to their discretion, is both not just lazy--but extremely dangerous. Third, illegal content, if truly illegal, needs to be dealt with that way: with a court order and subsequent removal. The IRU's blatant circumvention of the rule of law is in direct violation of international human rights standards."

------------------------------

Date: Fri, 15 Jul 2016 13:49:56 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook/Twitter/YouTube blocked in Turkey during coup attempt
  (Techcrunch)

Facebook, Twitter, and YouTube blocked in Turkey during reported coup attempt
https://techcrunch.com/2016/07/15/facebook-twitter-and-youtube-blocked-in-turkey-during-reported-coup-attempt/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  The Turkish military have deployed in Istanbul and Ankara, and the government has apparently blocked social media in response to what is being reported as an attempted coup. Turkey Blocks, a Twitter account that regularly checks if sites are being blocked in the country, reported at 1:04 PM Pacific (11:04 PM Istanbul time) that Facebook, Twitter, and YouTube were all unresponsive, though Instagram and Vimeo remained available.

------------------------------

Date: Thu, 30 Jun 2016 11:18:53 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Facebook wins appeal over tracking non-members in Belgium"
  (Peter Sayer)

Peter Sayer, ComputerWorld
The court also ruled that Belgian courts have no jurisdiction over Facebook
Ireland and its U.S. parent
http://www.computerworld.com/article/3090085/internet/facebook-wins-appeal-over-tracking-non-members-in-belgium.html

opening text:

Facebook can resume tracking Belgians online even if they don't have an account with the social network, an appeals court has ruled.

------------------------------

Date: Mon, 04 Jul 2016 16:14:44 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Bulgaria Got a Law Requiring Open Source (Bozhidar Bozhanov)

"... require all software written for the government to be open-source and to be developed as such in a public repository."

"With opening the source we hope to reduce those [security] incidents, and to detect bad information security practices in the development process, rather than when it's too late."

https://medium.com/@bozhobg/bulgaria-got-a-law-requiring-open-source-98bf626cf70a#

Bozhidar Bozhanov
Bulgaria Got a Law Requiring Open Source

Less than two years after my presentation titled "Open source for the government", and almost exactly one year after I became advisor to the deputy prime minister of Bulgaria, with the efforts of my colleagues and the deputy prime minister, the amendments to the Electronic Governance Act were voted in parliament and are now in effect. The amendments require all software written for the government to be open-source and to be developed as such in a public repository.

The text of the Electronic governance act can be found here. The particular article is 58a:

  Art. 58a. (New--SG. 50 of 2016, effective 01.07.2016) Upon preparation of technical and functional assignments for public procurement to develop, upgrade or implementation of information systems and e-services, administrative authorities must include the following requirements:
  1. when the subject of the contract includes the development of computer programs:
     a) computer programs must meet the criteria for open source software;
     b) all copyright and related rights on the relevant computer programs, their source code, the design of interfaces and databases which are subject to the order should arise for the principal in full, without limitations in the use, modification and distribution;
     c) development should be done in the repository maintained by the Agency in accordance with Art. 7c pt. 18;

That does not mean that the whole country is moving to Linux and LibreOffice, neither does it mean the government demands Microsoft and Oracle to give the source to their products. Existing solutions are purchased on licensing terms and they remain unaffected (although we strongly encourage the use of open source solutions for that as well). It means that whatever custom software the government procures will be visible and accessible to everyone. After all, it's paid by tax-payers money and they should both be able to see it and benefit from it.

As for security--in the past "security through obscurity" was the main approach, and it didn't quite work--numerous vulnerabilities were found in government websites that went unpatched for years, simply because a contract had expired. With opening the source we hope to reduce those incidents, and to detect bad information security practices in the development process, rather than when it's too late.

A new government agency is tasked with enforcing the law and with setting up the public repository (which will likely be mirrored to GitHub). The fact that something is in the law doesn't mean it's a fact, though. The programming community should insist on it being enforced. At the same time some companies will surely try to circumvent it. But in general, I think this is a good step for better government software and less abandonware and I hope other countries follow our somewhat "radical" approach of putting it in the law.

  [Also noted by Werner via manishs at SlashDot.  PGN]

------------------------------

Date: Thu, 30 Jun 2016 11:06:32 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "US courts didn't reject a single wiretap request in 2015"
  (Zack Whittaker)

Zack Whittaker for Zero Day, ZDNet, 30 Jun 2016
The number of wiretaps rocketed by 17 percent on the year prior.
http://www.zdnet.com/article/us-courts-did-not-reject-a-single-wiretap-last-year-says-new-report/

selected text:

The number of wiretaps authorized by the courts in 2015 rocketed compared to the year before, says a new report. But not a single wiretap request was rejected during 2015, the report showed.

The report doesn't take into account classified national security requests, which typically involve terrorism, submitted to the Foreign Intelligence Surveillance Court, which were already reported earlier this year. The government received 1,457 requests from the National Security Agency and the Federal Bureau of Investigation to intercept phone calls and emails last year, but it too did not reject a single order.

------------------------------

Date: Wed, 06 Jul 2016 10:11:23 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Fearing surveillance, man allegedly shot at Google and set
  self-driving car ablaze" (Martyn Williams)

Martyn Williams, PC World, 5 Jul 2016
Fearing surveillance, man allegedly shot at Google and set self-driving car
ablaze; Police arrest Oakland man near Google headquarters with pipe bomb,
firearms in car.
http://www.pcworld.com/article/3091864/internet-of-things/fearing-surveillance-man-allegedly-shot-at-google-and-set-self-driving-car-ablaze.html

selected text:

A man who told police he feared surveillance by Google has been arrested and charged with arson after one of the company's self-driving cars was destroyed in an attack in June.

...

They became suspicious because his car matched that spotted at the scene of several attacks on the company over the preceding six weeks.

The first, on May 19, saw several Molotov cocktails thrown at a Google Street View vehicle that was parked in a company lot in Mountain View. The resulting fire didn't damage the car because the bottles bounced off it, but the ground nearby was burnt.

A second incident on June 4 occurred late at night when someone fired shots at a Google building in Mountain View. Police found five holes in windows and damage to window frames.

The third happened on June 10 in the middle of the night when a male in a similar car used a squirt gun to set alight a Google self-driving car. The car was destroyed in the fire. Further linking the three crimes, the driver parked in the same spot as in the original incident and was in a similar car.

------------------------------

Date: Fri, 01 Jul 2016 14:58:55 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Eyefi leaves some card owners stranded, highlighting IoT hazards"
  (Stephen Lawson)

Stephen Lawson, PC World, 30 Jun 2016
http://www.pcworld.com/article/3090513/eyefi-leaves-some-card-owners-stranded-highlighting-iot-hazards.html
Eyefi leaves some card owners stranded, highlighting IoT hazards
Ending support for some older Wi-Fi flash cards will make them nearly useless

selected text:

Older networked flash cards from Eyefi will become the next IoT devices to effectively die in consumers' hands when the company cuts off support for older models in September.

The move came just days after Eyefi's cloud technology was acquired by camera and imaging company Ricoh. It sparked outrage among many users, some of them vowing never to buy another Eyefi product.

------------------------------

Date: Sun, 3 Jul 2016 15:59:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Liability of Internet 'intermediaries' in developing countries
  (Science Daily)

via NNSquad
https://www.sciencedaily.com/releases/2016/06/160630145018.htm

  If someone posts illegal content on your website, are you liable? A new project addresses that question by examining the potential liability faced by website owners and other online service providers in five countries - Brazil, Russia, India, China and Thailand. The project provides new insight on the murky area of Internet intermediary liability in developing countries.

------------------------------

Date: Wed, 29 Jun 2016 08:58:19 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Spam filters and state departments and Clintons--oh, my!

In the past couple of weeks, I have noticed a huge number of "news" articles about spam filters being turned off while Hillary Clinton was Secretary of State. For example:
http://arstechnica.com/information-technology/2016/06/clintons-private-e-mail-was-blocked-by-spam-filters-so-state-it-turned-them-off/

To summarize: Hillary Clinton and her staff were having difficulty communicating with State Department officials by e-mail because spam filters were blocking their messages. To fix the problem, State Department IT turned the filters off.

I assume that this spate of articles is prompted by political motivations. I assume that, because this type of action is normal operating procedure for anyone involved in infosec.

Spam filters stop legitimate email getting through? You stop those filters, until you can get better ones. Your door lock is broken? You leave the door unlocked until you can get a locksmith in. A safeguard, control, or countermeasure is preventing normal operations? You shut down that control and look for something better: something that will prevent attacks, but won't impede normal work.

I am not surprised to see this type of furor in the general media. After all, we know that most reporters simply don't understand anything about security. However, I am astounded to see this report resurfacing and being recirculated by those who should know better.

rslade () vcn bc ca  slade () victoria tc ca  rslade () computercrime org
victoria.tc.ca/techrev/rms.htm
http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: Thu, 7 Jul 2016 18:41:14 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: FBI director says Guccifer admitted he lied about hacking Hillary
  Clinton's email (Daily Dot)

NNSquad
http://www.dailydot.com/layer8/guccifer-clinton-server-hack-lie/

  The Romanian hacker known as Guccifer admitted to the FBI that he lied to the public when he said he repeatedly hacked into Hillary Clinton's email server in 2013. Guccifer, real name Marcel Lehel Lazar, told Fox News and NBC News in May 2016 about his alleged hacking. Despite offering no proof, the claim caused a huge stir, including making headline news on some of America's biggest publications. FBI Director James Comey testified under oath before Congress on Thursday that Guccifer never hacked into Clinton's servers and in fact admitted that he lied.

------------------------------

Date: Fri, 01 Jul 2016 21:29:55 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: "We mustn't open a chasm with Europe on data protection"

Item in newspaper about new EU data-protection law may be of interest ("Brexit" is the UK's referendum vote to leave the EU):
http://www.telegraph.co.uk/technology/2016/06/30/we-mustnt-let-brexit-open-a-chasm-with-europe-on-data-protection/

We mustn't let Brexit open a chasm with Europe on data protection
=================================================================
In less than two years a massive new piece of EU data law, known as the General Data Protection Regulation, will come into force. The law, designed to replace the disparate collection of national data regimes, will enforce strict new rules and give new powers to data regulators. Businesses will have to obtain clear consent before processing citizens' information, disclose when data breaches occur, and could be fined up to 5pc of their global revenues for abuse of the regime. The law had been criticised for being too strict, but was set to be adopted wholeheartedly, and compliance would require a substantial investment at a time when budgets are squeezed.
...
European officials -- suspicious of the American Internet giants and their relationship with the US government -- have pushed for strong laws and fines on data protection and cybersecurity.
...
While technology has no borders, as one investor said last week, European law does have strict laws on transferring citizens' information outside of the bloc. Countries outside the EU that want data to freely flow across borders without complicated arrangements must convince Brussels that its privacy laws are up to scratch. Winning this approval is not easy, as the case of America's battle with the Austrian law student Max Schrems shows. Schrems successfully convinced the European Court of Justice last year to throw out Safe Harbour.
Not sure what this may mean for the big global Internet players like Google, Amazon, social-networking sites, and so forth -- if they have to make their entire operation EU-compliant OR have separate EU and non-EU operations and keep their EU data only in the EU part OR not have any business in the EU at all..? Looks like another culture clash between Europe and America.

As I recall from working in telecomms, it's somewhat reminiscent of the Sarbanes-Oxley measures for accounting which had to be implemented about 12 years ago; they were required for US companies, but also any others with interests in the US, i.e. most big firms. The problem was that designing compliance with Sarbanes-Oxley into new systems was no big deal, but re-engineering existing systems to meet the requirements was quite a challenge.

------------------------------

Date: 29 Jun 2016 11:34:46 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: "Over half of world's top domains weak against email spoofing"
  (Charlie Osborne, RISKS-29.53,56)

By using only a few lines of Python, the firm's researchers found that over 50 percent of top 500 Alexa websites were vulnerable to spoofing -- either through having no authentication configured or by having settings misconfigured.
This is a rather silly article. It just summarizes a third-party report, and the author of the report doesn't understand the way that SPF works. He is under the misimpression that using the SPF "softfail" option is a bug.

------------------------------

Date: July 6, 2016 at 8:14:06 PM EDT
From: Lars Poulsen <lars () beagle-ears com>
Subject: Re: Great, Now Someone Can Steal Your Car Using A Laptop Computer

[Via Dave Farber]

http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html

*The NY Times* says that one of the mechanisms for stealing newer cars (such as Prius) is to use an RF power amplifier to extend the reach of the key in your house (maybe in your pocket in the house, maybe on the kitchen counter). Normally the transceiver in the door handle has a range of a foot or so, but with the portable amplifier, this might be extended to 100 feet or more. This allows the thief to get in the car (with the key in your pocket, the door unlocks when you lift the door handle) then start the car (since the car thinks you have the key in your pocket). You can then drive away, but if the car is turned off, it will not start again (since the key is now too far away). Perfect for a teenage joyride.

------------------------------

Date: Tue, 10 May 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> OFFICIAL ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html --> VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.61
************************