RISKS Forum mailing list archives

Risks Digest 30.04


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 20 Dec 2016 14:53:30 PST

RISKS-LIST: Risks-Forum Digest  Tuesday 20 December 2016  Volume 30 : Issue 04

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.04>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
U.S. House Encryption Working Group report (PGN)
Project Wycheproof -- Crypto Check Libraries (Google)
Russian Hackers Stole Millions a Day With Bots and Fake Sites (Vindu Goel)
UK Police must be given power to shut websites (The Standard via
  Chris Drewe)
Rail Crossing Warnings Are Sought for Mapping Apps (The New York Times)
California DMV Calls Uber's San Francisco Self-Driving Cars Illegal
  (Bloomberg)
The states of texting and driving in the U.S. (Ars Technica)
Inside LeakedSource and Its Database of Hacked Accounts (WiReD)
Integrity and correctness of Internet information (sur-behoffski)
Re: SHAME ON YOU, GOOGLE! (Martin Ward)
Re: U.S. feds cyberattack U.S. states (Dick Mills)
Re: Audi Cars Now Talk To Stop Lights In Vegas (Anthony Youngman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 20 Dec 2016 13:40:49 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: U.S. House Encryption Working Group report

The U.S. House Judiciary Committee and House Energy and Commerce Committee
Encryption Working Group has released its Year-End Report.  It makes four
specific observations:

1. Any measure that weakens encryption works against the national interest.

2. Encryption technology is a global technology that is widely and
   increasingly available around the world.

3. The variety of stakeholders, technologies, and other factors create
   different and divergent challenges with respect to encryption and the
   ``going dark'' phenomenon, and therefore there is no one-size-fits-all
   solution to the encryption challenge.

4. Congress should foster cooperation between the law enforcement community
   and technology companies.

https://judiciary.house.gov/wp-content/uploads/2016/12/20161220EWGFINALReport.pdf

These observations are pithy and relevant to other nations as well.  The
Keys Under Doormats report (RISKS-28.75) appears to have had considerable
influence on the committee, and is cited on the first text page of their
report.

  [Reminder: The subsequent published version of that report is available
  online: Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh,
  Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau,
  Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier,
  Michael Specter, Daniel J. Weitzner, Keys Under Doormats: Mandating
  Insecurity by Requiring Government Access to All Data and Communications,
  published in the Journal of Cybersecurity, vol 1 no 1, Oxford University
  Press, 17 November 2015.
    http://www.cybersecurity.oxfordjournals.org/content/1/1/69
  The authors received the 2016 Pioneer Award (given annually by the
  Electronic Freedom Foundation) for the paper.]

------------------------------

Date: Mon, 19 Dec 2016 19:17:09 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Project Wycheproof -- Crypto Check Libraries (Google)

GoogleBlog via NNSquad
https://security.googleblog.com/2016/12/project-wycheproof.html

  We're excited to announce the release of Project Wycheproof, a set of
  security tests that check cryptographic software libraries for known
  weaknesses. We've developed over 80 test cases which have uncovered more
  than 40 security bugs (some tests or bugs are not open sourced today, as
  they are being fixed by vendors). For example, we found that we could
  recover the private key of widely-used DSA and ECDHC implementations.  We
  also provide ready-to-use tools to check Java Cryptography Architecture
  providers such as Bouncy Castle and the default providers in OpenJDK.

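The announcement above describes tests that probe a library with both known-answer vectors and deliberately malformed inputs. The following is an added illustration of that approach, not Google's Project Wycheproof code or its vector format: it drives an HMAC-SHA256 verifier with two RFC 4231 known-answer vectors plus constructed negative cases (bit flips, truncation, empty and over-long tags). The `tcId`/`result` field names are assumptions made here for readability, and `weak_verify_hmac_sha256` is a constructed, deliberately flawed verifier that accepts truncated tags, so the harness flags it while the standard-library verifier passes.

```python
"""Known-answer plus negative-vector tests for an HMAC-SHA256 verifier.

Added example, not Project Wycheproof's code.  The two "valid" vectors are
RFC 4231 test cases 1 and 2; the "invalid" ones are constructed here.
"""
import hashlib
import hmac


def verify_hmac_sha256(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Accept only a full-length tag that matches, compared in constant time."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if len(tag) != len(expected):          # reject truncated or extended tags
        return False
    return hmac.compare_digest(expected, tag)


def weak_verify_hmac_sha256(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constructed flaw: accepts any non-empty prefix of the real tag,
    so a 1-byte tag would be accepted with probability 1/256."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return len(tag) > 0 and hmac.compare_digest(expected[: len(tag)], tag)


# Known-answer vectors from RFC 4231 (HMAC-SHA-256, test cases 1 and 2).
KAT_VECTORS = [
    {"tcId": 1, "key": bytes.fromhex("0b" * 20), "msg": b"Hi There",
     "tag": bytes.fromhex(
         "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
     "result": "valid"},
    {"tcId": 2, "key": b"Jefe", "msg": b"what do ya want for nothing?",
     "tag": bytes.fromhex(
         "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
     "result": "valid"},
]


def build_test_vectors():
    """Return the KATs followed by constructed invalid variants of each."""
    vectors = [dict(v) for v in KAT_VECTORS]
    next_id = max(v["tcId"] for v in vectors) + 1
    for v in KAT_VECTORS:
        tag = v["tag"]
        negatives = [
            ("single bit flipped in tag", bytes([tag[0] ^ 0x01]) + tag[1:]),
            ("tag truncated to 8 bytes", tag[:8]),
            ("empty tag", b""),
            ("tag extended by one byte", tag + b"\x00"),
        ]
        for comment, bad_tag in negatives:
            vectors.append({"tcId": next_id, "key": v["key"], "msg": v["msg"],
                            "tag": bad_tag, "result": "invalid",
                            "comment": comment})
            next_id += 1
    return vectors


def run_vectors(verify, vectors=None):
    """Return [(tcId, comment)] for every vector where the verifier's verdict
    disagrees with the expected result; an empty list means all passed."""
    if vectors is None:
        vectors = build_test_vectors()
    failures = []
    for v in vectors:
        accepted = verify(v["key"], v["msg"], v["tag"])
        if accepted != (v["result"] == "valid"):
            failures.append((v["tcId"], v.get("comment", "known-answer vector")))
    return failures


if __name__ == "__main__":
    for name, fn in (("stdlib verifier", verify_hmac_sha256),
                     ("weak verifier", weak_verify_hmac_sha256)):
        print(f"{name}: failing vectors = {run_vectors(fn)}")
```

Running the script reports no failures for the standard-library verifier and exactly the two "tag truncated" vectors for the weak one; the negative cases are what distinguish a library that merely computes the right MAC from one that also refuses the inputs it must not accept.
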
------------------------------

Date: Tue, 20 Dec 2016 12:56:52 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Russian Hackers Stole Millions a Day With Bots and Fake Sites
  (Vindu Goel)

Vindu Goel, *The New York Times*, via NNSquad
http://mobile.nytimes.com/2016/12/20/technology/forgers-use-fake-web-users-to-steal-real-ad-revenue.html

  In a twist on the peddling of fake news to real people, researchers say
  that a Russian cyberforgery ring has created more than half a million fake
  Internet users and 250,000 fake websites to trick advertisers into
  collectively paying as much as $5 million a day for video ads that are
  never watched.  The fraud, which began in September and is still going on,
  represents a new level of sophistication among criminals who seek to
  profit by using bots -- computer programs that pretend to be people -- to
  cheat advertisers.

------------------------------

Date: Tue, 20 Dec 2016 21:36:04 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: UK Police must be given power to shut websites (The Standard)

Item in London UK *The Standard* newspaper, 16 Dec 2016
http://www.standard.co.uk/news/crime/police-must-be-given-power-to-shut-websites-in-child-abuse-and-revenge-porn-fight-a3422131.html

Police need new powers to shut websites and curb access to social media to
fight the threat of child abuse and revenge porn attacks, a chief constable
said today.  Stephen Kavanagh, the National Police Chiefs Council lead on
digital crime, said officers should also be ready to push the boundaries of
the law and sometimes go beyond what the regulations or courts accept to
protect the public from Internet offending.  Mr Kavanagh said he was deeply
concerned at the scale of the problem and felt the privacy lobby had been
allowed to dominate discussions for too long at the expense of public
safety. He insisted that a tougher law enforcement response, including
updated legislation, was needed.

The Internet is a hugely witty broad set of opinions but that should
not be blurred with the ability to buy drugs or guns, harass, share
imagery without consent or, worse, engage in the industrialising of
child abuse imagery.

On powers to access Internet communications, Mr Kavanagh said critics were
wrong to label the legislation a Snoopers Charter and insisted existing
rules contained some of the best regulation of police intrusive powers in
the world.  He said, however, that officers should be prepared to risk
occasionally stepping beyond the limits of the law and added: Police tend to
be too cautious about how they can use those powers to protect the public.

  Um... what about sites outside the UK?

------------------------------

Date: Tue, 20 Dec 2016 07:43:06 -0500
From: Monty Solomon <monty () roscom com>
Subject: Rail Crossing Warnings Are Sought for Mapping Apps

http://www.nytimes.com/2016/12/19/technology/google-digital-maps-railroad-crossings-ntsb.html

The National Transportation Safety Board asked tech companies to add the
locations of grade crossings into digital maps and to provide alerts for
drivers.

------------------------------

Date: Tue, 20 Dec 2016 08:58:15 -0500
From: Monty Solomon <monty () roscom com>
Subject: California DMV Calls Uber's San Francisco Self-Driving Cars Illegal

https://www.bloomberg.com/news/articles/2016-12-15/california-dmv-calls-uber-s-san-francisco-self-driving-cars-illegal

------------------------------

Date: Mon, 19 Dec 2016 08:54:28 -0500
From: Monty Solomon <monty () roscom com>
Subject: The states of texting and driving in the U.S. (Ars Technica)

http://arstechnica.com/cars/2016/12/the-states-of-texting-and-driving-in-the-us/

------------------------------

Date: Tue, 20 Dec 2016 10:04:38 -0500
From: Monty Solomon <monty () roscom com>
Subject: Inside LeakedSource and Its Database of Hacked Accounts (WiReD)

https://www.wired.com/2016/12/inside-leakedsource-database-3-billion-hacked-accounts/

------------------------------

Date: Wed, 21 Dec 2016 06:22:13 +1030
From: sur-behoffski <sur_behoffski () grouse com au>
Subject: Integrity and correctness of Internet information

Here's the advice I give to people relating to interacting with Internet
resources:

  "There's lots of information on the Internet.  Some of it's even true!"

------------------------------

Date: Tue, 20 Dec 2016 13:21:05 +0000
From: Martin Ward <martin () gkc org uk>
Subject: Re: SHAME ON YOU, GOOGLE! (Burton, RISKS-30.03)

Either that or we all sit down and write competing web pages ...

If many people do this, then these hundreds of pages will all end up off the
top page of results since they will "split the vote".

To "game" Google so that your preferred answer to a question becomes the top
hit, you need to select *one* page with that answer and get as many people
as possible to link to that page.

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin () gkc org uk  http://www.cse.dmu.ac.uk/~mward/

------------------------------

Date: Tue, 20 Dec 2016 13:29:57 -0500
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: U.S. feds cyberattack U.S. states (Al Mac, RISKS-30.03)

The U.S. state of Georgia traces 10 cyberattacks to U.S. federal agency DHS
(Dept of Homeland Security).

It really gets dicey when this attribution is coupled with what is called
"active defense" or "hack back".  That is when a hacking victim invades the
hacker's computers to investigate, or to deter, or to claw back stolen
information.  Is hack-back a felony if the hacker is the US government?
What about when attribution goes to an enemy or allied foreign state?

I suspect that the reason that the US government seems so reluctant to
sanction foreign state hackers is that the US government is itself among the
world's biggest hackers.  If we retaliate, we invite others to do the same to
us, and we are said to have the most to lose.

Apropos *The long history of the U.S. interfering with elections elsewhere*:

https://www.washingtonpost.com/news/worldviews/wp/2016/10/13/the-long-history-of-the-u-s-interfering-with-elections-elsewhere

------------------------------

Date: Tue, 20 Dec 2016 19:34:59 +0000
From: Anthony Youngman <antlists () youngman org uk>
Subject: Re: Audi Cars Now Talk To Stop Lights In Vegas (Bos, RISKS-30.03)

On 20/12/16 00:21, RISKS List Owner wrote:
Of course, there are already drivers who turn off their engines at traffic
lights.

And there are vehicles that automatically turn themselves off now ...

I've recently started driving an "ecotec" van, and when I stop at the lights
and engage neutral (as drivers should!) the engine will stop of its own
accord.  Pushing the clutch down to engage gear triggers an automatic
restart.  imho (as a user of this technology) this is not a problem, as a
properly functioning car (yes, I know ...) would restart without the
driver's active intervention.

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.04
************************