RISKS Forum mailing list archives
Risks Digest 30.04
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 20 Dec 2016 14:53:30 PST
RISKS-LIST: Risks-Forum Digest  Tuesday 20 December 2016  Volume 30 : Issue 04

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.04>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
U.S. House Encryption Working Group report (PGN)
Project Wycheproof -- Crypto Check Libraries (Google)
Russian Hackers Stole Millions a Day With Bots and Fake Sites (Vindu Goel)
UK Police must be given power to shut websites (The Standard via Chris Drewe)
Rail Crossing Warnings Are Sought for Mapping Apps (The New York Times)
California DMV Calls Uber's San Francisco Self-Driving Cars Illegal (Bloomberg)
The states of texting and driving in the U.S. (Ars Technica)
Inside LeakedSource and Its Database of Hacked Accounts (WiReD)
Integrity and correctness of Internet information (sur-behoffski)
Re: SHAME ON YOU, GOOGLE! (Martin Ward)
Re: U.S. feds cyberattack U.S. states (Dick Mills)
Re: Audi Cars Now Talk To Stop Lights In Vegas (Anthony Youngman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 20 Dec 2016 13:40:49 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: U.S. House Encryption Working Group report

The U.S. House Judiciary Committee and House Energy and Commerce Committee Encryption Working Group has released its Year-End Report.  It makes four specific observations:

1. Any measure that weakens encryption works against the national interest.
2. Encryption technology is a global technology that is widely and increasingly available around the world.
3. The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the ``going dark'' phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge.
4. Congress should foster cooperation between the law enforcement community and technology companies.

https://judiciary.house.gov/wp-content/uploads/2016/12/20161220EWGFINALReport.pdf

These observations are pithy and relevant to other nations as well.  The Keys Under Doormats report (RISKS-28.75) appears to have had considerable influence on the committee, and is cited on the first text page of their report.

  [Reminder: The subsequent published version of that report is available online:
  Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, Daniel J. Weitzner, Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications, published in the Journal of Cybersecurity, vol 1 no 1, Oxford University Press, 17 November 2015.
  http://www.cybersecurity.oxfordjournals.org/content/1/1/69
  The authors received the 2016 Pioneer Award (given annually by the Electronic Freedom Foundation) for the paper.]

------------------------------

Date: Mon, 19 Dec 2016 19:17:09 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Project Wycheproof -- Crypto Check Libraries (Google)

GoogleBlog via NNSquad
https://security.googleblog.com/2016/12/project-wycheproof.html

We're excited to announce the release of Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses.  We've developed over 80 test cases which have uncovered more than 40 security bugs (some tests or bugs are not open sourced today, as they are being fixed by vendors).  For example, we found that we could recover the private key of widely-used DSA and ECDHC implementations.  We also provide ready-to-use tools to check Java Cryptography Architecture providers such as Bouncy Castle and the default providers in OpenJDK.

------------------------------

Date: Tue, 20 Dec 2016 12:56:52 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Russian Hackers Stole Millions a Day With Bots and Fake Sites (Vindu Goel)

Vindu Goel, *The New York Times*, via NNSquad
http://mobile.nytimes.com/2016/12/20/technology/forgers-use-fake-web-users-to-steal-real-ad-revenue.html

In a twist on the peddling of fake news to real people, researchers say that a Russian cyberforgery ring has created more than half a million fake Internet users and 250,000 fake websites to trick advertisers into collectively paying as much as $5 million a day for video ads that are never watched.  The fraud, which began in September and is still going on, represents a new level of sophistication among criminals who seek to profit by using bots -- computer programs that pretend to be people -- to cheat advertisers.

------------------------------

Date: Tue, 20 Dec 2016 21:36:04 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: UK Police must be given power to shut websites (The Standard)

Item in London UK *The Standard* newspaper, 16 Dec 2016
http://www.standard.co.uk/news/crime/police-must-be-given-power-to-shut-websites-in-child-abuse-and-revenge-porn-fight-a3422131.html

Police need new powers to shut websites and curb access to social media to fight the threat of child abuse and revenge porn attacks, a chief constable said today.  Stephen Kavanagh, the National Police Chiefs Council lead on digital crime, said officers should also be ready to push the boundaries of the law and sometimes go beyond what the regulations or courts accept to protect the public from Internet offending.  Mr Kavanagh said he was deeply concerned at the scale of the problem and felt the privacy lobby had been allowed to dominate discussions for too long at the expense of public safety.  He insisted that a tougher law enforcement response, including updated legislation, was needed.  "The Internet is a hugely witty broad set of opinions but that should not be blurred with the ability to buy drugs or guns, harass, share imagery without consent or, worse, engage in the industrialising of child abuse imagery."  On powers to access Internet communications, Mr Kavanagh said critics were wrong to label the legislation a Snoopers Charter and insisted existing rules contained some of the best regulation of police intrusive powers in the world.  He said, however, that officers should be prepared to risk occasionally stepping beyond the limits of the law and added: "Police tend to be too cautious about how they can use those powers to protect the public."

Um... what about sites outside the UK?

------------------------------

Date: Tue, 20 Dec 2016 07:43:06 -0500
From: Monty Solomon <monty () roscom com>
Subject: Rail Crossing Warnings Are Sought for Mapping Apps

http://www.nytimes.com/2016/12/19/technology/google-digital-maps-railroad-crossings-ntsb.html

The National Transportation Safety Board asked tech companies to add the locations of grade crossings into digital maps and to provide alerts for drivers.

------------------------------

Date: Tue, 20 Dec 2016 08:58:15 -0500
From: Monty Solomon <monty () roscom com>
Subject: California DMV Calls Uber's San Francisco Self-Driving Cars Illegal

https://www.bloomberg.com/news/articles/2016-12-15/california-dmv-calls-uber-s-san-francisco-self-driving-cars-illegal

------------------------------

Date: Mon, 19 Dec 2016 08:54:28 -0500
From: Monty Solomon <monty () roscom com>
Subject: The states of texting and driving in the U.S. (Ars Technica)

http://arstechnica.com/cars/2016/12/the-states-of-texting-and-driving-in-the-us/

------------------------------

Date: Tue, 20 Dec 2016 10:04:38 -0500
From: Monty Solomon <monty () roscom com>
Subject: Inside LeakedSource and Its Database of Hacked Accounts (WiReD)

https://www.wired.com/2016/12/inside-leakedsource-database-3-billion-hacked-accounts/

------------------------------

Date: Wed, 21 Dec 2016 06:22:13 +1030
From: sur-behoffski <sur_behoffski () grouse com au>
Subject: Integrity and correctness of Internet information

Here's the advice I give to people relating to interacting with Internet resources:

  "There's lots of information on the Internet.  Some of it's even true!"

------------------------------

Date: Tue, 20 Dec 2016 13:21:05 +0000
From: Martin Ward <martin () gkc org uk>
Subject: Re: SHAME ON YOU, GOOGLE! (Burton, RISKS-30.03)
> Either that or we all sit down and write competing web pages ...

If many people do this, then these hundreds of pages will all end up off the top page of results since they will "split the vote".  To "game" Google so that your preferred answer to a question becomes the top hit, you need to select *one* page with that answer and get as many people as possible to link to that page.

Dr Martin Ward, STRL Principal Lecturer & Reader in Software Engineering
martin () gkc org uk  http://www.cse.dmu.ac.uk/~mward/

------------------------------

Date: Tue, 20 Dec 2016 13:29:57 -0500
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: U.S. feds cyberattack U.S. states (Al Mac, RISKS-30.03)
> The U.S. state of Georgia traces 10 cyberattacks to U.S. federal agency DHS (Dept of Homeland Security).

It really gets dicey when this attribution is coupled with what is called "active defense" or "hack back".  That is when a hacking victim invades the hacker's computers to investigate, or to deter, or to claw back stolen information.  Is hack-back a felony if the hacker is the US government?  What about when attribution goes to an enemy or allied foreign state?

I suspect that the reason that the US government seems so reluctant to sanction foreign state hackers is that the US government is itself among the world's biggest hackers.  If we retaliate, we invite others to do the same to us, and we are said to have the most to lose.

Apropos: The long history of the U.S. interfering with elections elsewhere:
https://www.washingtonpost.com/news/worldviews/wp/2016/10/13/the-long-history-of-the-u-s-interfering-with-elections-elsewhere

------------------------------

Date: Tue, 20 Dec 2016 19:34:59 +0000
From: Anthony Youngman <antlists () youngman org uk>
Subject: Re: Audi Cars Now Talk To Stop Lights In Vegas (Bos, RISKS-30.03)

On 20/12/16 00:21, RISKS List Owner wrote:
> Of course, there are already drivers who turn off their engines at traffic lights.

And there are vehicles that automatically turn themselves off now ...  I've recently started driving an "ecotec" van, and when I stop at the lights and engage neutral (as drivers should!) the engine will stop of its own accord.  Pushing the clutch down to engage gear triggers an automatic restart.

imho (as a user of this technology) this is not a problem, as a properly functioning car (yes, I know ...) would restart without the driver's active intervention.

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
 Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.04
************************