RISKS Forum mailing list archives
Risks Digest 30.06
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 30 Dec 2016 11:51:15 PST
RISKS-LIST: Risks-Forum Digest  Friday 30 December 2016  Volume 30 : Issue 06

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.06>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Best wishes for the new year, sadly with lots more risks!]
FBI/DHS Unclassified Summary Technical Report re Russian Hacking Attacks
  on U.S. (Documentcloud)
How Russia Recruited Elite Hackers for Its Cyberwar (The NYTimes)
Obama Strikes Back at Russia for Election Hacking (The NYTimes)
It's Incredibly Easy to Tamper with Someone's Flight Plan, Anywhere on
  the Globe (Motherboard)
Pixel Security: Better, Faster, Stronger (GoogleBlog)
Advertising's Moral Struggle: Is Online Reach Worth the Hurt? (The NYTimes)
White House: Robots may take half of our jobs (Henry Baker)
"14 eyebrow-raising things Google knows about you" (JR Raphael)
German Fake News debate: "False Opinion" destabilizes (Thomas Koenig)
Facebook's Safety Check, Now Automated, Turns a Firecracker Into an
  Explosion (The NYTimes)
Britney Spears reminds fans she's very much alive after death hoax (USAToday)
Fake Academe, Looking Much Like the Real Thing (The NYTimes)
OSCE security monitors targeted by hackers (BBC)
Bid for Access to Amazon Echo Audio in Murder Case Raises Privacy Concerns
  (The NYTimes)
For Millions of Immigrants, a Common Language: WhatsApp (The NYTimes)
Why Some of Your Holiday Gifts Might Not Fly (The NYTimes)
Re: MSFT $927M tech support contract (John Levine)
Re: SHAME ON YOU, GOOGLE! (Bob Wilson)
Re: Is no place sacred from surveillance?
  (on Jenna Wortham via HB)
Scholarships for Women Studying Information Security (Jeremy Epstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Dec 2016 08:28:15 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: FBI/DHS Unclassified Summary Technical Report re Russian Hacking
  Attacks on U.S. (Documentcloud)

Documentcloud via NNSquad
https://assets.documentcloud.org/documents/3248260/DHS-FBI-analysis-of-Russian-hackers.pdf

------------------------------

Date: Thu, 29 Dec 2016 15:03:23 -0500
From: Monty Solomon <monty () roscom com>
Subject: How Russia Recruited Elite Hackers for Its Cyberwar

http://www.nytimes.com/2016/12/29/world/europe/how-russia-recruited-elite-hackers-for-its-cyberwar.html

The government scouted a wide range of civilian programmers in recent
years, even criminals, while expanding its cyberwarfare abilities.

While much about Russia's cyberwarfare program is shrouded in secrecy,
details of the government's effort to recruit programmers in recent years
-- whether professionals like Mr. Vyarya, college students, or even
criminals -- are shedding some light on the Kremlin's plan to create elite
teams of computer hackers.

------------------------------

Date: Thu, 29 Dec 2016 15:03:01 -0500
From: Monty Solomon <monty () roscom com>
Subject: Obama Strikes Back at Russia for Election Hacking

http://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html

The Obama administration said it was tossing out 35 intelligence operatives
and imposing sanctions on Russian intelligence services and officers.

  [Editorial comment: We must always remember that the allegedly secure
  systems on which we must depend are nowhere near secure enough.
  Furthermore, security is often compromised by simple social engineering
  and other low-hanging bad fruit, irrespective of the technology.
  Nevertheless, nation-state hacking into other nations' systems is
  reprehensible.  However, it is very likely to happen -- especially as
  long as one's system and network security is so weak, and one's overall
  national computer literacy is so inadequate.  PGN]

------------------------------

Date: Tue, 27 Dec 2016 11:12:19 -0500
From: Monty Solomon <monty () roscom com>
Subject: It's Incredibly Easy to Tamper with Someone's Flight Plan,
  Anywhere on the Globe

http://motherboard.vice.com/read/global-travel-booking-systems-open-to-fraud-and-abuse

  [This involves a decades-old back-end Global Distribution system that is
  hopelessly vulnerable and is being regularly exploited.  No meaningful
  authentication.  Almost all you need is the six-character reservation
  code.  Exploitable hacks were apparently being discussed on 27 Dec at the
  annual Chaos Communication Conference.  Legacy, schmegacy!  PGN]

------------------------------

Date: Mon, 26 Dec 2016 17:59:13 -0500
From: Monty Solomon <monty () roscom com>
Subject: Pixel Security: Better, Faster, Stronger

https://security.googleblog.com/2016/11/pixel-security-better-faster-stronger.html

------------------------------

Date: Tue, 27 Dec 2016 09:19:42 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Advertising's Moral Struggle: Is Online Reach Worth the Hurt?
  (The NYTimes)

NNSquad
http://www.nytimes.com/2016/12/26/business/media/advertising-online-ads-fake-news-google.html?partner=rss&emc=rss

  "Honestly, the long tail is to advertising what subprime was to
  mortgages," he said.  "No one knows what's in it, but it helps people
  believe that there is a mysterious tonnage of impressions that are
  really low cost.  But low-cost impressions would mean low-cost human
  attention.  How can any publisher of quality content survive on low-cost
  impressions?"

  Marc Goldberg, chief executive of Trust Metrics, an ad safety vendor,
  said the effort to remove bad actors ignored the fact that many
  advertisers value impressions over everything else.
  They would rather not choose and monitor what websites they are
  appearing on, he said, because they worry they will miss out on
  potentially lucrative destinations.  "What they're doing is introducing
  all of these bad sites into our ecosystem and not having the means to
  monitor them appropriately and effectively," he said.  "The big problem
  in our industry is our expectations of scale are not aligned with
  reality."

------------------------------

Date: Tue, 27 Dec 2016 14:13:10 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: White House: Robots may take half of our jobs

What are the risks of robots in the White House?  If a robot can drive, why
not a robot that tweets at 3am?  The White House could use more automation,
but could a robot deal with the lack of a "W" key?  Also, does a robot
require Senate confirmation?

https://secure.marketwatch.com/story/white-house-robots-may-take-half-of-our-jobs-and-we-should-embrace-it-2016-12-21
https://www.whitehouse.gov/sites/whitehouse.gov/files/documents/Artificial-Intelligence-Automation-Economy.PDF

White House: Robots may take half of our jobs
Will artificial intelligence have unintended consequences?

------------------------------

Date: Wed, 28 Dec 2016 09:27:03 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "14 eyebrow-raising things Google knows about you" (JR Raphael)

JR Raphael, *Computerworld*, 28 Dec 2016
Some are fascinating, others are frightening -- but here's how to find out
what Google has on you
http://www.infoworld.com/article/3150925/privacy/14-eyebrow-raising-things-google-knows-about-you.html

------------------------------

Date: Wed, 28 Dec 2016 15:37:03 +0100
From: Thomas Koenig <tkoenig () netcologne de>
Subject: German Fake News debate: "False Opinion" destabilizes

There is an amusing (or, alternatively, chilling) tidbit on the German
"fake news" debate.

Michael Grosse-Brömer is Parliamentary Chairman of the CDU, the party of
Chancellor Merkel.
He made a short video teaser for a TV broadcast on ZDF, the public-service
TV broadcaster, about "fake news".  In this, he said (my translation)

  "We have to take notice, supported by findings of journalists,
  scientists and intelligence agencies, that there are a lot of people on
  the Net who want to destabilize, who spread false opinion, who want to
  manipulate.  Politics has to deal with this, especially before election
  campaigns."

Yes, he said "spread false opinion" ("falsche Meinung verbreiten" in the
original German).

Viewer comments ranged from "Finally, a politician who speaks the truth" to
"Freudian slip, he said what he thinks, not what he wanted to say".

Interestingly enough, the ZDF pulled the video and resulting viewer
comments without comment or explanation.  Grosse-Brömer later stated on
Twitter that he meant to say "spread false reports" ("Falsche Meldungen
verbreiten").

In view of the efforts to create a "Ministry of Truth" within the German
government (see RISKS-30.05), this is rather chilling.

Here is the video, including the original sound track:
https://twitter.com/berlindirekt/status/809786307648036865

And here is some more analysis of his texts, in German:
http://www.tichyseinblick.de/meinungen/destabilisierende-falsche-meinung-bitte-was/

------------------------------

Date: Thu, 29 Dec 2016 19:45:27 -0500
From: Monty Solomon <monty () roscom com>
Subject: Facebook's Safety Check, Now Automated, Turns a Firecracker Into
  an Explosion

http://www.nytimes.com/2016/12/29/world/asia/facebook-safety-check-bangkok.html

The social network automatically linked to a bogus article about an
explosion in Thailand and appeared to conflate it with a 2015 bombing.
------------------------------

Date: Wed, 28 Dec 2016 10:57:50 -0500
From: Monty Solomon <monty () roscom com>
Subject: Britney Spears reminds fans she's very much alive after death hoax

http://www.usatoday.com/story/life/entertainthis/2016/12/27/britney-spears-tweets-death-hoax/95869094/

------------------------------

Date: Fri, 30 Dec 2016 10:14:58 -0500
From: Monty Solomon <monty () roscom com>
Subject: Fake Academe, Looking Much Like the Real Thing

Sham scholarly publications and academic conferences without rigor reflect
a legitimate problem: too many Ph.D. holders chasing too few credentials.

http://www.nytimes.com/2016/12/29/upshot/fake-academe-looking-much-like-the-real-thing.html

------------------------------

Date: Wed, 28 Dec 2016 10:20:38 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: OSCE security monitors targeted by hackers (BBC)

The OSCE (international monitoring organization) says its IT systems were
hit by cyberattackers.

------------------------------

Date: Thu, 29 Dec 2016 19:46:26 -0500
From: Monty Solomon <monty () roscom com>
Subject: Bid for Access to Amazon Echo Audio in Murder Case Raises Privacy
  Concerns

Arkansas investigators are seeking access to what may have been recorded on
the electronic personal assistant.

http://www.nytimes.com/2016/12/28/business/amazon-echo-murder-case-arkansas.html

------------------------------

Date: Fri, 30 Dec 2016 01:43:14 -0500
From: Monty Solomon <monty () roscom com>
Subject: For Millions of Immigrants, a Common Language: WhatsApp

With the ability to communicate securely and free, the messaging app has
become a mainstay for those who have left their homes for the unknown.
http://www.nytimes.com/2016/12/21/technology/for-millions-of-immigrants-a-common-language-whatsapp.html

------------------------------

Date: Fri, 30 Dec 2016 01:43:46 -0500
From: Monty Solomon <monty () roscom com>
Subject: Why Some of Your Holiday Gifts Might Not Fly

Airlines are wary of drones and other devices with powerful batteries.  And
they won't be as delighted as you are with that virtual reality headset.

http://www.nytimes.com/2016/12/26/business/why-some-of-your-holiday-gifts-might-not-fly.html

------------------------------

Date: 27 Dec 2016 01:41:41 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: MSFT $927M tech support contract (Macintyre, R 30 05)

FYI, Bill Gates now owns about 4% of Microsoft's stock.  It's a big
contract for Microsoft, but it's irrelevant for Gates.

------------------------------

Date: Tue, 27 Dec 2016 13:02:33 -0600
From: Bob Wilson <wilson () math wisc edu>
Subject: Re: SHAME ON YOU, GOOGLE!

In addition to fearing the results if governments try to label truth and
falsehood, I certainly see little likelihood of that happening at least in
the USA.  In any grocery store checkout line there will be tabloid
"newspapers" which present as truth all sorts of falsehoods.  I see people
reading them while waiting to check out, and occasionally buying them.
When some celebrity thinks he/she has been damaged by an article,
photograph, etc., and sues, these papers have consistently used the defense
that "everybody knows we are just publishing material we created, for
entertainment, with no claim to fact".  (But I think many readers never
heard that defense and subscribe to the "If it is in print it must be true"
position.)  These seem to me to be quite like the false news sites, but the
US government has so far as I know never made any attempt to control them,
and I suspect it would be thrown out on 1st Amendment grounds if it were
tried.

This does not mean I really want this attack on our national belief system
to continue without legal action of some sort.  But the only action I can
imagine having a significant effect has no chance of happening, somehow
educating and motivating our population to think.

------------------------------

Date: Wed, 28 Dec 2016 07:08:09 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Is no place sacred from surveillance? (on Jenna Wortham)

  [I thought Churchix was a bad joke 18 months ago, but apparently not;
  here's a *NYTimes* article from yesterday.  HB]

Jenna Wortham, *The New York Times*, 27 Dec 2016
Finding Inspiration for Art in the Betrayal of Privacy
http://www.nytimes.com/2016/12/27/magazine/finding-inspiration-for-art-in-the-betrayal-of-privacy.html

  "There was an interactive demonstration on a widely used program called
  "Churchix," a facial-recognition tool licensed to churches that records
  and logs the identities of people entering the premises."

------------------------------

Date: Wed, 28 Dec 2016 10:10:07 -0500
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Scholarships for Women Studying Information Security

Since 2011, Applied Computer Security Associates, sponsor of the ACSAC,
NSPW, LAW, and LASER conferences, has offered scholarships for women in
security-related undergraduate and masters' degree programs through the
Scholarships for Women Studying Information Security (SWSIS, www.swsis.org).
Thanks to a $250,000 4-year contribution by Hewlett Packard Enterprise
(HPE) in early 2014, ACSA expanded our program to award 11 scholarships for
the 2014-15 academic year, 16 for the 2015-16 academic year, and 16 for the
2016-17 academic year.  The Committee on the Status of Women in Computing
Research (CRA-W), an arm of the Computing Research Association, led
selection of scholarship winners.  Information about the 49 SWSIS Scholars
(scholarship winners) is available at www.swsis.org.
ACSA, CRA-W, and HPE are pleased to announce that applications for 2017-18
scholarships are accepted Dec 15 2016 - Feb 1 2017.

To apply, an applicant must provide:
 * An essay describing her interest and background in the information
   security field.
 * A current transcript.
 * A resume or CV.
 * At least two letters of reference (typically from faculty members).
 * Her university name and class status.

The scholarship is renewable for a second year subject to availability of
funds, given proof of satisfactory academic progress and available funds.
Scholars must be US citizens or permanent residents; funds are available
for use at any US campus of a US university.

More information at www.swsis.org or swsis () swsis org

Jeremy Epstein, Director, Scholarship Programs
Applied Computer Security Associates, Inc.
Founder & Managing Director, SWSIS

Rebecca Wright, CRA-W Scholar Selection Director
Computing Research Association Committee on the Status of Women in
Computing Research

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.06
************************