RISKS Forum mailing list archives

Risks Digest 30.12


From: RISKS List Owner <risko () csl sri com>
Date: Wed, 1 Feb 2017 17:00:56 PST

RISKS-LIST: Risks-Forum Digest  Wednesday 1 February 2017  Volume 30 : Issue 12

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.12>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Network-enabled ICBMs for the USAF? (John Dallman)
Quantum Computers Versus Hackers, Round One (WiReD via Werner U)
Hackers Use New Tactic at Austrian Hotel: Locking the Doors
  (Dan Bilefsky)
Hotels and electronics (Benoit Goas)
Hackers hit DC CCTV's Jan. 12-15, 2017 (Clarence Williams via Henry Baker)
Everything I Need to Know about Russia's Internet Interference I Learned
  Through College Pranks (Sean Havey)
"FBI request for Twitter account data may have overstepped legal guidelines"
  (Dustin Volz)
Severe vulnerability in Cisco's WebEx extension for Chrome leaves PCs open
  to easy attack (PC World)
Voter fraud? (PGN)
The future of fake news is real-time video manipulation (Nick Bilton)
Intentionally or not, big brands help fund fake news (Star Tribune)
alt-facts.net site (Arthur T.)
Re: "The missile may have veered ... towards the US" (Chris Drewe)
Re: United Airlines resumes flights after temporary ground order
  (Mark)
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Wols,
  John Levine)
Data Privacy Day: know the risks of Amazon Alexa and Google Home
  (Naked Security)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 28 Jan 2017 19:32 +0000 (GMT Standard Time)
From: "John Dallman" <jgd () cix co uk>
Subject: Network-enabled ICBMs for the USAF?

"The fact that future nuclear weapons will be far more networked (though not
necessarily to the open Internet) will create better safety and oversight,
and allow for more coordinated operations. But more connectivity also
introduces new potential vulnerabilities and dangers."

https://www.theatlantic.com/amp/article/511904/

The idea that connectivity to the Internet wasn't rejected out of hand seems
to indicate that the Air Force Scientific Advisory Board needs replacing
very firmly.

A blogger at the US Naval Institute certainly thinks so:

<https://blog.usni.org/2017/01/04/there-are-bad-ideas-and-then-there-is-this-bad-idea>

"Some support systems? Sure, but command, control, mission loading, arming,
and launch must be contained in a robust, hardened, isolated & closed
system. Simple, almost primitive, with multiple physical human interfaces
required. To be even thinking of network access to the weapons systems
themselves is the height of irresponsibility; even more irresponsible than a
reliance on GPS or satellite systems as a point of failure between
authorization, launch, and "servicing the target." Ahem."

ICBMs as part of the IoT is, I'm pretty sure, the worst idea I've seen on
the Internet since I started using it in 1992.

------------------------------

Date: Tue, 31 Jan 2017 09:36:54 +0100
From: Werner U <werneru () gmail com>
Subject: Quantum Computers Versus Hackers, Round One (WiReD)

(WiReD, 27 Jan 2017)

  [Peter, I'm feeling ambivalent about calling attention to this article,
  'popular' in tone, but it does a decent enough job of explaining the
  basics...  and while there is 'business hype' in the name-dropping and
  describing the possibilities, the author also is fair in pointing out the
  difficult and uncertain blessings of the technology...  take a look-see
  and decide if and how you want to use it.]

Quantum Computers Versus Hackers, Round One. Fight!
https://www.wired.com/2017/01/quantum-computers-versus-hackers-round-one-fight/

Lily Hay Newman, *WiReD*, 27 Jan 2017

This week D-Wave, a leader in the nascent field of quantum computing,
unveiled its latest machine, D-Wave 2000Q, as well as its first customer: a
cybersecurity firm called Temporal Defense Systems.  It's the first time
quantum has been used to fight cybercrime, and if it works, it could reshape
how security analysts protect their networks from harm.

[...] D-Wave's customers for earlier models range from Lockheed Martin to
Google to Los Alamos National Laboratory.  Now TDS, a cybersecurity company
that builds hardware and software security products, will be the first
private security business to seek improved results through next-generation
computing. [...]  Quantum computing is far from a proven tool at this point,
and it's just one of a handful of next-generation computing solutions being
applied to thorny cybersecurity issues. The more opportunities it has to
transform the world, though, the better the chance that it eventually will.

------------------------------

Date: Mon, 30 Jan 2017 16:40:02 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Hackers Use New Tactic at Austrian Hotel: Locking the Doors
  (Dan Bilefsky)

Dan Bilefsky, *The New York Times*, 30 Jan 2017
https://www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html

The ransom demand arrived one recent morning by email, after about a dozen
guests were locked out of their rooms at the lakeside Alpine hotel in
Austria.  (The hotel was at maximum capacity.)

The electronic key system at the picturesque Romantik Seehotel Jaegerwirt
had been infiltrated, and the hotel was locked out of its own computer
system, leaving guests stranded in the lobby, causing confusion and panic.

``Good morning!'' the email began, according to the hotel's managing
director, Christoph Brandstaetter. It went on to demand a ransom of two
Bitcoins, or about $1,800, and warned that the cost would double if the
hotel did not comply with the demand by the end of the day, 22 Jan.
Mr. Brandstaetter said the email included details of a Bitcoin wallet, the
account in which to deposit the money -- and ended with the words, ``Have a
nice day!''

With the 111-year-old hotel brimming with eager skiers, hikers and
vacationers, some having paid about $530 for a suite with a panoramic view
and sauna, Mr. Brandstaetter said he decided to cave in.

Guests had already complained that their electronic room keys were not
working, and receptionists' efforts to create new ones had proved futile.
Bashing down the doors was not an option.

Security experts said the attack on the hotel appeared to be a novel example
of an increasingly malicious and prevalent type of modern-day piracy.

The weapon? A type of software known as ransomware...

  [Jim Reisert AD1C noted another article,
  Hotel ransomed by hackers as guests locked in rooms (Chris Summers)
http://www.dailymail.co.uk/news/article-4163886/Alpine-hotel-brings-locks-cyber-hacking.html
  Benoit Goas noted
    https://www.theregister.co.uk/2017/01/30/austrian_hotel_ransomware_attack/
  ]

------------------------------

Date: Tue, 31 Jan 2017 23:01:18 +0100
From: Benoit Goas <goasben () hawk iit edu>
Subject: Hotels and electronics

I recently was in a brand new hotel (around a week old), and their computer
systems crashed the day I checked in, preventing them from knowing which room got
cleaned or not. The room I was first given indeed wasn't made, but at least
nobody else was in... Not sure if they could know that!  They also had a big
computer screen to display the next bus hours, which at one point later
displayed only a pop-up screen with "your 7 day anti-virus trial version
expired".

Nothing really dangerous (as long as you don't need electronic keys to
exit the rooms), but it can be more reliable to keep older technology!

------------------------------

Date: Sat, 28 Jan 2017 16:34:36 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Hackers hit DC CCTV's Jan. 12-15, 2017

  [I wonder if this hack is related to any of the other recent high-profile
  Internet-wide CCTV hacks.]

Here's a non-sequitur:

"the intrusion was confined to the police CCTV cameras that monitor public
areas"

"the safety of the public or protectees was never jeopardized"

If this conclusion were really true, then a "security theater" camera would
be just as effective as a real camera, and they needn't have bothered fixing
the cameras!

Clarence Williams, *The Washington Post*, 27 Jan 2017
Hackers hit D.C. police closed-circuit camera network, city officials disclose
https://www.washingtonpost.com/local/public-safety/hackers-hit-dc-police-closed-circuit-camera-network-city-officials-disclose/2017/01/27/d285a4a4-e4f5-11e6-ba11-63c4b4fb5a63_story.html

Hackers infected 70 percent of storage devices that record data from
D.C. police surveillance cameras eight days before President Trump's
inauguration, forcing major citywide reinstallation efforts, according to
the police and the city's technology office.

City officials said ransomware left police cameras unable to record between
Jan. 12 and Jan. 15.  The cyberattack affected 123 of 187 network video
recorders in a closed-circuit TV system for public spaces across the city,
the officials said late Friday.

Secret Service spokesman Brian Ebert said the safety of the public or
protectees was never jeopardized.

Archana Vemulapalli, the city's Chief Technology Officer, said the city paid
no ransom and resolved the problem by taking the devices offline, removing
all software and restarting the system at each site.

An investigation into the source of the hack continues, said Vemulapalli,
who said the intrusion was confined to the police CCTV cameras that monitor
public areas and did not extend deeper into D.C. computer networks.  [...]

------------------------------

Date: Sat, 28 Jan 2017 18:26:57 -0500
From: "dfarber" <dfarber () me com>
Subject: Everything I Need to Know about Russia's Internet Interference I
  Learned Through College Pranks

http://www.defenseone.com/ideas/2017/01/everything-i-need-know-about-russias-internet-interference-i-learned-through-college-pranks/134953/?oref=d-river

Sean Havey
It's not terribly difficult to inject fake news into conversation.

One February, as a snowstorm headed for the Carolinas, a Raleigh television
station debuted a Web form meant to allow local schools and businesses to
send cancellations and snow delays straight to the live TV feed.  Someone
posted the URL to an unofficial university message board, and within
minutes, mayhem erupted in the margins of the nightly news:
<http://www.thewolfweb.com/message_topic.aspx?topic=180137&page=2>
<https://www.youtube.com/watch?v=WcO3pyge-8w>

But while our antics caused little damage aside from a few embarrassed faces
in the newsroom, not everyone uses fake news for lulz. As recent events
show, sinister actors use the same tricks to spread misinformation and
deception -- with potentially disastrous consequences.

------------------------------

Date: Mon, 30 Jan 2017 09:25:39 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "FBI request for Twitter account data may have overstepped
  legal guidelines" (Dustin Volz)

Dustin Volz, Reuters, 27 Jan 2017
http://www.businessinsider.com/r-fbi-request-for-twitter-account-data-may-have-overstepped-legal-guidelines-2017-1

selected text:

WASHINGTON, Jan 27 (Reuters) - The FBI appeared to go beyond the scope of
existing legal guidance in seeking certain kinds of Internet records from
Twitter as recently as last year, legal experts said, citing two warrantless
surveillance orders the social media company published on Friday.

Twitter said its disclosures were the first time the company had been
allowed to publicly reveal the secretive orders, which were delivered with
gag orders when they were issued in 2015 and 2016.

In doing so, the orders bolster the belief among privacy advocates that the
FBI has routinely used NSLs to seek Internet records beyond the limitations
set down in a 2008 Justice Department legal memo, which concluded such
orders should be constrained to phone billing records.

The FBI did not immediately respond to a request for comment. An FBI
inspector general report from 2014 indicated that it disagreed with the
memo's guidance.

------------------------------

Date: Sat, 28 Jan 2017 11:28:07 -0500
From: Monty Solomon <monty () roscom com>
Subject: Severe vulnerability in Cisco's WebEx extension for Chrome leaves
  PCs open to easy attack

http://www.pcworld.com/article/3160836/software/severe-vulnerability-in-ciscos-webex-extension-for-chrome-leaves-pcs-open-to-easy-attack.html

------------------------------

Date: Sat, 28 Jan 2017 16:32:30 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Voter fraud?

Several highly visible Republicans (including Tiffany Trump, Steve Bannon,
Steven Mnuchin) are registered in more than one state.  That's not illegal,
although Bannon apparently never lived in the house in Florida at which he
was registered.  That's illegal.  (R 30 12)

http://www.usnews.com/news/national-news/articles/2017-01-25/tiffany-trump-steve-bannon-steve-mnuchin-registered-to-vote-in-multiple-states

  [Additional names seem to be cropping up as well.]

------------------------------

Date: Tue, 31 Jan 2017 21:15:12 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: The future of fake news is real-time video manipulation
  (Nick Bilton)

Nick Bilton, BoingBoing via NNSquad
http://boingboing.net/2017/01/31/the-future-of-fake-news-is-rea.html

  Nick Bilton reports on the next round of fake news tools that allow users
  to manipulate audio and video to change what's being said, a sort of
  real-time Photoshop for moving images and audio. Want to make it look like
  a celebrity used a taboo word, or misquote a politician?  No problem.

------------------------------

Date: Sat, 28 Jan 2017 08:53:12 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Intentionally or not, big brands help fund fake news

AP via NNSquad
http://m.startribune.com/intentionally-or-not-big-brands-help-fund-fake-news/412040223/?section=nation

  Wittingly or not, major global corporations are helping fund sites that
  traffic in fake news by advertising on them.  Take, for instance, a story
  that falsely claimed former President Barack Obama had banned Christmas
  cards to overseas military personnel. Despite debunking by The Associated
  Press and other fact-checking outlets, that article lives on at "Fox News
  The FB Page," which has no connection to the news channel although it
  bears a replica of its logo.  And until recently, the story was often
  flanked by ads from big brands such as the insurer Geico, the
  business-news outlet Financial Times, and the beauty-products maker
  Revlon.  This situation isn't remotely an isolated case, although major
  companies generally say they have no intention of bankrolling purveyors of
  fake news with their ad dollars.  Because many of their ads are placed on
  websites by computer algorithms, it's not always easy for these companies
  to steer them away from sites they find objectionable.

------------------------------

Date: Sat, 28 Jan 2017 14:13:16 -0500
From: "Arthur T." <Risks201701.10.atsjbt () xoxy net>
Subject: alt-facts.net site (RISKS-30.11)

That, in turn, links to a Google Groups Form, which requires active
scripting and cookies. Given that Risks readers know the Risks of active
scripting (and the privacy implications of anything hosted by Google), I'm
surprised he thought it worthwhile to announce this here. Or is it just a
test to see how many of us will browse unsafely just to submit a fake news
site?

  [Intriguingly, Lindsay Marshall's newcastle site that houses the official
  searchable RISKS archive barfed on this item, blocking it perhaps because
  the website was brand new.  PGN]

------------------------------

Date: Sun, 29 Jan 2017 19:26:12 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: "The missile may have veered ... towards the US" (RISKS-30.05)

1. This story rumbled on over several days last week.  As I understand it,
   the missile was unarmed and officially the test was to check the
   submarine's launch capability rather than the missile itself.  The main
   news interest was who knew what and when, fueled by conflicting reports
   from UK and US commentators and governments, UK Prime Minister Theresa
   May evasively not answering questions about it in a TV interview, "we
   don't comment on security matters", etc.  Presumably 'UK Unintentionally
   Launches Missile Attack On US' makes a better headline than 'Problem
   Found During Routine Test Firing'...  :o)

http://www.telegraph.co.uk/news/2017/01/23/theresa-may-briefed-trident-missile-test-allegedly-misfired2/

2. Maybe I'm missing something, but I find the recent posts in
   RISKS on "fake news", "alternative news", "real news", and so
   forth rather ridiculous -- can news reports be definitively
   graded as 'true' or not!??!

The Royal Society has this on their web site, which seems right to me:

The Royal Society's motto 'Nullius in verba' is taken to mean 'take
nobody's word for it'.

https://royalsociety.org/about-us/

Tediously long article at
http://www.telegraph.co.uk/news/2017/01/23/theresa-may-briefed-trident-missile-test-allegedly-misfired2/

------------------------------

Date: Sun, 29 Jan 2017 10:15:26 -0800
From: Mark <gumpfs () gmail com>
Subject: Re: United Airlines resumes flights after temporary ground order
  (RISKS-30.11)

The link to ACARS went down, resulting in an inability for the company to
send weight and balance information or communicate with aircraft via
datalink.  I don't know what specific part of the system failed.

------------------------------

Date: Sat, 28 Jan 2017 17:01:26 +0000
From: Wols Lists <antlists () youngman org uk>
Subject: Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp
  (Shapir, RISKS-30.11)

While ease of development may be in the eye of the developer, I certainly
wouldn't commend for readability a language in which a blank in the wrong
place might completely change the meaning of a routine!

This is an old chestnut. How many people remember PL/1? That was intended to
be the ultimate programming language, iirc, and I found it a nice language,
but it had a similar reputation.

A misplaced parenthesis ran a serious risk of still leaving you with a valid
program, but one that did something completely different from what you
intended. Caused by the massive overloading of the meaning of said
character.

------------------------------

Date: 28 Jan 2017 20:25:00 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp
  (RISKS-30.10,11)

I spent decades programming in languages like C and perl that marked
grouping with { braces } and now mostly use python which uses indentation.
While it took a little while to get used to it, now I find the python way
works at least as well.  Compilers remember the open levels of indentation
so they can diagnose spacing typos where you return to an indentation level
that was never opened, something C and perl can't do since all braces look
the same.

It also avoids a whole category of hard-to-find bugs in C programs where the
indentation suggests one thing but the braces say something else.

I think the moral here is that just because something is unfamiliar doesn't
mean it's worse.  I'm reminded of a famous article Don Norman wrote in 1981
about how awful the UNIX shell language (which at that time was the user
interface) was. One of the UNIX guys pointed out that commands he complained
weren't "natural" were because they weren't like the PDP-10 he was used to.

------------------------------

Date: Sat, 28 Jan 2017 11:25:36 -0500
From: Monty Solomon <monty () roscom com>
Subject: Data Privacy Day: know the risks of Amazon Alexa and Google Home
  (Naked Security)

https://nakedsecurity.sophos.com/2017/01/27/data-privacy-day-know-the-risks-of-amazon-alexa-and-google-home/

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.12
************************

