RISKS Forum mailing list archives
Risks Digest 30.31
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 8 Jun 2017 12:12:45 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 8 June 2017  Volume 30 : Issue 31

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.31>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Russian malware communicates by leaving comments in Britney Spears's
  Instagram account (BoingBoing)
Russian Gang Hacked Slot Machines and Plotted Over Stolen Sweets
  (The New York Times)
How the Trump-Russia Data Machine Games Google to Fool Americans (Paste)
An Ad Network That Helps Fake News Sites Earn Money Is Now Asking Users
  To Report Fake News (BuzzFeed)
How The Intercept Outed Reality Winner (ErrataSec)
The Internet Is Where We Share -- and Steal -- the Best Ideas
  (The New York Times)
Why We Lie: The Science Behind Our Deceptive Ways (National Geographic)
While EU Copyright Protests Mount, the Proposals Get Even Worse (EFF)
Re: Alleged engineer says red light cameras may misissue tickets
  (John Levine, Joseph Brennan)
Re: Untold story of QF72: What happens when 'psycho' automation leaves
  pilots powerless? (Kelly Bert Manning)
Re: Software is forever... Re: WannaCry (Geoffrey Keating)
Re: Robot Copilot Lands 737 (Roderick A Rees)
Re: What Happens When Your Car Gets Hacked? (David E. Ross)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 7 Jun 2017 21:02:55 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Russian malware communicates by leaving comments in Britney Spears's
  Instagram account (BoingBoing)

NNSquad
http://boingboing.net/2017/06/07/watering-holes.html

  A new analysis by Eset shows that Turla is solving its C&C problems by
  using Britney Spears' Instagram account as a cut-out for its C&C servers.
  Turla moves the C&C server around, then hides the current address of the
  server in encrypted comments left on Britney Spears's image posts. The
  compromised systems check in with Spears's Instagram whenever they need to
  know where the C&C server is currently residing.

------------------------------

Date: Thu, 8 Jun 2017 06:10:50 -0400
From: Monty Solomon <monty () roscom com>
Subject: Russian Gang Hacked Slot Machines and Plotted Over Stolen Sweets
  (The New York Times)

Federal authorities on Wednesday charged 31 people with roles in an
organized-crime scheme that pursued old-fashioned and novel forms of
racketeering.

https://www.nytimes.com/2017/06/07/nyregion/russian-eurasian-organized-crime.html

------------------------------

Date: Wed, 7 Jun 2017 12:37:24 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How the Trump-Russia Data Machine Games Google to Fool Americans
  (Paste)

NNSquad
https://www.pastemagazine.com/articles/2017/06/how-the-trump-russia-data-machine-games-google-to.html

  "I'm going to show you one specific weapon in this war that's being used
  against you and me and the United States right now: Google. There are
  other information weapons, such as bots and fake news sites, but other
  stories have those pretty well covered. But before we get started, though,
  two things to keep in mind: First, most of us don't even know we're in
  this war yet. You don't know when you've been wounded, when you've been
  killed. And that's the whole point: You're not supposed to. Second, the
  attacks in this war aren't aimed at your enemies. You attack your own
  side."

------------------------------

Date: Mon, 5 Jun 2017 20:17:02 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: An Ad Network That Helps Fake News Sites Earn Money Is Now Asking
  Users To Report Fake News (BuzzFeed)

NNSquad
https://www.buzzfeed.com/craigsilverman/an-ad-network-that-works-with-fake-news-sites-just-launched?utm_term=.lm3aKGqzK#.xabvWQPXW

  An ad network launched a new initiative to "continue the fight against
  fake news" at the same time it was working with 21 websites that have
  published fake news stories, according to a review conducted by BuzzFeed
  News.

------------------------------

Date: Tue, 6 Jun 2017 09:56:33 -0400
From: Monty Solomon <monty () roscom com>
Subject: How The Intercept Outed Reality Winner (ErrataSec)

How The Intercept Outed Reality Winner
http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

  [See also:

  The easy trail that led the feds to Reality Winner ...
  https://www.washingtonpost.com/news/morning-mix/wp/2017/06/06/the-easy-trail-that-led-the-feds-to-reality-winner-alleged-source-of-nsa-leak/

  The latest NSA leak is a reminder that your bosses can see your every move
  The case of Reality Winner, the 25-year-old woman arrested and accused of
  leaking classified information, shows the limits of your privacy at work.
  https://www.washingtonpost.com/news/the-switch/wp/2017/06/07/the-latest-nsa-leak-is-a-reminder-that-your-bosses-can-see-your-every-move/
  ]

------------------------------

Date: Tue, 6 Jun 2017 08:29:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Internet Is Where We Share -- and Steal -- the Best Ideas
  (The New York Times)

The Internet Is Where We Share -- and Steal -- the Best Ideas
https://www.nytimes.com/2017/06/06/magazine/the-internet-is-where-we-share-and-steal-the-best-ideas.html

The schism between those driving cultural conversations online and those
profiting from them has us questioning ownership in the digital age.

------------------------------

Date: Tue, 6 Jun 2017 02:47:15 -0400
From: Monty Solomon <monty () roscom com>
Subject: Why We Lie: The Science Behind Our Deceptive Ways

http://www.nationalgeographic.com/magazine/2017/06/lying-hoax-false-fibs-science/

------------------------------

Date: Mon, 5 Jun 2017 17:47:46 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: While EU Copyright Protests Mount, the Proposals Get Even Worse (EFF)

NNSquad
https://www.eff.org/deeplinks/2017/05/while-eu-copyright-protests-mount-proposals-get-even-worse

  This week, EFF joined Creative Commons, Wikimedia, Mozilla, EDRi, Open
  Rights Group, and sixty other organizations in signing an open letter
  [PDF] addressed to Members of the European Parliament expressing our
  concerns about two key proposals for a new European "Digital Single
  Market" Directive on copyright. These are the "value gap" proposal to
  require Internet platforms to put in place automatic filters to prevent
  copyright-infringing content from being uploaded by users (Article 13)
  and the equally misguided "link tax" proposal that would give news
  publishers a right to compensation when snippets of the text of news
  articles are used to link to the original source (Article 11).

If the EU proceeds with any of this nonsense, they risk being effectively
cut off from the rest of the world's Internet as far as most popular
services are concerned. EU citizens are being sold down the river by their
own politicians. Presumably they'll be cutting off the electricity next, and
bringing back The Plague.

------------------------------

Date: 6 Jun 2017 15:41:59 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Alleged engineer says red light cameras may misissue tickets
  (RISKS-30.30)

This is the same guy who was fined by the Oregon Board of Examiners for
Engineering for calling himself an engineer in letters that he wrote to
them, based on an unusual and ambiguously worded Oregon law about licensing
professional engineers. (It's not unusual to have a licensing law, it's
unusual for the law to have broad restrictions on speech.)

https://www.nytimes.com/2017/04/30/business/traffic-light-fine.html

Järlström sued them in federal court, and it's not looking good for the
state. In a preliminary injunction last week, the state agreed permanently
not to try to prevent Järlström from speaking about engineering or traffic
lights or calling himself an engineer:

http://ij.org/wp-content/uploads/2017/05/Agreed-PI-signed-by-judge.pdf

It appears that Oregon is a slow learner. Here's an article about a case 20
years ago where they did the same thing to an academic geologist who was
testifying against a proposed project under a professional geologist
licensing law. They lost that one, too:

https://www.theatlantic.com/politics/archive/2017/05/license-to-speak/525450/

------------------------------

Date: Tue, 6 Jun 2017 12:58:45 -0400
From: Joseph Brennan <brennan () columbia edu>
Subject: Re: "Red Light Cameras May Issue Some Tickets"

Oregon is one of the minority of states with a "restrictive yellow" traffic
law. The driver is expected to stop at a yellow signal unless the driver
"cannot stop in safety", in which case the driver must "drive cautiously
through the intersection", and yet, almost in contradiction to driving
cautiously, the driver must also be clear of the intersection before the
red signal.

The arguments in the case have to do with the definition of being able to
"stop in safety" based on many factors -- how far the driver is from the
intersection, how fast the driver might legally be moving, and even the
type of vehicle and whether the driver intends to turn. The length of the
yellow phase therefore is critical because of the requirement to be out of
the intersection before the red signal.

In the other 37 states, entering the intersection on yellow is permitted,
and only *entering* on red is a violation.

I have learned for the first time from looking things up just now that my
own state of New Jersey is restrictive while New York, where I learned to
drive, is permissive. On the road I have seen little sign that any driver
in New Jersey knows about this!

Here, Appendix A, pages 19-23 give the rules state by state:
http://www.jarlstrom.com/PDF/Exhibit_1_FINAL_An_investigation_of_the_ITE_formula_and_its_use_R14.pdf

------------------------------

Date: Tue, 6 Jun 2017 18:24:50 -0400 (EDT)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Re: Untold story of QF72: What happens when 'psycho' automation
  leaves pilots powerless?

If memory serves me correctly, I heard MIT Prof Nancy Leveson say that one
of the reasons she rarely takes a flight on an Airbus plane is that Airbus
and Boeing have different philosophies about what to do when automation and
pilots have opposite views of what the controls should make the plane do.

Dr. Leveson said that in the end Boeing will have the plane do what the
pilots want it to do, but they might have to use all their strength to
oppose the automation. Airbus gives automation the last say about what the
plane should do, sometimes with disastrous results.

I believe that Dr. Leveson said she took an Airbus flight once, when the
alternative was spending a night in downtown Chicago.

  [Second prize was Two nights in downtown Chicago?  PGN]

------------------------------

Date: 05 Jun 2017 16:30:47 -0700
From: Geoffrey Keating <geoffk () geoffk org>
Subject: Re: Software is forever... Re: WannaCry (Grossman, RISKS-30.30)

There's another option than those four: vendors can arrange for the
software to stop working when its support period ends, and tell the
customer to arrange for an upgrade as necessary; whether that means buying
a new lightbulb, plugging a USB stick into their car, or just clicking the
button for "yes, ok, I give in, I will upgrade".

You might think this is dangerous; but then, so is the current state. So
which is the greatest danger? How bad would the state need to be before
this last option starts looking good?

------------------------------

Date: Tue, 6 Jun 2017 08:43:24 -0700
From: Roderick A Rees <rarees () frontier com>
Subject: Re: Robot Copilot Lands 737 (RISKS-30.30)

  "The risk? Second Officer Robo Pilot not having been programmed for an
  unusual and very bad situation. Say, a bird strike on both engines
  leaving NYC's LaGuardia Airport or an incapacitated human pilot. Nice
  corporate goal, "reduced crew operations while ensuring that aircraft
  performance and mission success are maintained or improved" -- and it
  does mention safety -- but I wonder about handling those occasional
  oddities where human experience shines. Aren't some aircraft designated
  two-crew for good reasons?"

Right -- the pilots are there to deal with the designers' mistakes and
inadequate assumptions. Shawn Coyle, a very experienced helicopter test
pilot, wrote that of all the many emergencies he had had to deal with, not
one was like those that the designers had told him to prepare for. Without
him, the machine would have crashed, expensively.

Automation enthusiasts have for decades been saying that pilots should be
abolished; but in a recent blog, an air transport pilot said that ``Yes,
the aircraft can fly itself, but the crew have their hands near the
controls the whole time, to take over when the automatic system messes up
- and it does mess up.''

The greatest problem is over-confidence by the designers. The Airbus Chief
Test Pilot was killed because he did not understand how the Alpha Floor,
which is supposed to prevent stalls, actually worked - which means it had
not been properly explained to him. And Air France 447, for example, need
not have crashed; but the designers and Air France assumed that pilots no
longer needed to be taught how to fly the aircraft when the automatic
system does not cope correctly.

This is found in other fields too, when it is assumed that complex logic
must be right; but the more complex the logic, the less likely it is to be
correct, usually because the input assumptions are inadequate or false (as
the Lockheed rep was quoted as saying about an F-22 problem, ``There are
millions of lines of code in there and you can't check everything.''). None
of this is dealt with just by saying that complex logic is now to be called
Artificial Intelligence. And two-valued logic in itself has many
limitations.

  [But it might be safer and faster than Trans-Turing computations with
  conceptually unbounded precision!  PGN]

------------------------------

Date: Mon, 5 Jun 2017 14:36:48 -0700
From: "David E. Ross" <david () rossde com>
Subject: Re: What Happens When Your Car Gets Hacked? (RISKS-30.30)

Bruce Schneier states

  It's only older unpatched systems on your computer that are vulnerable.

and then goes on to state

  Most people have set up their computers and phones to automatically apply
  these patches, and the whole thing works seamlessly.

Much of that is quite true. The problem is that the latest patched Windows
10 was still vulnerable to the WannaCrypt ransomware.

Worse, patches often contain bugs that can make things worse instead of
better. For that reason, many of the more knowledgeable Windows 7 users
block automatic patches (a capability denied to Windows 10 users). They
wait a week or more to see what others experience with new patches before
accepting them.

Since the end of 2014, Microsoft's record of patches has been dismal. At
least 39 patches issued since then were defective and had to be replaced.
That is more than one defective patch a month. Three replacement patches
themselves were also defective and had to be replaced.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.31
************************