RISKS Forum mailing list archives

Risks Digest 30.25


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 18 Apr 2017 15:37:17 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 18 April 2017  Volume 30 : Issue 25

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.25>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
How fake news and hoaxes have tried to derail Jakarta's election (BBC)
Critics See Signs of Interference in French Vote (Andrew Higgins)
Voters Cite Turkish Leader's Record as He Claims a Slim Victory
  (Patrick Kingsley)
Biased Bots: Human Prejudices Sneak Into Artificial Intelligence
  Systems (Princeton)
The tiny changes that can cause AI to fail (BBC)
Shadow Brokers: a mysterious hacker or group of hackers released
  the Microsoft apocalypse that wasn't (Robert Hackett)
Hackers have just dumped a treasure trove of NSA data.
   Here's what it means. (Henry Farrell)
Car parking app shares 2000 customers' private details after
  company suffers glitch (The Telegraph)
California Secession Bid Fails: Leader Is Living in Russia (KABC)
Inside the Tech Support Scam Ecosystem (OnTheWire)
Why one Republican voted to kill privacy rules:
  Nobody has to use the Internet (Ars Technica)
Re: Autonomous Electric Vehicle impact on Economy (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 17 Apr 2017 22:29:26 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How fake news and hoaxes have tried to derail Jakarta's election

via NNSquad
http://www.bbc.com/news/world-asia-39176350

  In Indonesia, the rise of fake news, hoaxes, and misleading information
  online has cast a pall over an already bitterly divided election in the
  capital, Jakarta. BBC Indonesian's Christine Franciska looks at why
  activists are describing this as a dark era in Indonesia's digital life.

------------------------------

Date: Tue, 18 Apr 2017 8:39:30 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Critics See Signs of Interference in French Vote (Andrew Higgins)

Andrew Higgins, *The New York Times*, 18 Apr 2017
State-run Russian News Operations Disperse Slanted Reports

------------------------------

Date: Tue, 18 Apr 2017 8:49:11 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Voters Cite Turkish Leader's Record as He Claims a Slim Victory
  (Patrick Kingsley)

Patrick Kingsley, *The New York Times*, 18 Apr 2017

Noting irregularities, opposition party seeks recount.  The pro-Kurdish
party noted that as many as 3M votes lacked an official stamp and should be
invalidated.  Teams of European observers also had complaints.  Unlevel
playing field with Erdogan's "state of emergency".  Opposition party people
arrested.  "No" campaigners physically intimidated, rallies limited.  That
seems to be a recipe for a "fair" election rather than a "good" one or an
"excellent" one -- if you subscribe to the other meaning of "fair".
[PGN-ed]

------------------------------

Date: Mon, 17 Apr 2017 12:16:09 -0400 (EDT)
From: "ACM TechNews" <technews-editor () acm org>
Subject: Biased Bots: Human Prejudices Sneak Into Artificial Intelligence
  Systems (Princeton)

Princeton University 13 Apr 2017 via ACM TechNews 17 Apr 2017

Researchers at Princeton University have demonstrated how machines can be
reflections of their creators' biases.  They determined common
machine-learning programs, when fed ordinary human language available
online, can obtain cultural prejudices embedded in the patterns of wording.
"We have a situation where these artificial intelligence [AI] systems may be
perpetuating historical patterns of bias that we might find socially
unacceptable and which we might be trying to move away from," warns
Princeton professor Arvind Narayanan.  The team experimented with a
machine-learning version of the Implicit Association Test, the GloVe
program, which can represent the co-occurrence statistics of words in a
specific text window.  The test replicated the broad substantiations of bias
found in select Implicit Association Test studies over the years that relied
on human subjects.  Coders might hope to prevent the perpetuation of
cultural stereotypes via development of explicit, math-based instructions
for machine-learning programs underpinning AI systems.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-13472x2118efx072995&;
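
An added illustration of the embedding-based association test the summary
describes (example code written for this digest, not the Princeton team's
code or data): the corpus, the word sets and the function names below are
constructed for the demonstration, and the "embeddings" are plain
co-occurrence counts standing in for GloVe vectors. The point it shows is
that a word's association score is nothing more than the skew of the text
it was learned from.

```python
"""Toy embedding association test, in the spirit of the word-embedding
Implicit Association Test described above.  Constructed illustration only:
the corpus, word sets and function names are this example's own, not the
Princeton team's data or code, and the "embeddings" are raw co-occurrence
counts rather than GloVe vectors."""
from collections import Counter, defaultdict
from itertools import combinations
import math

# Constructed corpus: flower words are placed near pleasant words and insect
# words near unpleasant ones, mimicking a skewed body of text.
CORPUS = [
    "rose love joy", "daisy joy peace", "rose peace love", "daisy love joy",
    "ant pain hate", "spider hate filth", "ant filth pain", "spider pain hate",
    "rose daisy garden", "ant spider dirt",
]
FLOWERS, INSECTS = ["rose", "daisy"], ["ant", "spider"]
PLEASANT, UNPLEASANT = ["love", "joy", "peace"], ["hate", "pain", "filth"]


def cooccurrence_vectors(corpus):
    """Sparse vector per word: how often it shares a document with each other word."""
    vectors = defaultdict(Counter)
    for doc in corpus:
        for a, b in combinations(doc.split(), 2):
            if a != b:
                vectors[a][b] += 1
                vectors[b][a] += 1
    return vectors


def cosine(u, v):
    """Cosine similarity between two sparse vectors (0.0 if either is empty)."""
    dot = sum(weight * v.get(word, 0) for word, weight in u.items())
    norm_u = math.sqrt(sum(w * w for w in u.values()))
    norm_v = math.sqrt(sum(w * w for w in v.values()))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0


def association(word, attr_a, attr_b, vectors):
    """s(w, A, B): mean similarity to attribute set A minus mean similarity to B.
    Positive means w sits closer to A; the sign is the embedding's 'implicit
    association' for that word."""
    mean_a = sum(cosine(vectors[word], vectors[a]) for a in attr_a) / len(attr_a)
    mean_b = sum(cosine(vectors[word], vectors[b]) for b in attr_b) / len(attr_b)
    return mean_a - mean_b


def effect_size(targets_x, targets_y, attr_a, attr_b, vectors):
    """Standardised gap between the two target groups' associations (Cohen's d style)."""
    s_x = [association(x, attr_a, attr_b, vectors) for x in targets_x]
    s_y = [association(y, attr_a, attr_b, vectors) for y in targets_y]
    pooled = s_x + s_y
    mean = sum(pooled) / len(pooled)
    std = math.sqrt(sum((s - mean) ** 2 for s in pooled) / (len(pooled) - 1))
    return (sum(s_x) / len(s_x) - sum(s_y) / len(s_y)) / std


VECTORS = cooccurrence_vectors(CORPUS)

if __name__ == "__main__":
    for word in FLOWERS + INSECTS + ["garden"]:
        print(f"{word:8s} association(pleasant - unpleasant) = "
              f"{association(word, PLEASANT, UNPLEASANT, VECTORS):+.3f}")
    print("effect size flowers vs insects:",
          round(effect_size(FLOWERS, INSECTS, PLEASANT, UNPLEASANT, VECTORS), 3))
```

Run it and the flower words score positive, the insect words negative, and
the effect size comes out positive. The word worth watching is "garden": it
never appears next to a pleasant or unpleasant word at all, only beside
"rose" and "daisy", yet it inherits a positive association through those
neighbours. That is the mechanism the summary warns about: the model has no
notion of the stereotype, it simply reproduces the co-occurrence structure
of its training text, so a bias audit of the kind above belongs in the test
plan of any system that consumes such vectors.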

------------------------------

Date: Sat, 15 Apr 2017 09:38:57 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The tiny changes that can cause AI to fail (BBC)

BBC via NNSquad
http://www.bbc.com/future/story/20170410-how-to-fool-artificial-intelligence

  The year is 2022. You're riding along in a self-driving car on a routine
  trip through the city. The car comes to a stop sign it's passed a hundred
  times before - but this time, it blows right through it.  To you, the stop
  sign looks exactly the same as any other. But to the car, it looks like
  something entirely different. Minutes earlier, unbeknownst to either you
  or the machine, a scam artist stuck a small sticker onto the sign:
  unnoticeable to the human eye, inescapable to the technology.  In other
  words? The tiny sticker smacked on the sign is enough for the car to "see"
  the stop sign as something completely different from a stop sign.  It may
  sound far-fetched. But a growing field of research proves that artificial
  intelligence can be fooled in more or less the same way, seeing one thing
  where humans would see something else entirely.

------------------------------

Date: Sat, 15 Apr 2017 23:55:15 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Shadow Brokers: a mysterious hacker or group of hackers released
  the Microsoft apocalypse that wasn't (Robert Hackett)

Robert Hackett

On Friday the Shadow Brokers, a mysterious hacker or group of hackers,
released the Microsoft apocalypse that wasn't.

What originally appeared to be one of the most damaging releases in recent
memory of zero-day exploits, or hacking tools that take advantage of
previously unknown software vulnerabilities, fell from the sky with the
shrieking ferocity of a MOAB bomb and landed with the soft thud of a
dud. Unknown to members of the information security community all through
the day, Microsoft had quietly patched the majority of the Windows flaws in
a security update last month, preventing the NSA-crafted espionage tools
from being abused by opportunistic attackers after their leak. The company
only announced that fact late in the evening.

Prior to Microsoft's hysteria-neutering blog post, security pros had been
tearing apart the leaked cache of digital weapons, running the attack code
on their test systems, and warning the world about the potential danger of
anyone connected to the Internet with a Windows-based computer. That the
researchers were running slightly outdated, un-patched versions of
Microsoft's software only became apparent after the company made its
late-night announcement.

Given that Microsoft seemed to miraculously fix the hitherto unknown bugs
just a month prior to their exposure leads any sane onlooker to the
conclusion that the U.S. government must have alerted the company to these
problems earlier and on the sly, preempting fallout. (A customary
acknowledgment for the researcher who reported the bugs was conspicuously
absent from Microsoft's post, hmm.) If so, this coordinated disclosure
represents a major policy coup. Instead of sticking its head in the sand (as
critics often accuse the intelligence community of doing), the spy set
appears to have worked with the tech sector, taking proactive measures to
defuse the situation before it could get out of hand.

This is the right approach; kudos to all involved. To stay protected, make
sure your systems -- Windows 7 or later -- are up to date with the latest
patches, dear readers. And a Happy Easter to those who celebrate.

------------------------------

Date: Sun, Apr 16, 2017 at 6:47 AM
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Hackers have just dumped a treasure trove of NSA data.
   Here's what it means. (Henry Farrell)

Henry Farrell, 15 Apr 2017
https://www.washingtonpost.com/news/monkey-cage/wp/2017/04/15/shadowy-hackers-have-just-dumped-a-treasure-trove-of-nsa-data-heres-what-it-means/

A group of hackers called the Shadow Brokers has just released a new dump of
data from the National Security Agency. This is plausibly the most extensive
and important release of NSA hacking tools to date. It's likely to prove
awkward for the U.S. government, not only revealing top-secret information
but also damaging the government's relationships with U.S. allies and with
big information technology firms. That is probably the motivation behind the
leak: The Shadow Brokers are widely assumed to be connected with the Russian
government. Here's what the dump means.

What information has been released?

The release is only the most recent in a series of Shadow Broker dumps of
information. However, it is by far the most substantial, providing two key
forms of information. The first is a series of zero-day exploits for
Microsoft Windows software. Zero-day exploits are attacks that take
advantage of unknown vulnerabilities in a given software package. Exploits
against commonly used software such as Windows are highly valuable --
indeed, there is a clandestine international market where hackers sell
exploits (sometimes through middlemen) to intelligence agencies and other
interested parties, often for large sums of money. Intelligence services
can then use these exploits to compromise the computers of their targets.

Second, information in the dump seems to show that the NSA has penetrated a
service provider for SWIFT, an international financial messaging service.
Specifically, it appears to have penetrated a SWIFT Service Bureau that
provides support for a variety of banks in the Middle East.

Why are zero-day exploits important?

The leak of the zero-day exploits is important for two reasons. First, once
the existence of a zero-day exploit is revealed, it rapidly loses a lot of
its value. Zero-day exploits work reliably only when they are held secret.
Microsoft may already have fixed many of these vulnerabilities (there are
conflicting reports from Microsoft and security companies UPDATE: NOW
SECURITY RESEARCHERS APPEAR TO HAVE WITHDRAWN THEIR CLAIMS). However, if it
hasn't, or if the attacks provide information to hackers that can be used
to generate more attacks, unscrupulous hackers might be able to take
advantage. In a worst-case scenario, there may be a period when it's as if
criminal hackers suddenly acquired super powers in an explosion, as in the
TV show The Flash, and started using them for nefarious ends.

Second, and as a consequence, trust between the United States and big
software companies may be seriously damaged. Some weeks ago, Adam Segal of
the Council on Foreign Relations wrote a report talking about how the U.S.
government needs to rebuild a relationship with Silicon Valley that had
been badly damaged by the Edward Snowden revelations. Now, the damage is
starting to mount up again.

Most people think of the NSA as a spying agency and do not realize that it
has a second responsibility: It is also supposed to protect the security of
communications by U.S. citizens and companies against foreign incursions.
When the United States learns of a zero-day exploit against software used by
Americans, it is supposed to engage in an equities process, in which the
default choice should be to inform the software producer so that it can fix
the vulnerability, keeping the zero-day secret only if a special case can be
made for it.  [...]

------------------------------

Date: Tue, 18 Apr 2017 09:54:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: Car parking app shares 2000 customers' private details after
  company suffers glitch (The Telegraph)

http://www.telegraph.co.uk/news/2017/04/15/car-parking-app-customers-personal-data-shared-others-company/

------------------------------

Date: Tue, 18 Apr 2017 13:28:57 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: California Secession Bid Fails: Leader Is Living in Russia (KABC)

via NNSquad
http://www.kabc.com/news/california-secession-bid-fails-leader-is-living-in-russia/

  Supporters of one long-shot bid to make California an independent nation
  ended their effort on Monday, while another group said it will launch a
  new campaign for a statewide vote next year, reports the AP.  The Yes
  California Independence Campaign faltered after its president, Louis
  Marinelli, revealed ties to Russia.

------------------------------

Date: Sun, 16 Apr 2017 10:11:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Inside the Tech Support Scam Ecosystem (OnTheWire)

OnTheWire via NNSquad

https://www.onthewire.io/inside-the-tech-support-scam-ecosystem/

  "So far, we collected more than 25K scam domains and thousands of scam
  phone numbers and we [have] evidence that this threat is not going to
  decrease soon and it still has an increasing trend," Miramirhani said.

REFERENCE: User Trust Fail: Google Chrome and the Tech Support Scams --
https://lauren.vortex.com/2017/01/12/user-trust-failure-google-chrome-and-the-tech-support-scams

------------------------------

Date: Sat, 15 Apr 2017 23:33:49 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why one Republican voted to kill privacy rules:
  Nobody has to use the Internet (Ars Technica)

A Republican lawmaker who voted to eliminate Internet privacy rules said,
"Nobody's got to use the Internet" when asked why ISPs should be able to use
and share their customers' Web browsing history for advertising purposes.

https://arstechnica.com/tech-policy/2017/04/dont-like-privacy-violations-dont-use-the-internet-gop-lawmaker-says/

The risk? People like that.

------------------------------

Date: Tue, 18 Apr 2017 12:49:06 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Autonomous Electric Vehicle impact on Economy
  (Macintyre, RISKS-30.24)

Parking meter?  How quaint.  I'm now using a phone application called Pango
which identifies where a user is parked (in a garage or on a street) when
it's turned on, and charges the account for parking fees when it's turned
off (in garages it can do this automatically, I prefer manual mode).
Additional payments could be charged to the account the same way.

  But if we are to have autonomous cars zooming past too fast to see the
  signs, marketing to reach riders of the autonomous vehicles may need a sea
  change of technology rethinking.

The Waze navigation application (recently acquired by Google) already has
this feature, flashing ads on the screen for businesses while a user
approaches them or drives by.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.25
************************

