RISKS Forum mailing list archives
Risks Digest 30.38
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 17 Jul 2017 21:14:31 PDT
RISKS-LIST: Risks-Forum Digest  Monday 17 July 2017  Volume 30 : Issue 38

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.38>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
A Solar Eclipse Could Wipe Out 9,000 Megawatts of Power Supplies (Bloomberg)
Massachusetts tax system blocks payments, sends refunds in error (MassLive)
The AlphaBay Takedown Sends Dark Web Markets Reeling (WiReD)
Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts (UpGuard)
How Fake News Goes Viral -- Here's the Math (Scientific American)
While Some Cry 'Fake,' Spotify Sees No Need to Apologize (The New York Times)
Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest Malicious
  Campaigns Ever Recorded on a Social Network' (Gizmodo)
Elon Musk says preventing a 'fleet-wide hack' is Tesla's top security
  priority (Electrek)
Weekend Video Extra: A Prescient Warning re: AI and Robotics, from 1956!
  (Lauren Weinstein)
Your pacemaker is spying on you (Mark Thorson)
Leaping Kangaroos (Anthony Thorn)
Paper ballots (Tom Donilon)
To avoid cyberattacks, Israel urged to manually count election results (Haaretz)
UAE orchestrated hacking of Qatari government sites, sparking regional
  upheaval, according to U.S. intelligence officials (The Washington Post)
Re: Western tech firms bow to Russian demands to share cybersecrets
  (Martyn Thomas)
Re: DIY devices let car owners add autonomous features to vehicles
  (Simon Wright)
Re: Funny how these articles are all the same (Jonathan Levine)
Re: Press kits or other publications on thumb drives? (Kelly Bert Manning)
Review: "Twitter and Tear Gas," by Zeynep Tufekci (Bruce Schneier)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, Jul 16, 2017 at 6:29 PM
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Bloomberg: A Solar Eclipse Could Wipe Out 9,000 Megawatts of Power
  Supplies

[via Dave Farber]

... a recurring but unexplained phenomenon keeps shutting down *all* solar
power in the country for as much as 14 hours at a time. Scientists have not
yet named the frightening event, although some have suggested adapting the
French term "La nuit" or German's "Der Nacht".

Geoff Kuenning  geoff () cs hmc edu  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Sat, 15 Jul 2017 11:14:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Massachusetts tax system blocks payments, sends refunds in error
  (MassLive)

http://www.masslive.com/business-news/index.ssf/2017/07/massachusetts_tax_system_blocks_payments.html

------------------------------

Date: Sat, 15 Jul 2017 19:34:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: The AlphaBay Takedown Sends Dark Web Markets Reeling (WiReD)

https://www.wired.com/story/alphabay-takedown-dark-web-chaos/

Not since the days of the now-legendary Silk Road has a single site dominated
the dark web's black market as completely, and for as long, as the online
bazaar known as AlphaBay. And with the news that the site has been torn down
by a law enforcement raid -- and one of its leaders found dead in a Thai
prison -- the dark web drug trade has fallen into a temporary state of chaos.
------------------------------

Date: Fri, 14 Jul 2017 07:51:23 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Cloud Leak: How A Verizon Partner Exposed Millions of Customer
  Accounts (UpGuard)

via NNSquad
https://www.upguard.com/breaches/verizon-cloud-leak

The data repository, an Amazon Web Services S3 bucket administered by a NICE
Systems engineer based at their Ra'anana, Israel headquarters, appears to
have been created to log customer call data for unknown purposes; Verizon,
the nation's largest wireless carrier, uses NICE Systems technology in its
back-office and call center operations. In addition, French-language text
files stored in the server show internal data from Paris-based
telecommunications corporation Orange S.A. -- another NICE Systems partner
that services customers across Europe and Africa.

Beyond the risks of exposed names, addresses, and account information being
made accessible via the S3 bucket's URL, the exposure of Verizon account PIN
codes used to verify customers, listed alongside their associated phone
numbers, is particularly concerning. Possession of these account PIN codes
could allow scammers to successfully pose as customers in calls to Verizon,
enabling them to gain access to accounts -- an especially threatening
prospect, given the increasing reliance upon mobile communications for
purposes of two-factor authentication.

------------------------------

Date: Fri, 14 Jul 2017 07:56:21 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How Fake News Goes Viral -- Here's the Math (Scientific American)

NNSquad
https://www.scientificamerican.com/article/how-fake-news-goes-viral-mdash-heres-the-math/

Models similar to those used to track disease show what happens when too
much information hits social media networks.
------------------------------

Date: Sat, 15 Jul 2017 09:40:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: While Some Cry 'Fake,' Spotify Sees No Need to Apologize
  (The New York Times)

Spotify's playlists are dotted with hundreds of songs done by composers under
pseudonyms, but the company says it is just soliciting music to meet demand.

https://www.nytimes.com/2017/07/14/business/media/while-some-cry-fake-spotify-sees-no-need-to-apologize.html

------------------------------

Date: Mon, 17 Jul 2017 10:37:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest
  Malicious Campaigns Ever Recorded on a Social Network' (Gizmodo)

via NNSquad
http://gizmodo.com/nearly-90-000-sex-bots-invaded-twitter-in-one-of-the-la-1796985630

Last week, Twitter's security team purged nearly 90,000 fake accounts after
outside researchers discovered a massive botnet peddling links to fake
"dating" and "romance" services. The accounts had already generated more than
8.5 million posts aimed at driving users to a variety of subscription-based
scam websites with promises of -- you guessed it -- hot Internet sex.

------------------------------

Date: Mon, 17 Jul 2017 08:39:48 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Elon Musk says preventing a 'fleet-wide hack' is Tesla's top
  security priority

via NNSquad
https://electrek.co/2017/07/17/tesla-fleet-hack-elon-musk/?utm_content=buffer304a1&utm_medium=social&utm_source=plus.google.com&utm_campaign=buffer

He followed with an interesting example of what someone could do with that
kind of access:

  "In principles, if someone was able to say hack all the autonomous Teslas,
  they could say - I mean just as a prank - they could say 'send them all to
  Rhode Island' [laugh] - across the United States... and that would be the
  end of Tesla and there would be a lot of angry people in Rhode Island."

And that's like a best case scenario.
Musk continued with what Tesla is doing to try to prevent that:

  "We gotta make super sure that a fleet-wide is basically impossible and
  that if people are in the car, that they have override authority on
  whatever the car is doing. If the car is doing something wacky, you can
  press a button that no amount of software can override and ensure that you
  gain control of the vehicle and cut the link to the servers."

But governments will demand access to data from and control over autonomous
vehicles, both individually and en masse, no matter what Musk or other
manufacturers want. Autonomous vehicles represent the greatest potential for
government control over individuals in the history of mankind.

------------------------------

Date: Sat, 15 Jul 2017 09:27:56 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Weekend Video Extra: A Prescient Warning re: AI and Robotics,
  from 1956!

https://www.youtube.com/watch?v=qtpRMsDuH74

------------------------------

Date: Fri, 14 Jul 2017 21:45:35 -0700
From: Mark Thorson <eee () sonic net>
Subject: Your pacemaker is spying on you

It seems to me that any allegation that the pacemaker data is evidence of
anything should require, at a minimum, establishment of a cause --> effect
relationship published in peer-reviewed literature. Lacking that, it's just
like tarot cards or something.

http://www.bbc.com/news/technology-40592520

------------------------------

Date: Sat, 15 Jul 2017 21:47:58 +0200
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Leaping Kangaroos (Re: Horsfall, RISKS-30.37)

I am reluctant to question an Australian's statement about kangaroos, but
surely a taller object would appear to be nearer than it really is?

------------------------------

Date: Sun, 16 Jul 2017 18:12:37 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Paper ballots (Tom Donilon)

Tom Donilon, National Security Advisor 2010-2013, advocates for paper ballots
in his opinion piece
https://www.washingtonpost.com/opinions/russia-will-be-back-heres-how-to-hack-proof-the-next-election/2017/07/14/f085e870-67d5-11e7-a1d7-9a32c91c6f40_story.html?utm_term=.1be864cac68d

Tom Donilon, *The Washington Post*, 14 Jul 2017
Russia will be back. Here's how to hack-proof the next election.

[Photo caption: Russian President Vladimir Putin and President Trump meet at
the G-20 summit in Hamburg on July 7. (Evan Vucci/Associated Press)]

[PGN-ed]

Tom Donilon was national security adviser to President Barack Obama from 2010
to 2013. In 2016, he chaired the President's Commission on Enhancing National
Cybersecurity.

We now know that Russian President Vladimir Putin ordered a comprehensive
effort to interfere with the 2016 presidential election. This mission
involved the cybertheft and strategic publication of politically sensitive
emails, the placement and amplification of misinformation on social media,
overt propaganda and efforts to penetrate the systems of dozens of state
election authorities. This is not speculation or political posturing; it is
the public and high-confidence conclusion of the U.S. intelligence
community. And it is wholly consistent with past Soviet and Russian use of
active measures -- intelligence operations meant to shape an adversary's
political decisions -- with the strategic goal of undermining the integrity
of and confidence in the West. Modern technology has only increased the
speed, scale and efficacy of such actions.

This would be alarming even as a one-time occurrence, but as former FBI
director James B. Comey recently warned, "They will be back." The fact is
that, so far, Putin has paid too small a price to meaningfully deter him in
the future.
Here are five concrete steps the United States should take to meet this
ongoing threat to our democracy:

First, President Trump must unequivocally acknowledge Russia's attack on the
2016 election and clearly state that any future attack on our democratic
institutions will not be tolerated. [...]

Second, the Department of Homeland Security and the Election Assistance
Commission (EAC) should lead a process to develop election baseline
cybersecurity guidelines and help states implement these best practices. [...]

Third, we must develop a better system for sharing information between state
and federal officials. While the U.S. election system is decentralized, the
threats against it are not confined to state borders. [...]

Fourth, we must engage in a national policy discussion about the roles and
responsibilities of our social media platforms and the steps they should take
to protect our democracy from malign interference. [...]

Fifth, the United States should work within international forums to establish
the principle that an attack on election systems violates the principles of
noninterference and sovereignty and would justify a robust response. [...]

These are steps we can take to help secure the future of our democratic
institutions in the cyber-age. We are on notice. We must act now.

------------------------------

Date: Mon, 17 Jul 2017 14:28:10 -0700
From: "Peter G. Neumann" <peter.neumann () sri com>
Subject: To avoid cyberattacks, Israel urged to manually count election
  results

Middle East Monitor (Israel), Jul 14 2017 [PGN-ed]
<https://www.middleeastmonitor.com/category/region/middle-east/israel/>

*Haaretz* reported yesterday that Israel's National Cyber Authority is
expected to recommend the manual counting of votes in future elections in
order to prevent cyberattacks, following recent attempts to meddle with
elections in the West.

Formed 18 months ago, the authority is working on a defence plan against
possible meddling in Israeli elections through cyberattacks similar to what
recently took place in the United States, France and Ukraine. It will
recommend that votes continue to be counted manually in Israel, as they
always have, even if this is an outdated method.

However, *Haaretz* noted that other aspects of the election campaign and
preparations for Election Day are also exposed to cyberattacks and need
protection. Citing cyberexperts, they report that Israel is aware that
countries and groups seek to disrupt Israeli elections, and that there is a
growing risk they might succeed in their endeavour.

------------------------------

Date: Sun, 16 Jul 2017 23:05:06 -0400
From: Monty Solomon <monty () roscom com>
Subject: UAE orchestrated hacking of Qatari government sites, sparking
  regional upheaval, according to U.S. intelligence officials (WashPost)

https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html

------------------------------

Date: Sat, 15 Jul 2017 16:31:43 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Re: Western tech firms bow to Russian demands to share cybersecrets
  (Youngman, RISKS-30.37)

Maybe I have forgotten the context of Youngman's email but I don't understand
what point he is making.
ALL engineering depends on mathematics, because math-based methods are far
more likely to lead to dependable systems than using math-free methods. What
methods would he recommend?

All reasoning depends on axioms. Does Youngman eschew reasoning?

https://www.gresham.ac.uk/professorships/it-professorship/

------------------------------

Date: Sat, 15 Jul 2017 08:34:23 +0100
From: Simon Wright <simon () pushface org>
Subject: Re: DIY devices let car owners add autonomous features to vehicles
  (Said, RISKS-30.37)

Risks (totally unmentioned, and often left to the imagination of RISKS
readers) might include (for example), ...

And probably invalidating your insurance.

------------------------------

Date: Sat, 15 Jul 2017 16:29:30 -0600
From: Jonathan Levine <jonathan.canuck.levine () gmail com>
Subject: Re: Funny how these articles are all the same (Goldberg, RISKS-30.37)

No surprise here. Tapscott, a "futurist" (and now with his son), has a
well-established history as an uncritical Internet cheerleader, and he's
simply applying his MO to the Next Big Thing. Hard to sell books and get
lecturing gigs otherwise.

------------------------------

Date: Sat, 15 Jul 2017 17:47:11 -0400 (EDT)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Re: Press kits or other publications on thumb drives?
  (Goldberg, RISKS-30.37)

  "How do you check out shrink-wrapped commercial thumb drives?"

The commercial antivirus installed on my home computer automatically scans
any portable media connected via a USB port. The scan continues unless
stopped explicitly. Doing away with autorun was a good start.

That said, scanning only works for detectable malware. Custom or low-volume
malware may evade scans for a long time, unless the people using it get
stupid or the check monitors patterns of access to storage and network.

Michael Haephrati and his "clients" got caught when he used his custom
malware to hack ex-relatives after a bitter divorce, then posted draft novel
excerpts written by one of them on the web. Ironically, the novel portrayed
police investigating IT crimes as unresponsive and ineffective. In life,
Israeli law enforcement action was timely and very effective. Life is not
compelled to imitate Art.

http://www.networkworld.com/article/2344015/security/four-private-investigators-in-the-israeli-trojan-fiasco-sentenced--finally-.html
https://www.theguardian.com/world/2005/may/31/israel
https://en.wikipedia.org/wiki/Amnon_Jackont#Trojan_horse_exposure

------------------------------

Date: Sat, 15 Jul 2017 00:25:08 -0500
From: Bruce Schneier <schneier () schneier com>
Subject: "Twitter and Tear Gas," by Zeynep Tufekci

Bruce Schneier, CTO, IBM Resilient
https://www.schneier.com
CRYPTO-GRAM, July 15, 2017 [PGN-excerpted]
For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

Book Review: "Twitter and Tear Gas," by Zeynep Tufekci

There are two opposing models of how the Internet has changed protest
movements. The first is that the Internet has made protesters mightier than
ever. This comes from the successful revolutions in Tunisia (2010-11), Egypt
(2011), and Ukraine (2013). The second is that it has made them more
ineffectual. Derided as "slacktivism" or "clicktivism," the ease of action
without commitment can result in movements like Occupy petering out in the US
without any obvious effects.
Of course, the reality is more nuanced, and Zeynep Tufekci teases that out in
her new book "Twitter and Tear Gas."

Tufekci is a rare interdisciplinary figure. As a sociologist, programmer, and
ethnographer, she studies how technology shapes society and drives social
change. She has a dual appointment in both the School of Information Science
and the Department of Sociology at University of North Carolina at Chapel
Hill, and is a Faculty Associate at the Berkman Klein Center for Internet and
Society at Harvard University. Her regular "New York Times" column on the
social impacts of technology is a must-read.

Modern Internet-fueled protest movements are the subjects of "Twitter and
Tear Gas." As an observer, writer, and participant, Tufekci examines how
modern protest movements have been changed by the Internet -- and what that
means for protests going forward. Her book combines her own ethnographic
research and her usual deft analysis, with the research of others and some
big data analysis from social media outlets. The result is a book that is
both insightful and entertaining, and whose lessons are much broader than the
book's central topic.

"The Power and Fragility of Networked Protest" is the book's subtitle. The
power of the Internet as a tool for protest is obvious: it gives people
newfound abilities to quickly organize and scale. But, according to Tufekci,
it's a mistake to judge modern protests using the same criteria we used to
judge pre-Internet protests. The 1963 March on Washington might have
culminated in hundreds of thousands of people listening to Martin Luther King
Jr. deliver his "I Have a Dream" speech, but it was the culmination of a
multi-year protest effort and the result of six months of careful planning
made possible by that sustained effort. The 2011 protests in Cairo came
together in mere days because they could be loosely coordinated on Facebook
and Twitter.

That's the power. Tufekci describes the fragility by analogy. Nepalese
Sherpas assist Mt. Everest climbers by carrying supplies, laying out ropes
and ladders, and so on. This means that people with limited training and
experience can make the ascent, which is no less dangerous -- to sometimes
disastrous results. Says Tufekci: "The Internet similarly allows networked
movements to grow dramatically and rapidly, but without prior building of
formal or informal organizational and other collective capacities that could
prepare them for the inevitable challenges they will face and give them the
ability to respond to what comes next." That makes them less able to respond
to government counters, change their tactics -- a phenomenon Tufekci calls
"tactical freeze" -- make movement-wide decisions, and survive over the long
haul.

Tufekci isn't arguing that modern protests are necessarily less effective,
but that they're different. Effective movements need to understand these
differences, and leverage these new advantages while minimizing the
disadvantages. To that end, she develops a taxonomy for talking about social
movements. Protests are an example of a "signal" that corresponds to one of
several underlying "capacities." There's narrative capacity: The ability to
change the conversation, as Black Lives Matter did with police violence and
Occupy did with wealth inequality. There's disruptive capacity: The ability
to stop business as usual. An early Internet example is the 1999 WTO protests
in Seattle. And finally, there's electoral or institutional capacity: The
ability to vote, lobby, fund raise, and so on. Because of various
"affordances" of modern Internet technologies, particularly social media, the
same signal -- a protest of a given size -- reflects different underlying
capacities.

This taxonomy also informs government reactions to protest movements. Smart
responses target attention as a resource. The Chinese government responded to
2015 protesters in Hong Kong by not engaging with them at all, denying them
camera-phone videos that would go viral and attract the world's attention.
Instead, they pulled their police back and waited for the movement to die
from lack of attention.

If this all sounds dry and academic, it's not. "Twitter and Tear Gas" is
infused with a richness of detail stemming from her personal participation in
the 2013 Gezi Park protests in Turkey, as well as personal on-the-ground
interviews with protesters throughout the Middle East -- particularly Egypt
and her native Turkey -- Zapatistas in Mexico, WTO protesters in Seattle,
Occupy participants worldwide, and others. Tufekci writes with a warmth and
respect for the humans that are part of these powerful social movements,
gently intertwining her own story with the stories of others, big data, and
theory. She is adept at writing for a general audience, and -- despite being
published by the intimidating Yale University Press -- her book is more
mass-market than academic. What rigor is there is presented in a way that
carries readers along rather than distracting.

The synthesist in me wishes Tufekci would take some additional steps, taking
the trends she describes outside of the narrow world of political protest
and applying them more broadly to social change. Her taxonomy is an important
contribution to the more-general discussion of how the Internet affects
society. Furthermore, her insights on the networked public sphere have
applications for understanding technology-driven social change in general.
These are hard conversations for society to have. We largely prefer to allow
technology to blindly steer society or -- in some ways worse -- leave it to
unfettered for-profit corporations. When you're reading "Twitter and Tear
Gas," keep current and near-term future technological issues such as
ubiquitous surveillance, algorithmic discrimination, and automation and
employment in mind. You'll come away with new insights.

Tufekci twice quotes historian Melvin Kranzberg from 1985: "Technology is
neither good nor bad; nor is it neutral." This foreshadows her central
message. For better or worse, the technologies that power the networked
public sphere have changed the nature of political protest as well as
government reactions to and suppressions of such protest.

I have long characterized our technological future as a battle between the
quick and the strong. The quick -- dissidents, hackers, criminals,
marginalized groups -- are the first to make use of a new technology to
magnify their power. The strong are slower, but have more raw power to
magnify. So while protesters are the first to use Facebook to organize, the
governments eventually figure out how to use Facebook to track protesters.
It's still an open question who will gain the upper hand in the long term,
but Tufekci's book helps us understand the dynamics at work.

This essay originally appeared on Vice Motherboard.
https://motherboard.vice.com/en_us/article/43dx3j/twitter-and-tear-gas-review

The book:
https://www.twitterandteargas.org/
https://www.amazon.com/Twitter-Tear-Gas-Fragility-Networked/dp/0300215126/

Tufekci:
https://twitter.com/zeynep
https://www.nytimes.com/column/zeynep-tufekci

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.38
************************