RISKS Forum mailing list archives
Risks Digest 30.54
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 10 Feb 2018 12:19:35 PST
RISKS-LIST: Risks-Forum Digest  Saturday 10 February 2018  Volume 30 : Issue 54

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.54>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Dutch agencies provide crucial intel about Russia's interference in US-elections (volkskrant)
DHS exec: Russians penetrated US voter registrations in 2016 (NBC)
German shock at car exhaust tests on humans and monkeys (bbc.com)
"Ten Monkeys and a Beetle: Inside Rigged Diesel Test" (NYTimes)
How a single line of computer code put 75,000 innocent Turks in jail (Kelly Bert Manning)
Triton Malware Details Show the Dangers of Industrial System Sabotage (WiReD)
FBI vs crypto-sanity? (PGN)
Waze navigation app sends US driver into lake (The Times of Israel)
Eyesight Technologies Will Watch You Drive, and That's a Good Thing (IEEE Spectrum)
Self-Driving Cars Have a Secret Weapon: Remote Control (WiReD)
Facebook AI spam detector lacks autoreview (Dan Jacobson)
Why cops won't need a warrant to pull the data off your autonomous car (Gabe Goldberg)
WHATIS Going to Happen With WHOIS? (Motherboard)
"How Strava's "anonymized" fitness tracking data spilled government secrets" (Jack Whittaker via Gabe Goldberg)
Personal Trackers expose Aggregated Personal and Group Data (Bob Gezelter)
"Disney faces privacy complaint over children's apps" (Corinne Reichert)
IoT fun -- Don't Rely on Your Smart Speaker as Your Only Alarm Clock (Lifehacker)
More Than Half of Adult Americans Were Victims of Cybercrime in 2017 (TRK via Gabe Goldberg)
ICE can now track anyone's car in almost real-time (Think Progress)
Terrorists Could Use Teslas to Kill Us (The Weekly Standard)
A motorcyclist is suing GM after crashing into its self-driving car (PopSci)
robots.txt vs. noindex (Google via Dan Jacobson)
"3 leaked NSA exploits work on all Windows versions since Windows 2000" (CSO Online)
'Jackpotting' hackers steal over $1 million from ATMs across U.S. (Amos Shapir)
Feds drop hammer on massive "carder" ring that caused $530 million in losses (Ars Technica)
Blockchain Stocks Collapse by 40% to 90% (Wolfstreet)
Bitcoin price manipulation (Charley Kline)
Coincheck Says It Lost Crypto Coins Valued at About $400M (Bloomberg)
Bitcoin payments used to unmask dark web users (Naked Security)
Bitcoin: Dumb Crypto Criminal Botches Kidnapping (Fortune)
As Bitcoin Bubble Loses Air, Frauds and Flaws Rise to Surface (NYTimes)
Russian nuclear scientists arrested for 'Bitcoin mining plot' (BBC)
Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign (Catalin Cimpanu)
The Fake-Follower Factory (NYTimes)
British Teen Accessed U.S. Middle East Intelligence Ops by Pretending to be CIA Director (Newsweek)
Bug Bounty Programs Are Paying Off for Hackers, HackerOne Finds (EWeek)
Want to see all data Windows 10 sends Microsoft? There's an app for that (Ars Technica)
"Can AI predict when that new hire will quit?" (Terena Bell)
First, We Kill All the Lawsuits (Henry Baker)
"In spite of military assurances, autonomous weapon research speeds ahead" (Greg Nichols)
Ford Patents Autonomous Robocop Police Car That Can Give Out Tickets (Tech Times)
British 15-year-old gained intelligence info (The Telegraph)
Majority of employees in US unaware of GDPR mandate (DXC)
Enter all identifying numbers as single text string without formatting (Dan Jacobson)
Exclusive: Mattis seeking to ban cell phones from Pentagon (CNNPolitics)
Re: Vehicle Satellite Navigation (Drewe, RISKS-30.53)
Not knowing Twitter credentials delayed Hawai'i "all clear" (Lauren Weinstein)
HI-EMA 'button pusher' refusing to cooperate with FCC (Star Advertiser)
Re: Hawaiian False Missile Alert Command Confirmation Bias Strikes Again (Henry Baker)
Re: "LA-Tokyo flight turns back after passenger 'boards with wrong (John Levine)
Re: Five copyright claims against youtube video of white noise (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 27 Jan 2018 12:59:26 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Dutch agencies provide crucial intel about Russia's interference in US-elections (volkskrant)

Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections. For years, AIVD had access to the infamous Russian hacker group Cozy Bear. That's what de Volkskrant and Nieuwsuur have uncovered in their investigation.

https://www.volkskrant.nl/tech/dutch-agencies-provide-crucial-intel-about-russia-s-interference

  [Googling the subject line also gets you to the Volkskrant article. Volks is people in Dutch, so Volkskrant might be The People's Voice or something like that.]
------------------------------

Date: February 7, 2018 at 5:20:16 PM EST
From: Richard Forno <rforno () infowarrior org>
Subject: DHS exec: Russians penetrated US voter registrations in 2016 (NBC)

Cynthia McFadden, William M. Arkin and Kevin Monahan, NBC News, 7 Feb 2018

The U.S. official in charge of protecting American elections from hacking says the Russians successfully penetrated the voter registration rolls of several U.S. states prior to the 2016 presidential election.

In an exclusive interview with NBC News, Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, said she couldn't talk about classified information publicly, but in 2016, "We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated."

Jeh Johnson, who was DHS secretary during the Russian intrusions, said, "2016 was a wake-up call and now it's incumbent upon states and the Feds to do something about it before our democracy is attacked again."

"We were able to determine that the scanning and probing of voter registration databases was coming from the Russian government."

NBC News reported in Sept. 2016 that more than 20 states had been targeted by the Russians. There is no evidence that any of the registration rolls were altered in any fashion, according to U.S. officials.

https://www.nbcnews.com/politics/elections/eric-holder-leads-democrats-war-gerrymandering-n845576

------------------------------

Date: Tue, 30 Jan 2018 12:40:50 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: German shock at car exhaust tests on humans and monkeys (bbc.com)

http://www.bbc.com/news/world-europe-42858668

also reported here
https://www.nytimes.com/2018/01/25/world/europe/volkswagen-diesel-emissions-monkeys.html
and elsewhere.

The European Research Group on Environment and Health in the Transport Sector (EUGT), with automaker funding, performed these tests.

From the BBC article:

"Were the tests unethical?"

'The German government thinks so. VW apologised and Daimler said "the EUGT's approach contradicts our values and ethical principles."'

"In the end, the EUGT, which was disbanded in 2017, concluded that no health effects could be detected."

Diesel emits more particulate soot than regular gasoline, as well as pollutants such as nitrogen dioxide and nitrogen oxides that in the short term, the EPA says, can lead to respiratory ailments and exacerbate asthma.

Industry sponsored research is fine when full disclosure of all findings is presented, especially those affecting public health and safety. Often, negative results (or outliers; tail events) are suppressed to accentuate the positive. Industry-sponsored research findings from pharmaceuticals, implantable devices, etc. are prime examples. Takata airbag ignition shrapnel is another. A mighty long list in this space.

Transportation systems appear as a ripe target for unethical research practices. Given a historically low air transport fatality rate, certain organizations might be tempted to "push the envelope" on reduced qualification efforts to save funds, and justify their effort using one or more academic studies that sponsor confirmation bias or bury risks.

Another nail in the coffin of public trust.

------------------------------

Date: Fri, 26 Jan 2018 12:43:10 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: "Ten Monkeys and a Beetle: Inside Rigged Diesel Test" (NYTimes)

(The New York Times)
https://www.nytimes.com/2018/01/25/world/europe/volkswagen-diesel-emissions-monkeys.html

A revealing story of corporate control fraud, industry-sponsored research, and regulatory capture.
Another case of "Profit Without Honor" (see https://www.amazon.com/Profit-Without-Honor-Looting-America).

This digest documents the willful exploitation of problem solving talent, and a timorous inclination to challenge corporate governance decisions to build and sell products that weaken public health, safety, and privacy. Bravery and resilience are rare characteristics practiced by ethical professionals who denounce fraud.

How many IEEE or PMI members actively abide by the code of conduct these organizations promote?

IEEE Code of Ethics (https://www.ieee.org/about/corporate/governance/p7-8.html)
IEEE Code of Ethics for Project Managers (http://www.pmi.org/learning/library/project-managers-code-of-ethics-10343)

Legions of professionals apparently treat their codes of ethics with impunity: impotent declarations, not honorable guides to defend and practice for public safety, health or privacy benefit. The accelerating incidence and damage accrued from technologically-enabled, defective products testifies to this abdication of duty dishonoring professionals on a global scale.

------------------------------

Date: Mon, 22 Jan 2018 14:33:28 -0500 (EST)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: How a single line of computer code put 75,000 innocent Turks in jail

Every so often I encounter someone who says that their life is an open book, and that anyone who is concerned about Panoptic government surveillance or uses encrypted messaging must have something to hide. My short response is often to express sympathy for them having such boring lives.

Now we have a real world example of a NATO government persecuting 75,000 innocents as part of a Witch Hunt. Many thousands of innocent Turks were pursued by their government after viewing webpages that had a 1x1 pixel link to Bylock.net. Other consequences included loss of jobs and suicidal depression.

'Beşikçi said it was due to a single line of code, which created a window "one pixel high, one pixel wide" -- essentially invisible to the human eye -- to Bylock.net.'

http://www.cbc.ca/news/world/terrifying-how-a-single-line-of-computer-code-put-thousands-of-innocent-turks-in-jail-1.4495021?cmp=rss
https://www.theguardian.com/world/2017/sep/11/turks-detained-encrypted-bylock-messaging-app-human-rights-breached
http://beta.latimes.com/world/europe/la-fg-turkey-purge-crackdown-snap-story.html
https://thehackernews.com/2017/09/turkish-coup-bylock-messenger.html

"ByLock was one of the many encrypted messaging apps available to download for free on Apple's App Store and Google's Play Store and was downloaded over 600,000 times between April 2014 and April 2016, according to a report by British computer forensics expert, Thomas K. Moore."

Sometimes what you download or view for free on the Internet is worth every penny you paid for it. In other cases it has a negative value, compromising your device or tainting you with false associations.

------------------------------

Date: Fri, 19 Jan 2018 18:12:05 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Triton Malware Details Show the Dangers of Industrial System Sabotage (WiReD)

A recent digital attack on the control systems of an industrial plant has renewed concerns about the threat hacking poses to critical infrastructure. And while security researchers offered some analysis last month of the malware used in the attack, called Triton or Trisis, newly revealed details of how it works expose just how vulnerable industrial plants--and their failsafe mechanisms--could be to manipulation.

https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/

...interesting dueling malware vs. detection.

------------------------------

Date: Thu, 25 Jan 2018 9:26:40 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: FBI vs crypto-sanity?

1. Senator Demands FBI Director Explain His Encryption Backdoor Bull...

U.S. Senator Ron Wyden is calling out the director of the FBI for pushing the moronic notion that there is somehow a good way to add backdoors to encryption used to protect devices like Apple's iPhone.
https://gizmodo.com/senator-demands-fbi-director-explain-his-encryption-bac-1822400040

2. Strong encryption is vital to our future in tech (The Hill)
http://thehill.com/opinion/cybersecurity/370574-strong-encryption-is-vital-to-our-future-in-tech

------------------------------

Date: Thu, 25 Jan 2018 13:37:44 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Waze navigation app sends US driver into lake (The Times of Israel)

Jeep in Vermont directed onto boat ramp and onto ice-covered Lake Champlain, where it eventually sinks; driver and passengers unharmed.

https://www.timesofisrael.com/waze-sends-us-driver-into-lake/

Google, the Internet giant that bought Waze from the Israeli firm that developed it, could not explain how the app directed the driver into the lake. Waze maps are updated with millions of edits to adapt to real time road conditions daily, often making them the most accurate available, Google spokesperson Julie Mossler told *USA Today*. Mossler sagely advised drivers to keep their eyes on the road and use all environmental information available to them to make the best decisions as they drive.

GPS needs the useful Hill Street Blues exhortation, "Let's be careful out there".

------------------------------

Date: Thu, 1 Feb 2018 20:28:42 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Eyesight Technologies Will Watch You Drive, and That's a Good Thing (IEEE Spectrum)

https://spectrum.ieee.org/cars-that-think/transportation/self-driving/eyesight-will-watch-you-drive-and-thats-a-good-thing

The risk? My car thinks it knows what I'm thinking.
------------------------------

Date: Thu, 1 Feb 2018 20:34:46 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Self-Driving Cars Have a Secret Weapon: Remote Control (WiReD)

"Usually we don't do this during rush hour," says Ben Shukman. He's driving a Lincoln MKZ sedan, trying to exit a gas station driveway and cross four lanes of traffic so he can make a left at the light 20 yards ahead. It's 5pm in Palo Alto, and Silicon Valley commuters are crawling home, leaving few gaps between the cars. Finally, the car in the closest lane stops, leaving a space for him. The car in the next lane over does too. Shukman slides in and makes the left.

"Good job, Ben," says Shai Magzimof, giving a wave of thanks to those gracious humans. He's sitting in the driver's seat, while, in a garage miles away, Shukman controls the Lincoln from the kind of setup you'd find in the bedroom of a too-serious fan of racing video games. And he's showing off the type of remote-control capability that every major player in the nascent world of robotic driving will end up relying on (at least for now) in some form or other.

https://www.wired.com/story/phantom-teleops/

The risk? Outsourcing and offshoring remote control to third-world call centers.

------------------------------

Date: Fri, 26 Jan 2018 11:30:15 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Facebook AI spam detector lacks autoreview

11:16:00 We removed this post because it looks like spam to us. If you did post this and don't believe it's spam, you can let us know.

11:16:10 Thanks for letting us know about this post. We'll try to take another look to check if it goes against our Community Standards and send you a message here in your Support Inbox if we have an update.

11:16:11 Thanks again for letting us know about this post. We took another look and found it doesn't go against our Community Standards, so we've restored your post. We're sorry for the trouble and appreciate you taking the time to get in touch with us so that we could correct this.

11:16:12 How was this experience? Bad.

11:16:13 What went wrong? How could it be better?

Why not have the AI program autoreview it itself? Then it wouldn't even need to bother the user.

------------------------------

Date: Sun, 4 Feb 2018 12:57:47 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why cops won't need a warrant to pull the data off your autonomous car

I've been saying for ages. Even beyond the remote control capabilities that law enforcement and governments will demand, the video and other data collected by robocars are already making law enforcement salivate.

It's not just Waymo that doesn't like talking about these aspects of robocars. Nobody in the industry wants the public thinking about these aspects.

------------------------------

Date: Sat, 3 Feb 2018 11:07:25 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: WHATIS Going to Happen With WHOIS? (Motherboard)

via NNSquad
https://motherboard.vice.com/en_us/article/vbpgga/whois-gdpr-europe-icann-registrar

In May, the European Union's General Data Protection Regulation (GDPR) will officially go into effect. The GDPR is ostensibly a law to protect the privacy of European citizens when it comes to how Internet megacorporations like Google and Facebook handle their data. But the privacy regulations also come with some secondary effects whose influence extends far beyond the borders of the EU and ironically may actually serve to undermine the security of Internet users, rather than protect them.

This situation is total bull. You want a domain name? You should be publicly and fully identified, unless you can present some compelling case of why doing so would be dangerous to you. Otherwise, it should be like a business license or other public record. I'm tired of spammers, phishers, and other goddamned crooks hiding under the hypocrisy of "privacy" -- and the EU is now complicit in those crimes.

------------------------------

Date: Tue, 30 Jan 2018 13:00:48 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "How Strava's "anonymized" fitness tracking data spilled government secrets" (Jack Whittaker)

Jack Whittaker for Zero Day, 29 Jan 2018
http://www.zdnet.com/article/strava-anonymized-fitness-tracking-data-government-opsec/

How Strava's "anonymized" fitness tracking data spilled government secrets

Analysis: Strava may "anonymize" the user, but that isn't helpful when that user inadvertently reveals the location of sensitive government facilities.

opening text:

Remember when you said you have "nothing to hide?" It turns out you do.

If it's not an affair you're hiding from your spouse, it's your highly classified place of work that's now painted in precise detail on a map for anyone to see.

That's exactly what happened when Strava, a widely used app for tracking activity and exercise, released an "anonymized" heatmap of all its global data in November. The map only came to light this weekend after Australian student Nathan Ruser started digging into the data.

With over 3 trillion coordinates at the street level from over 27 million fitness device users, like Fitbit and Jawbone, the GPS tracking company mapped out its aggregated data over the past two years of activity to reveal some of the most visited areas.

Predictably, high population areas -- like most of the US and Europe -- are brightly lit up. That same data also illuminated a scattering of little-known locations in war zones, where US secret facilities and military bases have operations and personnel -- presumably because soldiers and staff are unknowingly uploading their fitness tracking data to Strava.

The news has prompted US-led coalition forces to reevaluate their use of fitness trackers, amid fears that enemy forces could use the data to locate troops on the ground, according to a statement obtained by the Washington Post.

------------------------------

Date: Mon, 29 Jan 2018 05:28:00 -0700
From: Bob Gezelter <gezelter () rlgsc com>
Subject: Personal Trackers expose Aggregated Personal and Group Data

Several years ago, I took note in my blog (article at http://www.rlgsc.com/blog/ruminations/micro-blogging-and-personal-information.html) of the potential security hazards of micro-blogging details about one's life.

MSN and the Washington Post have reported that the use of personal trackers by military personnel is disclosing information about their presence and life patterns, including information about sensitive locations.

This is a serious security hazard, and not just for military personnel. Detailed information about life patterns is of use to a wide range of actors, more than a few of which are not friends.

The report has appeared on MSN at:
https://www.msn.com/en-au/news/world/us-soldiers-are-revealing-sensitive-and-dangerous-information-by-jogging/ar-BBImwt5

The Washington Post published a similar article.

------------------------------

Date: Wed, 07 Feb 2018 09:26:32 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Disney faces privacy complaint over children's apps" (Corinne Reichert)

Corinne Reichert, ZDnet, 10 Aug 2017
http://www.zdnet.com/article/disney-faces-privacy-complaint-over-childrens-apps/

The class-action complaint alleges Disney's smartphone game apps have been collecting personally identifiable information about young users without the consent of their parents for the purpose of targeted advertising.
opening text:

A United States class action complaint against the Walt Disney Company has alleged that it is collecting personally identifying information via a series of children's smartphone apps "for future commercial exploitation" in contravention of the Children's Online Privacy Protection Act (COPPA).

------------------------------

Date: Mon, 22 Jan 2018 20:44:24 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: IoT fun -- Don't Rely on Your Smart Speaker as Your Only Alarm Clock (Lifehacker)

https://lifehacker.com/dont-rely-on-your-smart-speaker-as-your-only-alarm-cloc-1822238074

Alarm clock relying on network connectivity -- what could go wrong? Who cares, let's connect everything...

------------------------------

Date: Tue, 23 Jan 2018 14:59:48 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: More Than Half of Adult Americans Were Victims of Cybercrime in 2017 (TRK)

Mountain View CA. More than half the U.S. adult population was a victim of cybercrime last year, according to a new study by *Norton*. All told, 143 million Americans lost a total of $19.4 billion, as well as an average of 19.8 hours dealing with the aftermath.

Globally, cybercrime victims tended to use the same password across multiple accounts or share it with others. What's more, 39% of victims said they gained trust in their ability to protect their data and personal information from future attacks, and 33% believed they had a low risk of becoming a cybercrime victim.

Despite a steady stream of cybercrime sprees reported by media, too many people appear to feel invincible and skip taking even basic precautions to protect themselves, said *Fran Rosch*, the executive vice president of Symantec's consumer business unit. This disconnect highlights the need for consumer digital safety and the urgency for consumers to get back to basics when it comes to doing their part to prevent cybercrime.

Forty-six percent of U.S. cybercrime victims owned a smart device for streaming content, compared with about one quarter of non-victims. They were also three times as likely to own a connected home device.

<http://trk.cp20.com/click/m8rxu-dcnhra-7fgw0x85/>
<http://trk.cp20.com/click/m8rxu-dcnhrb-7fgw0x86/> (Full report)

*Fuzzy numbers, fuzzy math? I didn't read full report, but buried in last graf:*

How We Define Cybercrime

The definition of cybercrime continues to evolve as avenues open up that allow cybercriminals to target consumers in new ways. Each year, we will evaluate current cybercrime trends and update the report's methodology as needed, to ensure the Norton Cyber Security Insights Report provides an accurate snapshot of the impact of cybercrime as it stands today. In the 2017 Norton Cyber Security Insights Report, a cybercrime is defined as, but not limited to, a number of specific actions, including identity theft, credit card fraud or having your account password compromised. For the purposes of this report, a cybercrime victim is a survey respondent who confirmed one or more of these incidents took place. Visit https://www.symantec.com/about/newsroom/press-kits to learn more.

...which doesn't say what sort of account password had to be compromised to be a cybercrime. I've been alerted that some accounts were likely compromised but since they were inconsequential and didn't share passwords with anything else, I needed and took no corrective action. So I might be counted as a victim, I didn't spend a second -- let alone the alleged 19.8 hours -- doing repairs. And summary doesn't explain how they reached conclusion of $172B losses.

------------------------------

Date: Fri, 26 Jan 2018 15:11:22 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: ICE can now track anyone's car in almost real-time (Think Progress)

The system raises serious questions about civil liberties, not just for undocumented immigrants but for all Americans.

https://thinkprogress.org/license-plate-tracking-ice-system-bd76f18f676e/

------------------------------

Date: Tue, 23 Jan 2018 18:05:21 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Terrorists Could Use Teslas to Kill Us (The Weekly Standard)

Long, interesting.
http://www.weeklystandard.com/terrorists-could-use-teslas-to-kill-us/article/2011171

Scariest I heard on this topic was at an industry meeting, automotive manufacturers happily looking forward to pushing software updates/patches overnight to parked cars. I asked whether they'd ever had a bad PC patch cause problems. Yes, but...

------------------------------

Date: Thu, 1 Feb 2018 10:03:50 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: A motorcyclist is suing GM after crashing into its self-driving car (PopSci)

https://www.popsci.com/self-driving-car-crashes-blame-game

Again, a self-driving car gets into a situation any human driver could (and should) deal with without causing an accident. The automaton was following all the rules, and it seems that in this case the motorcyclist was a bit out of line; this may satisfy the lawyers, but engineers should be expected to build systems which work in the real world.

The bottom line is: Are we really sure automatic cars are already able to be let out on the road on their own?

------------------------------

Date: Thu, 01 Feb 2018 10:26:42 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: robots.txt vs. noindex (Google)

https://support.google.com/webmasters/answer/93710

"Important! For the noindex meta tag to be effective, the page must not be blocked by a robots.txt file. If the page is blocked by a robots.txt file, the crawler will never see the noindex tag, and the page can still appear in search results, for example if other pages link to it."

I wonder what an analogy in human terms might be. "If you put a Do Not Disturb sign on your door, you still have to leave it open so I can ask you if I can disturb you." Something like that.
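  [The Google caveat quoted above, rendered as a toy crawler. This is an added editorial example, not Google's code and not part of Dan Jacobson's post. The host name example.test, the three pages and both robots.txt files are constructed for the example. The crawler consults robots.txt before every fetch, and only parses a robots meta tag on pages it was allowed to download, which is why a page that is both disallowed and marked noindex ends up flagged as still indexable from the pages that link to it. PGN]

```python
"""Toy crawler showing why robots.txt hides a noindex tag from the crawler.

Added example; the site (example.test), its pages and robots.txt are constructed.
"""
from html.parser import HTMLParser
from urllib import robotparser

SITE = "https://example.test"  # constructed host name

# Constructed site: path -> HTML. /private/report.html carries noindex but
# is also blocked by robots.txt; /public/hidden.html carries noindex and is
# not blocked; /public/index.html links to both.
PAGES = {
    "/public/index.html": (
        '<html><body><a href="/private/report.html">report</a> '
        '<a href="/public/hidden.html">hidden</a></body></html>'
    ),
    "/private/report.html": (
        '<html><head><meta name="robots" content="noindex"></head>'
        "<body>not for search engines</body></html>"
    ),
    "/public/hidden.html": (
        '<html><head><meta name="robots" content="noindex"></head>'
        "<body>also not for search engines</body></html>"
    ),
}

BLOCKING_ROBOTS_TXT = "User-agent: *\nDisallow: /private/\n"
OPEN_ROBOTS_TXT = "User-agent: *\nDisallow:\n"  # empty Disallow = allow all


class RobotsMetaParser(HTMLParser):
    """Collect robots meta directives and outgoing links from one page."""

    def __init__(self):
        super().__init__()
        self.directives = set()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.directives.update(
                d.strip().lower() for d in (a.get("content") or "").split(",")
            )
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def crawl(robots_txt, pages, start, agent="*"):
    """Breadth-first crawl from `start` honouring robots.txt.

    Returns {path: verdict} where verdict is one of
      'indexed'             fetched, no noindex directive found
      'noindex'             fetched, noindex directive honoured
      'indexable-via-links' URL discovered from a link but never fetched
                            because robots.txt disallows it, so any noindex
                            tag on it is never seen; the URL itself can
                            still be indexed from the linking pages.
    """
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    rp.modified()  # mark the rules as loaded so can_fetch() evaluates them
    verdicts, queue, seen = {}, [start], {start}
    while queue:
        path = queue.pop(0)
        if not rp.can_fetch(agent, SITE + path):
            verdicts[path] = "indexable-via-links"
            continue  # body never downloaded, meta tag never parsed
        p = RobotsMetaParser()
        p.feed(pages.get(path, ""))
        verdicts[path] = "noindex" if "noindex" in p.directives else "indexed"
        for link in p.links:
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return verdicts


if __name__ == "__main__":
    for label, robots in (("blocked", BLOCKING_ROBOTS_TXT), ("open", OPEN_ROBOTS_TXT)):
        print(label, crawl(robots, PAGES, "/public/index.html"))
```

  [With the blocking robots.txt, /public/hidden.html comes back as noindex and /private/report.html as indexable-via-links; with the open robots.txt both come back as noindex. The fix Google's note implies is the one the second run shows: let the crawler fetch the page so it can read the directive, or use an HTTP-level control such as authentication if the content itself must not be fetched. PGN]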
------------------------------

Date: Wed, 07 Feb 2018 09:09:58 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "3 leaked NSA exploits work on all Windows versions since Windows 2000" (CSO Online)

https://www.csoonline.com/article/3253247/security/3-leaked-nsa-exploits-work-on-all-windows-versions-since-windows-2000.html
Ms. Smith [pseudonym], CSO, 5 Feb 2018

The EternalSynergy, EternalRomance, and EternalChampion exploits have been reworked to work on all vulnerable Windows versions: Windows 2000 -- Server 2016.

[selected text]

Oh, good, three NSA exploits previously leaked by The Shadow Brokers have been tweaked so they now work on all vulnerable Windows 2000 through Server 2016 targets, as well as standard and workstation counterparts.

The reworked NSA exploits work on all unpatched versions, 32-bit and 64-bit architectures, of Windows since 2000. Dillon included this list of supported versions of Windows that can be exploited:

[snipped list of 43 items]

------------------------------

Date: Tue, 30 Jan 2018 18:42:15 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: 'Jackpotting' hackers steal over $1 million from ATMs across U.S. (Reuters)

https://www.reuters.com/article/us-usa-cyber-atm/jackpotting-hackers-steal-over-1-million-from-atms-across-u-s-secret-service-id

I'm not sure this is real and/or current; they mention that many ATMs still run Windows XP, and the Secret Service recommends to *upgrade* to Windows 7!

------------------------------

Date: Thu, 8 Feb 2018 10:17:47 -0500
From: Monty Solomon <monty () roscom com>
Subject: Feds drop hammer on massive "carder" ring that caused $530 million in losses (Ars Technica)

Infraud is the biggest online fraud enterprise ever prosecuted by US prosecutors.
https://arstechnica.com/information-technology/2018/02/feds-drop-hammer-on-massive-carder-ring-that-caused-530-million-in-losses/

------------------------------

Date: January 25, 2018 at 7:43:06 PM EST
From: Richard Forno <rforno () infowarrior org>
Subject: Blockchain Stocks Collapse by 40% to 90% (Wolfstreet)

The music is slowing down on this stock manipulation scam....
https://wolfstreet.com/2018/01/25/the-40-to-90-collapse-of-blockchain-stocks/

------------------------------

Date: Thu, Jan 25, 2018 at 12:46 PM
From: Charley Kline <csk () mail com>
Subject: Bitcoin price manipulation (TechCrunch)

Researchers find that one person likely drove Bitcoin from $150 to $1,000.
https://techcrunch.com/2018/01/15/researchers-finds-that-one-person-likely-drove-bitcoin-from-150-to-1000/

Researchers Neil Gandal, JT Hamrick, Tyler Moore, and Tali Oberman have written a fascinating paper on Bitcoin price manipulation. Entitled Price Manipulation in the Bitcoin Ecosystem, and appearing in the recent issue of the Journal of Monetary Economics, the paper describes to what degree the Bitcoin ecosystem is controlled by bad actors.

See also: http://www.tetherreport.com/

* Author's opinion - it is highly unlikely that Tether is growing through any organic business process, rather that they are printing in response to market conditions.
* Tether printing moves the market appreciably; 48.8% of BTC's price rise in the period studied occurred in the two-hour periods following the arrival of 91 different Tether grants to the Bitfinex wallet.
* Bitfinex withdrawal/deposit statistics are unusual and would give rise to further scrutiny in a typical accounting environment.
* If there is questionable activity, the author believes a 30-80% reduction in BTC price could be forecast.

PS - Tether printed another $100M yesterday, adding to this record:
https://twitter.com/Silver_Watchdog/status/955327588284612608

  "Tether Net Annual Issuance
   2014 $100
   2015 $951,550
   2016 $9,000,000
   2017 $1,405,047,515
   2018 $750,000,000"

PPS - Nicholas Weaver tweets:
https://twitter.com/ncweaver/status/954033664601473026

  "At current prices, net new Bitcoin requires $18M of net new $ flowing in to maintain the price. Yet there is a net $100M/day of fake $s in the form of Tethers... If that Tether printing press ever breaks, there will be a true bloodbath on the cryptocurrency prices. Good."

Nouriel Roubini responds:
https://twitter.com/Nouriel/status/956482056254455809

  "Indeed Tether/USDT used to manipulate Bitcoin prices. Without this scam Bitcoin price would collapse by 80%. Regulators asleep at the wheel while $2 billion of fake $ created via this scam, half of it since December. Not even North Korea created so many fake $ backed by nothing"

------------------------------

Date: Sat, 27 Jan 2018 12:44:51 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Coincheck Says It Lost Crypto Coins Valued at About $400M (Bloomberg)

Via NNSquad
https://www.bloomberg.com/news/articles/2018-01-26/cryptocurrencies-drop-after-japanese-exchange-halts-withdrawals

The disclosure that one of Japan's biggest cryptocurrency exchanges lost about $400 million in NEM tokens is spooking investors in a country still wary of such venues four years after the collapse of Mt. Gox.

------------------------------

Date: Thu, 1 Feb 2018 20:20:37 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bitcoin payments used to unmask dark web users (Naked Security)

Researchers have discovered a way of identifying those who bought or sold goods on the dark web, by forensically connecting them to Bitcoin transactions.

https://nakedsecurity.sophos.com/2018/01/31/bitcoin-payments-used-to-unmask-dark-web-users/

Mmmm, tasty data.
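  [How "forensically connecting" a person to a dark-web payment works in practice, as an added editorial example that is not from the Naked Security article, the underlying research, or Gabe's post. It applies the standard common-input-ownership heuristic (all inputs of one transaction are assumed to be spent by the same wallet) to a constructed transaction graph, then looks for payments from the cluster containing an address someone posted on a public profile to the cluster containing an address a hidden service advertised. Every transaction id, address, @alice, @bob and market.onion below is made up; the page does not say which heuristics the cited researchers used. PGN]

```python
"""Linking a public Bitcoin address to a dark-web payment via the transaction graph.

Added example. The transactions, addresses and identities below are
constructed; the linking step is the standard common-input-ownership
heuristic (all inputs of one transaction are assumed to be spent by one
wallet), one of the techniques used in blockchain forensics. The page does
not say exactly which methods the cited researchers used.
"""

# Constructed transaction graph: txid -> (input addresses, output addresses).
TXS = {
    "tx1": (["A1", "A4"], ["A5"]),        # A1 (posted publicly) spent with A4
    "tx2": (["A4", "A6"], ["M1", "A7"]),  # same wallet pays market address M1
    "tx3": (["B1"], ["B2"]),              # unrelated user, never pays M1
    "tx4": (["M1", "M2"], ["V1"]),        # market sweeps deposits to V1
}

# Constructed identity sources: an address a user posted on a public profile,
# and an address a hidden service advertised for payments.
PUBLIC_ADDRS = {"@alice": "A1", "@bob": "B1"}
HIDDEN_ADDRS = {"market.onion": "M1"}


class UnionFind:
    """Minimal disjoint-set structure keyed by address."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs, heuristic=True):
    """Map every address to a cluster representative.

    With heuristic=True, all inputs of one transaction are merged into one
    cluster (common-input-ownership). With heuristic=False every address is
    its own cluster, i.e. no wallet inference at all.
    """
    uf = UnionFind()
    for inputs, outputs in txs.values():
        if heuristic:
            for addr in inputs[1:]:
                uf.union(inputs[0], addr)
        for addr in inputs + outputs:
            uf.find(addr)  # register singletons too
    return {addr: uf.find(addr) for addr in uf.parent}


def payments_between(txs, clusters, src_cluster, dst_cluster):
    """Transactions funded by src_cluster that pay an address in dst_cluster."""
    return sorted(
        txid
        for txid, (inputs, outputs) in txs.items()
        if any(clusters[a] == src_cluster for a in inputs)
        and any(clusters[a] == dst_cluster for a in outputs)
    )


def link_identities(txs, public_addrs, hidden_addrs, heuristic=True):
    """Return {(public identity, hidden service): [txids]} for every pair
    whose wallets are connected by a direct payment."""
    clusters = cluster_addresses(txs, heuristic)
    links = {}
    for who, paddr in public_addrs.items():
        for svc, haddr in hidden_addrs.items():
            hits = payments_between(txs, clusters, clusters[paddr], clusters[haddr])
            if hits:
                links[(who, svc)] = hits
    return links


if __name__ == "__main__":
    print("with clustering:   ", link_identities(TXS, PUBLIC_ADDRS, HIDDEN_ADDRS))
    print("without clustering:", link_identities(TXS, PUBLIC_ADDRS, HIDDEN_ADDRS, heuristic=False))
```

  [The point of the two runs: the address @alice posted never pays the market directly, so address-by-address matching finds nothing; it is the single co-spend in tx1 that folds A1 and A4 into one wallet and exposes tx2. That is also the practical caveat: a public address only has to share one transaction's inputs with the rest of a wallet for everything that wallet later does to become attributable. PGN]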
------------------------------ Date: Sat, 3 Feb 2018 12:15:58 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Bitcoin: Dumb Crypto Criminal Botches Kidnapping (Fortune) It was a high tech caper, involving a fake Uber and a $1.8 million digital currency heist, but it was old-fashioned stupidity that led Louis Meza to get caught. Meza not only bungled a kidnapping but made a major mistake that helped cops recover the loot. http://fortune.com/2018/02/01/bitcoin-kidnapping-cryptocurrenccy/ Risks? Bragging about assets. Letting a "business associate" insistently arrange your travel. Being an idiot crook (high-tech version of writing bank robbery note on your own deposit slip). ------------------------------ Date: Wed, 7 Feb 2018 23:01:01 -0500 From: Monty Solomon <monty () roscom com> Subject: As Bitcoin Bubble Loses Air, Frauds and Flaws Rise to Surface (NYTimes) https://www.nytimes.com/2018/02/05/technology/virtual-currency-regulation.html Hackers draining online exchanges. Ponzi schemes. Regulators unable to keep up with heightened interest in virtual currencies. A young industry's problems have become clearer in recent weeks. 
------------------------------ Date: Fri, 9 Feb 2018 23:27:07 +0000 From: Li Gong <li.gong () sri com> Subject: Russian nuclear scientists arrested for 'Bitcoin mining plot' (BBC) http//www.bbc.com/news/world-europe-43003740 ------------------------------ Date: Fri, 26 Jan 2018 17:34:03 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign (Catalin Cimpanu) Catalin Cimpanu, Bleeping Computer, 26 Jan 2018 https://www.bleepingcomputer.com/news/security/crooks-created-28-fake-ad-agencies-to-disguise-massive-malvertising-campaign/ A group of cyber-criminals created 28 fake ad agencies and bought over 1 billion ad views in 2017, which they used to deliver malicious ads that redirected unsuspecting users to tech support scams or sneaky pages peddling malware-laden software updates or software installers. The entire operation --codenamed Zirconium-- appears to have started in February 2017, when the group started creating the fake ad agencies which later bought ad views from larger ad platforms. ------------------------------ Date: Sat, 27 Jan 2018 11:39:40 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: The Fake-Follower Factory (NYTimes) via NNSquad https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html Celebrities, athletes, pundits and politicians are buying millions of fake followers. ------------------------------ Date: Sat, 27 Jan 2018 10:52:09 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: British Teen Accessed U.S. Middle East Intelligence Ops by Pretending to be CIA Director (Newsweek) via NNSquad http://www.newsweek.com/british-teen-accessed-top-secret-us-middle-east-ops-pretending-be-cia-director-786031 A British teenager managed to obtain access to sensitive U.S. plans about intelligence operations in different Middle East countries by acting as former CIA Director John Brennan, a court heard on Friday. 
Kane Gamble, 18, researched Brennan and used the information he gathered to speak to an Internet company and persuade call handlers to give him access to the spy chief's email inbox in 2015. He pretended to be both a Verizon employee and Brennan to access Brennan's Internet account. [Also spotted by Gabe Goldberg. PGN] ------------------------------ Date: Fri, 26 Jan 2018 12:40:53 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Bug Bounty Programs Are Paying Off for Hackers, HackerOne Finds (EWeek) http://www.eweek.com/security/bug-bounty-hackers-make-more-money-than-average-salaries-report-finds The risk? Material like this presented as annoying slide shows people won't bother reading. ------------------------------ Date: Fri, 26 Jan 2018 15:09:30 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Want to see all data Windows 10 sends Microsoft? There's an app for that (Ars Technica) Following the publication last year of the data collected by Windows 10's built-in telemetry and diagnostic tracking, Microsoft today announced that the next major Windows 10 update, due around March or April, will support a new app, the Windows Diagnostic Data Viewer, that will allow Windows users to browse and inspect the data that the system has collected. Windows 10 has two settings for its data collection, "basic" and "full." The documentation last year described all the data collected in the "basic" setting but only gave a broad outline of the kinds of things that the "full" setting collected. The new app will show users precisely what the full setting entails and a comparison with what would be sent with the basic setting. https://arstechnica.com/gadgets/2018/01/want-to-see-all-data-windows-10-sends-microsoft-theres-an-app-for-that/ ------------------------------ Date: Wed, 24 Jan 2018 14:27:20 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Can AI predict when that new hire will quit?" 
(Terena Bell) Terena Bell, CIA.COM https://www.cio.com/article/3249746/hiring-and-staffing/can-ai-predict-when-that-new-hire-will-quit.html New pattern matching tech takes aim at predicting how long new hires will stay, potentially saving employers billions per year. But has AI really cracked the code on employee retention? CIO, 24 Jan 2018 interesting quote: Polli says, "Maybe 50 years ago, jobs were more similar across different companies. Potentially, the world was less complex. But I think nowadays there's just so much variability in what someone would call any given role that I think it's hard to just say, 'Oh, look for these three things and you're all set.'" But looking for key traits is exactly what her company does. When this reporter took Pymetrics' tests, I scored high in "risk preference for high risks," "risk preference for low risks," and "planning speed." My results listed these as negative traits for an entrepreneur, predicting I only had a 6 percent chance of making it as one for more than a year: I'm a two-time tech founder who sold her first company for a multiple of revenue after running it nine years. And speaking as a tech founder, these so-called negative traits helped me do my job. I can see all too easily questionable models being used in hiring. I already see questionnaires when applying for some jobs that have many ambiguous questions and when I have asked, I have been told to fill it out the best I can. Turning AI loose in the area has the potential to be much worse. ------------------------------ Date: Thu, 18 Jan 2018 15:02:48 -0800 From: Henry Baker <hbaker1 () pipeline com> Subject: First, We Kill All the Lawsuits "First, we kill all the lawsuits." -- Apologies to W. Shakespeare States -- including California -- are falling all over one another to lead the country in boosting autonomous vehicles, perhaps to prove that they welcome investments in building factories. 
But the first order of business -- other than obtaining financial subsidies -- seems to be securing "safe harbors" against "frivolous" lawsuits that might arise out of unpleasantness caused by less-than-optimal autonomous vehicle behaviors. Now I'm not a big fan of class-action ambulance chasers, but in the application of a new technology, tort law may be the only protection society has against egregious and negligent behavior by greedy "unicorns". Unfortunately, we are systematically disconnecting the backup system of tort law BEFORE the primary system of regulation has been installed and activated. Not that this behavior is at all new. Theodore Vail -- as CEO of ATT -- made a deal with society that ATT would be shielded from all kinds of lawsuits in return for being heavily regulated as a monopoly. More recently, the drug industry is shielded from litigation, as responsibility was shifted to the FDA for drug regulation. But we must not put the hearse before the autonomous cart. https://www.wired.com/story/california-self-driving-car-laws/ http://beta.latimes.com/politics/la-pol-ca-new-driverless-car-regulations-20171114-story.html https://www.nytimes.com/2017/05/21/technology/pittsburgh-ubers-driverless-car-experiment.html PITTSBURGH -- When Uber picked this former Rust Belt town as the inaugural city for its driverless car experiment, Pittsburgh played the consummate host. "You can either put up red tape or roll out the red carpet," Bill Peduto, the mayor of Pittsburgh, said in September. "If you want to be a 21st-century laboratory for technology, you put out the carpet." 
------------------------------ Date: Tue, 06 Feb 2018 09:54:04 -0800 From: Gene Wirchenko <genew () telus net> Subject: "In spite of military assurances, autonomous weapon research speeds ahead" (Greg Nichols) Greg Nichols for Robotics, ZDnet, 6 Feb 2018 http://www.zdnet.com/article/in-spite-of-military-assurances-autonomous-weapon-research-speeds-ahead/ In spite of military assurances, autonomous weapon research speeds ahead The US Army has successfully paired autonomous vehicles with robotic weapons. Autonomous vehicles are coming to roads near you. If the US Army has its way, battlefields will be next. Under a program nicknamed "Wingman," the Army just announced it is range testing autonomous vehicles equipped with robotic weapons systems. So far, engineers have managed to successfully destroy targets with a self-driving Humvee equipped with an onboard autonomous 7.62 mm weapon system. The three-year program officially began last year, and it seems to be progressing quickly. "You're not going to have these systems go out there like in 'The Terminator'," Thomas B. Udvare, deputy chief of the program, told the Army News Service. "For the foreseeable future, you will always have a Soldier in the loop." Nice to hear. But there's something a little spooky about the Army insisting humans will remain in the loop while engineers are rushing ahead with weapons systems clearly designed for autonomous use. ------------------------------ Date: Thu, 1 Feb 2018 20:46:58 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Ford Patents Autonomous Robocop Police Car That Can Give Out Tickets (Tech Times) Ford has filed a patent for an autonomous Robocop police car, which aims to catch traffic law violators. Ford's autonomous police car will use machine learning tools to take action and catch those who break the speed limit or run red lights and issue tickets remotely. Taking in information, the robot car can determine what law was violated and take action. 
http://www.techtimes.com/articles/219756/20180130/ford-patents-autonomous-robocop-police-car-that-can-give-out-tickets.htm The risk? Taking this seriously? ------------------------------ Date: Sat, 20 Jan 2018 11:31:48 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: British 15-year-old gained intelligence info (The Telegraph) http://www.telegraph.co.uk/news/2018/01/19/british-15-year-old-gained-access-intelligence-operations-afghanistan/ ------------------------------ Date: Mon, 22 Jan 2018 23:11:39 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Majority of employees in US unaware of GDPR mandate (DXC) https://blogs.dxc.technology/2018/01/22/majority-of-employees-in-us-unaware-of-gdpr-mandates/ ------------------------------ Date: Sun, 28 Jan 2018 02:34:56 +0800 From: Dan Jacobson <jidanni () jidanni org> Subject: Enter all identifying numbers as single text string without formatting FinancialCrimes EnforcementNetwork: BSA Electronic Filing Requirements For Report of Foreign Bank and Financial Accounts (FinCEN Form 114): "Identifying numbers: Enter all identifying numbers as a single text string without formatting or special characters such as hyphens or periods. An identifying number in the format NNNNN- NNNN would be entered as NNNNNNNNN." OK, but sometimes 123-45 is different than 12-345... ------------------------------ Date: Wed, 31 Jan 2018 14:43:30 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Exclusive: Mattis seeking to ban cell phones from Pentagon (CNNPolitics) https://www.cnn.com/2018/01/31/politics/mattis-pentagon-cellphone-ban/index.html The risk? Too big a hammer hitting the wrong nail? ------------------------------ Date: Thu, 18 Jan 2018 20:43:14 +0000 From: Wols Lists <antlists () youngman org uk> Subject: Re: Vehicle Satellite Navigation (Drewe, RISKS-30.53) I suspect I know that flyover ... But I got bit by a very similar sort of issue. The Embankment in London was closed by roadworks a few days ago. 
So Google, detecting no traffic, thought it was the perfect route and was directing people to use it. Unfortunately, as the name implies, this runs alongside the Thames, so drivers' options for a diversion once they realised they were in a jam were extremely limited. I ended up going back to Westminster Bridge (I think it took me an hour to travel a net zero metres) before crossing south of the river and heading to my destination that way. Surely it's not beyond the wit of computer to realise that if ALL the vehicles you are directing down a certain road all divert off, that there's something wrong? Rather than, as at present, you send even more traffic that way to turn a jam into gridlock. ------------------------------ Date: Mon, 22 Jan 2018 21:34:54 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Not knowing Twitter credentials delayed Hawai'i "all clear" The Governor of Hawaii is declaring that the long delay in his sending out the "false alarm" message after an incoming missile alarm was triggered in error, was due to his not knowing his own Twitter credentials. He had to find his public communications spokesperson -- who normally ran his Twitter account -- in order to get an "all clear" note out on Twitter. Supposedly he now knows his own username and password. I wonder if he has 2-factor enabled? ------------------------------ Date: Thu, 25 Jan 2018 17:59:52 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: HI-EMA 'button pusher' refusing to cooperate with FCC, internal investigators (Star Advertiser) via NNSquad http://www.staradvertiser.com/2018/01/24/breaking-news/schatz-to-lead-hearing-on-alert-systems-in-wake-of-hawaii-blunder/ The Hawaii Emergency Management Agency "button pusher" who sent a bogus missile alert that triggered panic across the islands on Jan. 13 is not cooperating with either a Federal Communications Commission investigation nor two internal investigations. 
------------------------------ Date: Thu, 18 Jan 2018 14:00:21 -0800 From: Henry Baker <hbaker1 () pipeline com> Subject: Re: Hawaiian False Missile Alert Command Confirmation Bias Strikes Again (Gezelter, RISKS-30.53) One wonders if the President's nuclear football has a similar "Are you sure you want to destroy mankind? (y/n)" UX? Perhaps 2-factor authentication is warranted? "A numeric code has been sent via SMS to the cellphone buried in First Lady Melania's thoracic cavity. Please enter that 6 digit numeric code here ------ in order to proceed." Apologies to Roger Fisher: https://en.wikipedia.org/wiki/Roger_Fisher_(academic)#Preventing_nuclear_war ------------------------------ Date: 18 Jan 2018 17:01:53 -0500 From: "John Levine" <johnl () iecc com> Subject: Re: "LA-Tokyo flight turns back after passenger 'boards with wrong ticket'" (BBC) They're more than counters -- when they scan my boarding pass I can see that it shows my name and my seat number. Apparently the passenger did have a boarding pass for another flight so the obvious question is whether each scanner is supposed to accept bp's for a single flight, or all the scanners in the airport are the same and they'll all accept bp's for any flight and the staff are supposed to check that it's showing the right flight number. ------------------------------ Date: 18 Jan 2018 16:01:12 -0500 From: "John Levine" <johnl () iecc com> Subject: Re: Five copyright claims against youtube video of white noise Ahem. Patent and copyright are not the same thing. Independent creation, i.e., I made my white noise all by myself and not by listening to your white noise, is a complete defense to claims of copyright infringement. [Absolutely. TNX. PGN] By the way, the actual answer to the question about the prime number is no, since there is case law saying that copyright requires creativity, and the amount of work involved doesn't matter. The case involved copying phone-book white pages (remember them?) listings. 
[Incidentally, in that courts have ruled we cannot copyright our own genomes, "creativity" cannot be the sole factor. Cheers! PGN] ------------------------------ Date: Tue, 10 Jan 2017 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) <http://the.wiretapped.net/security/info/textfiles/risks-digest/> *** NOTE: If a cited URL fails, we do not try to update them. 
Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 30.54 ************************