RISKS Forum mailing list archives

Risks Digest 30.56


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 27 Feb 2018 17:30:41 PST

RISKS-LIST: Risks-Forum Digest  Tuesday 27 February 2018  Volume 30 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.56>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
To Stir Discord in 2016, Russians Turned Most Often to Facebook (NYT)
Russian election interference (PGN)
Russia hacked the Olympics and tried to make it look like North Korea did
  it (Vox)
Are Bots a Danger for Political Election Campaigns? (PGN)
The Myth of the Hacker-Proof Voting Machine (Kim Zetter)
Your Bitcoin or Your Life (Nathaniel Popper)
All but Banned in the U.S., Chinese Giant Huawei Is Welcomed in Britain
  (WSJ)
Drone collisions, close calls underscore growing risks for aircraft (WashPo)
BB&T Restores ATM Service, Online Banking Problem Persists (WSJ)
"Lawsuits threaten infosec research just when we need it most"
  (Zack Whittaker)
"Security firm Keeper sues news reporter over vulnerability story"
  (Zack Whittaker)
"Microsoft is distributing security patches through insecure HTTP links"
  (Woody Leonhard)
That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH.
  (The Register)
Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency
  (WiReD)
An old tax scam -- with a troubling new twist (WashPo)
"Maker of sneaky Mac adware sends security researcher cease-and-desist
  letters" (Zack Whittaker)
Tesla cloud resources are hacked to run cryptocurrency-mining malware
  (Ars Technica)
One-stop counterfeit certificate shops for all your malware-signing
  (Ars Technica)
US Border Patrol Hasn't Validated E-Passport Data For Years
  (Lily Hay Newman)
Facebook Shows Why SMS Isn't Ideal for Two-Factor Authentication
  (Tidbits)
Google Chrome Now Blocks Irksome Ads. That's a Good Thing, Right?
  (NYTimes)
Federal Judge Says Embedding a Tweet Can Be Copyright Infringement
  (EFF)
How a fight over Star Wars download codes could reshape copyright law
  (Ars Technica)
How Samsung moved beyond its exploding phones (Ars Technica)
"Fail-slow at scale: When the cloud stops working" (Robin Harris)
Apple Repair Center Barrages Sacramento's 911 Operators (CBS)
Convention registration leaks information (Medium via Arthur T)
Banking Nightmare: Chase Glitch Gives Online Access to Random People
  (Fly&Dine)
"iPhone explodes at Vietnamese hair salon, thankfully only injures Apple
  fans' pride" (RocketNews)
Cyberstalking via unsolicited anonymous Amazon deliveries (The Boston Globe)
The Car of the Future Will Sell Your Data (Bloomberg)
Don't blindly follow your GPS -- Sylvan Lake State Park staff offers
  winter route advice (Pam Boyd)
Before Hitting the Road, Self-Driving Cars Should Have to Pass a Driving
  Test (Scientific American)
Re: mystery deliveries from Amazon (Kelly Manning)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 17 Feb 2018 14:05:19 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: To Stir Discord in 2016, Russians Turned Most Often to Facebook
  (NYT)

Sheera Frenkel and Katie Benner, *The New York Times*, 17 Feb 2018, via NNSquad
http://www.nytimes.com/2018/02/17/technology/indictment-russian-tech-facebook.html

  In 2014, Russians working for a shadowy firm called the Internet Research
  Agency started gathering American followers in online groups focused on
  issues like religion and immigration. Around mid-2015, the Russians began
  buying digital ads to spread their messages. A year later, they tapped
  their followers to help organize political rallies across the United
  States.  Their digital instrument of choice for all of these actions?
  Facebook and its photo-sharing site Instagram.

------------------------------

Date: Sun, 18 Feb 2018 21:32:20 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Russian election interference

  [Perhaps it is time to once again dust off my mixed metaphor
  from the second crypto wars:

    Pandora's Cat is Out of the Barn,
    and the Genie Won't Go Back in the Closet.    PGN]

Here are the articles from *The New York Times* in this news cycle.

 0. INDICTMENT BARES RUSSIAN NETWORK TO TWIST 2016 VOTE,
    17 Jan 2018 (front page top lead, over [1] and [2])

 1. Scott Shane and Mark Mazzetti, Mueller Chronicles a Social Media War,
    17 Jan 2018

 2. Matt Apuzzo and Sharon LaFraniere, Sees `Unwitting' Ties to Trump Forces,
    17 Jan 2018

 3. Sheera Frenkel and Katie Benner, To Create Rifts, Russians Liked
    Facebook Most, 18 Jan 2018

 4. Peter Baker, Trump Quiet In a U.S. War On Meddling, 18 Jan 2018

 5. Neil MacFarquhar, Russian Trolls Were Sloppy, but U.S. Indictment Still
    `Points to the Kremlin', 18 Jan 2018

 6. David E. Sanger, In Trump Administration, A Sharp Divide Over Election
    Interference, 18 Jan 2018

 7. Scott Shane, How Russians Exploited Web to Tangle Vote, 19 Jan 2018

Long Live the Internet, for better and for worse!

------------------------------

Date: Sun, 25 Feb 2018 10:50:58 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Russia hacked the Olympics and tried to make it look like North
  Korea did it (Vox)

http://www.vox.com/world/2018/2/25/17050058/russia-hacked-olympics-pyeongchang-north-korea

  Russian military spies hacked hundreds of computers at the 2018 Olympic
  Games in South Korea -- and tried to make it look like North Korea was the
  culprit, according to a new report.  It is likely retaliation against the
  International Olympic Committee (IOC) for banning the Russian team from
  Olympics because of a widespread doping scheme it used to cheat in
  previous competitions.  The Washington Post's Ellen Nakashima reported on
  Saturday evening that the GRU, Russia's military intelligence agency,
  accessed as many as 300 Olympics-related computers earlier this month,
  according to two US officials.  To cover their tracks, and to pin any
  suspicions on North Korea, the hackers used North Korean IP addresses,
  among other tactics.

http://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html

------------------------------

Date: Wed, 21 Feb 2018 10:14:26 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Are Bots a Danger for Political Election Campaigns?

Friedrich-Alexander University Erlangen-Nurnberg (Germany) (02/19/18)

Researchers at Friedrich-Alexander University (FAU) in Germany have probed
the extent to which autonomous social bots were used on Twitter during
Japan's general elections in 2014.  The team analyzed more than 540,000
tweets using a corpus linguistics strategy so large volumes of text could be
examined, and found nearly 80 percent of the investigated tweets were
duplicates traced back to a total of 3,722 original tweets.  Five
proliferation patterns were uncovered, four of which were used by right-wing
activists, and one by users who acted similarly to bots.  FAU professor
Fabian Schafer says it seems as if social bots were widely used by
right-wing users, to give indirect online backing to Shinzo Abe's
nationalistic agenda.  "As a result, Abe's position was not only supported
by the conservative organizations of a group of users with close links to
the [Liberal Democratic Party] but also by the large...group of right-wing
Internet activists," Schafer notes.

------------------------------

Date: Fri, 23 Feb 2018 10:22:36 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Myth of the Hacker-Proof Voting Machine (Kim Zetter)

Kim Zetter, *The New York Times*, 21 Feb 2018

Election officials have insisted that machines can't be remotely compromised
because they're not connected to the Internet.  But security experts point
out crucial ways in which they are.

https://www.nytimes.com/2018/02/21/magazine/the-myth-of-the-hacker-proof-voting-machine.html

------------------------------

Date: Mon, 19 Feb 2018 12:01:57 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Your Bitcoin or Your Life (Nathaniel Popper)

Nathaniel Popper, *The New York Times*, 19 Feb 2018   [PGN-ed]
Bitcoin Thieves Threaten Real Violence for Virtual Currencies
Anonymity and soaring values have made virtual currencies an attractive
target for thieves.
http://www.nytimes.com/2018/02/18/technology/virtual-currency-extortion.html

The currency they were after was virtual, but the guns they carried were
anything but.

* In Phuket, Thailand, assailants forced a Russian man to transfer about
  $100K in Bitcoin to them.

* The head of a Ukrainian Bitcoin exchange was taken hostage and released
  only after a ransom of $1M in Bitcoin.

* A NYC man was held captive until he transferred $1.8M in Ether (Ethereum).

Other recent cases have taken place in Russia, Ukraine, Turkey, Canada,
Britain, and the U.S.

  [Bit-caveat Emptor]

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Sun, 25 Feb 2018 00:33:09 -0500
Subject: All but Banned in the U.S., Chinese Giant Huawei Is Welcomed in
  Britain (WSJ)

Britain's adoption of Huawei technology is widening a gulf between the U.S.
and allies over cybersecurity.

http://www.wsj.com/articles/huaweis-u-k-relationship-raises-u-s-concerns-1519416947

------------------------------

Date: Tue, 20 Feb 2018 19:32:30 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Drone collisions, close calls underscore growing risks for aircraft

The Washington Post, 17 Feb 2018
http://www.washingtonpost.com/politics/spate-of-drone-collisions-close-calls-underscore-growing-risks-for-aircraft/2018/02/17/4b630714-1433-11e8-8ea1-c1d91fcec3fe_story.html

------------------------------

Date: Fri, 23 Feb 2018 22:23:36 -0500
From: Monty Solomon <monty () roscom com>
Subject: BB&T Restores ATM Service, Online Banking Problem Persists (WSJ)

The North Carolina-based regional bank cited equipment malfunction at a data
center for the problems.

http://www.wsj.com/articles/bb-t-customers-locked-out-of-online-banking-atms-after-technical-issue-1519403905%3Fmod%3De2fb

------------------------------

Date: Mon, 19 Feb 2018 09:30:55 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Lawsuits threaten infosec research just when we need it most"
  (Zack Whittaker)

Zack Whittaker for Zero Day,  19 Feb 2018
http://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/

Security researchers and reporters have something in common: both hold the
powerful accountable.  But doing so has painted a target on their backs --
and looming threats of legal action and lawsuits have many concerned.

opening text:

NEW YORK, NY -- This year, two security reporters and one researcher will
fight for their professional lives in court.

Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin,
security editor at Ars Technica, were last year named defendants in two
separate lawsuits. The cases are different, but they have a common theme:
they are being sued by the companies covered in articles they wrote.

Although lawsuits targeting reporters, particularly on the security beat,
are rare, legal threats are an occupational hazard that reporters are all
too aware of -- from companies threatening to call an editor to demand a
correction -- or else -- to a full-blown lawsuit.

But the inevitable aftermath is a "chilling effect." White-hat hackers and
security researchers hesitate to report vulnerabilities and weaknesses to
technology firms for fear of facing legal retribution.

------------------------------

Date: Mon, 19 Feb 2018 09:29:02 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Security firm Keeper sues news reporter over vulnerability story"

Zack Whittaker for Zero Day, 20 Dec 2017
http://www.zdnet.com/article/security-firm-keeper-sues-news-reporter-over-vulnerability-story/

The vulnerability was fixed, but Keeper now demands that the allegedly
defamatory article is pulled offline.

selected text:

Keeper, a password manager software maker, has filed a lawsuit against a
news reporter and its publication after a story was posted reporting a
vulnerability disclosure.

Dan Goodin, security editor at Ars Technica, was named defendant in a suit
filed Tuesday by Chicago-based Keeper Security, which accused Goodin of
"false and misleading statements" about the company's password manager.

The bug has since been fixed, according to Ormandy's follow-up note, which
triggered the release of the report. Goodin's story was amended twice, which
was noted in the story's footer.

Keeper confirmed the bug was fixed in its own blog post, which said "no
customers were adversely affected by this potential vulnerability."

Several security experts and researchers on Twitter decried the lawsuit.

"This is bullying and Goodin is [definitely] def in the top 1 percent [of]
knowledgeable journalists," said Matthieu Suiche, founder of Comae
Technologies, a Dubai-based security firm, in a tweet.

------------------------------

Date: Mon, 19 Feb 2018 08:45:26 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft is distributing security patches through insecure HTTP
  links" (Woody Leonhard)

Woody Leonhard, Computerworld, 16 Feb 2018
http://www.computerworld.com/article/3256304/microsoft-windows/microsoft-is-distributing-security-patches-through-insecure-http-links.html
Microsoft is distributing security patches through insecure HTTP links
Stefan Kanthak, reporting on the Bugtraq mailing list, shows how Microsoft's
own security patch download links are based on HTTP, not HTTPS.

------------------------------

Date: Sun, 18 Feb 2018 11:15:08 -0500
From: Monty Solomon <monty () roscom com>
Subject: That terrifying 'unfixable' Microsoft Skype security flaw:
  THE TRUTH. (The Register)

Oh yeah, we patched that in October, Windows giant yawns

http://www.theregister.co.uk/2018/02/15/microsoft_skype_fixed/

------------------------------

Date: Sat, 24 Feb 2018 00:51:59 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks
  Transparency (WiReD)

When an Oregon science fiction writer named Charity tried to log onto
Facebook on February 11, she found herself completely locked out of her
account. A message appeared saying she needed to download Facebook's malware
scanner if she wanted to get back in. Charity couldn't use Facebook until
she completed the scan, but the file the company provided was for a Windows
device -- Charity uses a Mac.

http://www.wired.com/story/facebook-mandatory-malware-scan/

------------------------------

Date: Sat, 24 Feb 2018 14:34:50 -0500
From: Monty Solomon <monty () roscom com>
Subject: An old tax scam -- with a troubling new twist (WashPo)

An old tax scam -- with a troubling new twist

http://www.washingtonpost.com/news/get-there/wp/2018/02/22/an-old-tax-scam-with-a-troubling-new-twist/

A New Tax Scam, and Tips on How to Deal With It
http://www.nytimes.com/2018/02/23/your-money/income-tax-scam-tips.html

A big deposit from the IRS unexpectedly shows up in your bank account. What
should you do? First off, don't spend it. You may be a victim of identity
fraud.

------------------------------

Date: Mon, 19 Feb 2018 09:23:11 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Maker of sneaky Mac adware sends security researcher
  cease-and-desist letters" (Zack Whittaker)

Zack Whittaker for Zero Day | December 13, 2017
http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/

Maker of sneaky Mac adware sends security researcher cease-and-desist letters
"If there's code that's mining data and hiding itself on a computer without
any way of removing it, that's malware, plain and simple."

selected text:

The maker of a sneaky adware that hijacks a user's browser to serve ads is
back with a new, more advanced version -- one that can gain root privileges
and spy on the user's activities.

News of the updated adware dropped Tuesday in a lengthy write-up by Amit
Serper, principal security researcher at Cybereason.

TargetingEdge sent cease-and-desist letters to try to prevent Serper from
publishing his research.

------------------------------

Date: Fri, 23 Feb 2018 20:26:21 -0500
From: Monty Solomon <monty () roscom com>
Subject: Tesla cloud resources are hacked to run cryptocurrency-mining malware
  (Ars Technica)

Crooks find poorly secured access credentials, use them to install stealth
miner.

http://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

------------------------------

Date: Fri, 23 Feb 2018 20:26:17 -0500
From: Monty Solomon <monty () roscom com>
Subject: One-stop counterfeit certificate shops for all your malware-signing
  needs (Ars Technica)

Certificates registered in names of real corporations are surprisingly easy
to come by.

http://arstechnica.com/information-technology/2018/02/counterfeit-certificates-sold-online-make-digitally-signed-malware-a-snap/

------------------------------

Date: February 23, 2018 at 6:30:28 AM EST
From: Richard Forno <rforno () infowarrior org>
Subject: US Border Patrol Hasn't Validated E-Passport Data For Years
  (Lily Hay Newman)

Lily Hay Newman, WiReD, 22 Feb 2018

US Customs and Border Patrol hasn't been verifying the cryptographic
signatures on e-Passports -- because they never installed the right software.

Passports, like any physical ID, can be altered and forged. That's partly
why for the last 11 years the United States has put RFID chips in the back
panel of its passports, creating so-called e-Passports. The chip stores your
passport information -- like name, date of birth, passport number, your
photo, and even a biometric identifier -- for quick, machine-readable border
checks.  And while e-Passports also store a cryptographic signature to
prevent tampering or forgeries, it turns out that despite having over a
decade to do so, US Customs and Border Protection hasn't deployed the
software needed to actually verify it.

This means that since as far back as 2006, a skilled hacker could alter the
data on an e-Passport chip -- like the name, photo, or expiration date --
without fear that signature verification would alert a border agent to the
changes. That could theoretically be enough to slip into countries that
allow all-electronic border checks, or even to get past a border patrol
agent into the US.

"The idea of these things is that they're supposed to provide some
additional electronic security over a standard passport, which can be forged
using traditional techniques," says Matthew Green, a cryptographer at Johns
Hopkins University. "The digital signature would provide that guarantee. But
if it's not checked it doesn't."

A letter to CBP on Thursday from senators Ron Wyden of Oregon and Claire
McCaskill of Missouri highlights this crucial shortcoming. More than 100
countries now offer passports that come with a digital chip, and fewer than
half of those include the capability to verify the integrity of data using a
digital signature. But Wyden and McCaskill stress that while the US demands
that countries in the Visa Waiver program put a chip in their passports, it
has failed to fully realize its own e-Passport program.

"CBP does not have the software necessary to authenticate the information
stored on the e-Passport chips," the two Senators wrote. "Specifically, CBP
cannot verify the digital signatures stored on the e-Passport, which means
that CBP is unable to determine if the data stored on the smart chips has
been tampered with or forged."

http://www.wired.com/story/us-border-patrol-hasnt-validated-e-passport-data-for-year
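The article's point is that a signature nobody checks protects nothing. The following is an added example, not code from the article, from CBP, or from any passport reader: a simplified model (my assumption, not the real ICAO 9303 data formats) of how an e-Passport's signed security object is meant to be checked. The chip carries numbered data groups (DG1 for the machine-readable text, DG2 for the photo), a list of their hashes, and a signature over that list made with the issuing state's key; the names `Issue`, `Verify`, `ReadWithoutVerifying`, `AlterDataGroup` and all sample content are constructed for this illustration. `Verify` is the check the senators say CBP could not perform; `ReadWithoutVerifying` is what a reader that lacks it effectively does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Chip is a constructed model of an e-Passport's contents: data groups, the
// hash of each group, and one signature over the list of hashes. Real chips
// use X.509 certificates and CMS structures; only the hash-then-sign shape is
// kept here (assumption made for this example).
type Chip struct {
	DataGroups map[int][]byte   // DG number -> content (sample values, not a real dump)
	Hashes     map[int][32]byte // signed hashes of the data groups
	Signature  []byte           // issuing state's signature over the hash list
}

var (
	ErrSignature = errors.New("security object signature invalid")
	ErrHash      = errors.New("data group hash mismatch")
)

// securityObjectBytes serializes the hash list in a fixed order so that issuer
// and verifier sign and check exactly the same bytes.
func securityObjectBytes(hashes map[int][32]byte) []byte {
	ids := make([]int, 0, len(hashes))
	for id := range hashes {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	var out []byte
	for _, id := range ids {
		out = append(out, byte(id>>8), byte(id)) // 2-byte big-endian DG number
		h := hashes[id]
		out = append(out, h[:]...)
	}
	return out
}

// Issue builds a chip whose hash list is signed with the issuing state's key.
func Issue(priv ed25519.PrivateKey, groups map[int][]byte) Chip {
	hashes := make(map[int][32]byte, len(groups))
	for id, content := range groups {
		hashes[id] = sha256.Sum256(content)
	}
	return Chip{DataGroups: groups, Hashes: hashes,
		Signature: ed25519.Sign(priv, securityObjectBytes(hashes))}
}

// Verify is the check a border system should run: the signature over the hash
// list must validate under the issuer's public key, and every data group must
// match its signed hash. Either failure means the chip data cannot be trusted.
func Verify(pub ed25519.PublicKey, c Chip) error {
	if !ed25519.Verify(pub, securityObjectBytes(c.Hashes), c.Signature) {
		return ErrSignature
	}
	for id, content := range c.DataGroups {
		want, ok := c.Hashes[id]
		if !ok || sha256.Sum256(content) != want {
			return fmt.Errorf("DG%d: %w", id, ErrHash)
		}
	}
	return nil
}

// ReadWithoutVerifying models the reported shortcoming: the reader displays
// whatever DG1 says and never consults the signature.
func ReadWithoutVerifying(c Chip) string {
	return string(c.DataGroups[1])
}

// AlterDataGroup is a test fixture producing the situation the article warns
// about: one data group rewritten while the signed hash list stays as issued.
func AlterDataGroup(c Chip, id int, content []byte) Chip {
	groups := make(map[int][]byte, len(c.DataGroups))
	for k, v := range c.DataGroups {
		groups[k] = v
	}
	groups[id] = content
	return Chip{DataGroups: groups, Hashes: c.Hashes, Signature: c.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chip := Issue(priv, map[int][]byte{
		1: []byte("ERIKSSON<<ANNA<MARIA"), // constructed MRZ-style name
		2: []byte("constructed-photo-bytes"),
	})
	fmt.Println("genuine chip, verified:", Verify(pub, chip))
	altered := AlterDataGroup(chip, 1, []byte("SMITH<<JOHN"))
	fmt.Println("altered chip, verified:", Verify(pub, altered))
	fmt.Println("altered chip, unverified reader shows:", ReadWithoutVerifying(altered))
}
```

In a deployed system the issuer's public key is not a constant but comes from the issuing country's signing certificate, so the check also depends on having and trusting those certificates; the example assumes the key is already known. The failure mode the article describes is not a broken algorithm but a step that was never executed.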

------------------------------

Date: Mon, 19 Feb 2018 16:51:03 -0500
From: Monty Solomon <monty () roscom com>
Subject: Facebook Shows Why SMS Isn't Ideal for Two-Factor Authentication
  (Tidbits)

http://tidbits.com/article/17802

------------------------------

Date: Sun, 18 Feb 2018 23:08:39 -0500
From: Monty Solomon <monty () roscom com>
Subject: Google Chrome Now Blocks Irksome Ads. That's a Good Thing, Right?
  (NYTimes)

http://www.nytimes.com/2018/02/18/business/media/google-chrome-ad-block.html
The browser's latest update filters out pop-up ads and other annoyances. It
also strengthens Google's grip on the web.

------------------------------

Date: Sun, 18 Feb 2018 18:49:03 -0500
From: Monty Solomon <monty () roscom com>
Subject: Federal Judge Says Embedding a Tweet Can Be Copyright Infringement
  (EFF)

http://www.eff.org/deeplinks/2018/02/federal-judge-says-embedding-tweet-can-be-copyright-infringement

------------------------------

Date: Fri, 23 Feb 2018 20:26:14 -0500
From: Monty Solomon <monty () roscom com>
Subject: How a fight over Star Wars download codes could reshape copyright law
  (Ars Technica)

How a fight over Star Wars download codes could reshape copyright law
http://arstechnica.com/tech-policy/2018/02/judge-slaps-down-disney-effort-to-stop-resale-of-star-wars-download-codes/

------------------------------

Date: Sat, 24 Feb 2018 16:16:16 -0500
From: Monty Solomon <monty () roscom com>
Subject: How Samsung moved beyond its exploding phones (Ars Technica)

Just 18 months later, the company -- and consumers -- have shrugged it all
off
http://www.washingtonpost.com/business/how-samsung-moved-beyond-its-exploding-phones/2018/02/23/5675632c-182f-11e8-b681-2d4d462a1921_story.html

------------------------------

Date: Mon, 26 Feb 2018 09:11:15 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Fail-slow at scale: When the cloud stops working" (Robin Harris)

Robin Harris for Storage Bits (26 Feb 2018)
Big systems have so many interacting parts, which can interact in
so many ways.  Such interesting (and frustrating) failure modes:

http://www.zdnet.com/article/how-clouds-fail-slow/
Computer systems fail. Most failures are well-behaved: the system stops
working. But there are bad failures too, where the systems works, but really
s-l-o-w-l-y. What components are most likely to fail-slow? The answers may
surprise you.

selected text:

If you've ever had a system fail-slow, you know how maddening it is.  The
lights are on, the fans are running, but nobody is home. Is it software? A
background process run amok?

The paper has some cautionary anecdotes that are amusing, if only in
retrospect.

* one operator put an office chair adjacent to a storage cluster. The
  operator liked to rock in the chair, repeatedly popping hotplug drives out
  of the chassis (a hard correlation to diagnose).

But many of the failures were more subtle:

* a vendor's buggy firmware made a batch of SSDs stop for seconds, disabling
  the flash cache layer and making the entire storage stack slow.

* a machine was deemed nonfunctional due to heavy ECC correction of many
  DRAM bit-flips.

* bad chips in SSDs reduce the size of over-provisioned space, triggering
  more frequent garbage collection.

* applications that create a massive load can cause the rack power control
  to deliver insufficient power to other machines (degrading their
  performance), but only until the power-hungry applications finish.

"A fan in a compute node stopped working, making other fans compensate the
dead fan by operating at maximal speeds, which then caused a lot of noise
and vibration that subsequently degraded the disk performance."

Naturally, finding these problems took a minimum of hours and often days,
weeks, or even months. In one case an entire team of engineers was pulled
off a project to diagnose a bug, at a cost of tens of thousands of dollars.

Root causes

Nor does the root cause necessarily rest with the slow hardware, as in the
case above where a power-hungry application on some servers caused other
servers to slow down. In another case the vendor couldn't reproduce the
user's high-altitude failure mode at their sea level facility.

For (one more) example,

In one condition, a fan firmware would not react quickly enough when
CPU-intensive jobs were running, and as a result the CPUs entered thermal
throttle (reduced speed) before the fans had the chance to cool down the
CPUs.

------------------------------

Date: Sun, 25 Feb 2018 11:53:22 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Apple Repair Center Barrages Sacramento's 911 Operators (CBS)

http://sacramento.cbslocal.com/2018/02/22/apple-elk-grove-911-accidental/

Since October of last year, devices at an Apple repair center in Elk Grove,
California have called 911 an average of 20 times a day, for a total of
about 1600 dials, according to a local CBS affiliate. Apple acknowledged the
issue in a statement, saying, "We take this seriously and we are working
closely with local law enforcement to investigate the cause and ensure this
doesn't continue." That investigation likely won't take long; the Apple
Watch automatically calls 911 if you hold the side button down for several
seconds. Tapping the side button of your iPhone five times in succession
does the same, if you're on iOS 11. Those features are obviously helpful to
people in legitimate danger. But unless Apple can wrangle its Elk Grove
process to stop the influx of false alarms, it may end up blocking actual
calls from getting through.

http://sacramento.cbslocal.com/2018/02/22/apple-elk-grove-911-accidental/

  [Monty Solomon noted this here:
http://www.washingtonpost.com/news/the-switch/wp/2018/02/23/an-apple-repair-center-accidentally-called-911-about-1600-times-in-four-months-and-no-one-knows-why/
  ]

------------------------------

Date: Sat, 24 Feb 2018 21:35:05 -0500
From: "Arthur T." <Risks201802.10.atsjbt () xoxy net>
Subject: Convention registration leaks information

Software used for registration at some science fiction and furry conventions
will let you type in anyone's name, and it will show if that person has ever
attended that convention, and if they're registered for the upcoming one.
The software vendor considers this to be a feature, not a bug.

Some quotes from the article:

  "Even worse, your fursona name is also displayed."
  "The reality is that many people are afraid to come out as a fur, for their
   own reasons."
  "This is a leak of customer data, and should be treated like any other."

<http://medium.com/%40_sky_/furry-website-leaks-real-identities-7e25c71bd762>

------------------------------

Date: Sat, 24 Feb 2018 00:59:01 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Banking Nightmare: Chase Glitch Gives Online Access to Random
  People (Fly&Dine)

http://flyanddine.boardingarea.com/chase-glitch-random-access/
http://krebsonsecurity.com/2018/02/chase-glitch-exposed-customer-accounts/

------------------------------

Date: Tue, 20 Feb 2018 12:19:49 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "iPhone explodes at Vietnamese hair salon, thankfully only injures
  Apple fans' pride" (RocketNews)

http://en.rocketnews24.com/2018/02/21/iphone-explodes-at-vietnamese-hair-salon-thankfully-only-injures-apple-fans-pride%25E3%2580%2590video%25E3%2580%2591/

iPhone explodes at Vietnamese hair salon, thankfully only injures Apple
fans' pride

The explosion is off-screen, but flames are not.

------------------------------

Date: Tue, 20 Feb 2018 17:46:31 -0500
From: David Tarabar <dtarabar () acm org>
Subject: Cyberstalking via unsolicited anonymous Amazon deliveries
  (The Boston Globe)

Several women have received multiple unsolicited Amazon packages containing
sex toys and lingerie. The sending account is anonymous and pays for the
items with gift cards.

http://www.bostonglobe.com/business/2018/02/19/these-surprise-packages-from-amazon-spark-something-more-than-frustration-fear/6X4X2rWJw3SawwCGe4n2rJ/story.html

------------------------------

Date: Wed, 21 Feb 2018 00:46:29
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Car of the Future Will Sell Your Data (Bloomberg)

Your driving behavior, location, has monetary value, not unlike your search
activity.

Of course, not all drivers may understand what privacy rights they're
signing away. A Government Accountability Office report published in July
found none of the 13 carmakers in the study that collected data from
connected vehicles had easy-to-read privacy notices and most don't explain
data sharing and use practices. ...

The kinds of car-data tools in play today are much smaller scale.  General
Motors Co., which pioneered the connected car with its OnStar concierge
service, sent a software update to millions of vehicles in December,
introducing an e-commerce system that lets drivers order coffee or make
restaurant reservations while driving -- to the chagrin of some safety
advocates. Longer term, GM may look to monetize traffic and parking data
it'll collect as its self-driving cars get on the road next year.

http://www.bloomberg.com/news/articles/2018-02-20/the-car-of-the-future-will-sell-your-data

  [Monty Solomon noted this one:
Connected cars are going to monetize data, but most drivers don't know that.
http://arstechnica.com/cars/2018/02/no-one-has-a-clue-whats-happening-with-their-connected-cars-data/
  ]

------------------------------

Date: Tue, 20 Feb 2018 10:20:10 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Don't blindly follow your GPS -- Sylvan Lake State Park staff
  offers winter route advice (Pam Boyd)

Pam Boyd, *Vail Daily*, February 17, 2018

   EAGLE -- Just because a GPS system recommends it, doesn't mean it's the
   right way to travel.  The staff at Sylvan Lake State Park near Eagle
   highlighted this fact with a recent case in point.

   When motorists along Interstate 70 initiate a search for the shortest
   route to Ruedi Reservoir, their GPS may advise Crooked Creek Pass. During
   warm weather months, it's a viable alternative. In the winter, not so
   much.

   "GPS will tell people to come up this way, and that's fine in the
   summertime, but in the winter, the Forest Service doesn't plow the road
   above the lake," said Sylvan Lake State Park Supervisor Michael
   Wall. "It's very clear the road isn't open when they get here, it just
   isn't clear on GPS."

------------------------------

Date: Sat, 24 Feb 2018 19:11:40 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Before Hitting the Road, Self-Driving Cars Should Have to
  Pass a Driving Test (Scientific American)

http://www.scientificamerican.com/article/before-hitting-the-road-self-driving-cars-should-have-to-pass-a-driving-test/

So a fresh-off-the-assembly line autonomous vehicle (AV) goes to the
motor vehicle department, and queues for a road qualification test with
a crash-test dummy...

This qualification test, preferably a simulation environment applied to
the AV's operational control program (OFP), must incorporate
non-deterministic stimulus conditions: Bowling balls tossed onto the road,
a couch or refrigerator flying off the bed of a pick-up truck that's 8
car lengths ahead while traveling at 100 km/h, various weather
conditions (snow, ice, rain, wind, blinding sun, sundown, sunrise,
etc.), an overturned truck load of cabbages, traffic signs plastered
with "Kilroy was Here" or "Eat at Joe's," wayward intersection traffic
controls, sudden lane closures, and dogs and cats or children on
bicycles or skateboards carelessly sprinting in front of the vehicle
via blind spots. Add sensor error, failure, or s/w stack anomalies like
a "Bluetooth hijack" attack to spice things up a bit.

Can an AV's OFP successfully navigate these conditions? Success means
reduced accident statistics compared to historical NHTSA findings. The NHTSA
published these accident statistics
(http://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812451) for
2014-2016. If all vehicles on the road are AVs, then the statistics would
look different per vehicle mile traveled (VMT). Perhaps a probably
approximately correct "trolley problem" self-trained, memristor-enabled,
quantum neural network solution can.

California's government specified safety requirements that AVs must satisfy
for deployment. You can find them here:
https://www.dmv.ca.gov/portal/wcm/connect/211897ae-c58a-4f28-a2b7-03cbe213e51d/avexpressterms_93016.pdf?MOD=AJPERES
The government charges $3600 to register an AV for a trial permit. This
document stipulates a "soup to nuts" specification for AV capability
achievement:

  Section 227.58. Application for a Permit for Post-Testing Deployment of
  Autonomous Vehicles on Public Roads, Part (b) states:

  "(1) Certification that the vehicle complies with the Vehicle Performance
  Guidance for Automated Vehicles in the National Highway Traffic Safety
  Administration's Federal Automated Vehicles Policy.

  "(2) Certification that the autonomous vehicle's autonomous technology is
  designed to detect and respond to roadway situations in compliance with
  all provisions of the California Vehicle Code and local regulation
  applicable to the operation of motor vehicles."

  Section 277.44 Reporting Accidents states:

  "A manufacturer whose autonomous vehicle while operating under a
  Manufacturer's Testing Permit is in any manner involved in an accident
  originating from the operation of the autonomous vehicle on a public road
  that resulted in the damage of property or in bodily injury or death shall
  report the accident to the department, within 10 days after the accident,
  on Report of Traffic Accident Involving an Autonomous Vehicle, form OL 316
  (NEW 9/2013)(REV 9/2016) which is hereby incorporated by reference."

California's regulations are scoped to vehicle capability. There are no
apparent "public benefit" metrics or key performance indicators contained in
the regulations, such as to show a reduction in VMT accident or incident
rates.  I did not inspect the federal regulations, but suspect that they do
not specify "public benefit" metrics either.

It is the transition to an all "Minority Report" transportation system --
complete AV supremacy -- that portends regrettable "lessons learned"
measured in fatalities and accident histories. The State of California
proactively anticipates these incidents. AV manufacturers have bought a
green light to commit accidents, without a demand to "meet or reduce"
historical accident measures. The government apparently figures that
interfering with commercial enterprise and technological progress, despite
the public risk, is an acceptable quotidian practice.  Governments enable
loss-of-life experimentation to benefit preferred constituents. An
incontrovertible, and tragic oxymoron.

Apparently, the wealth to reap from accelerated human-operated vehicle
retirement tempts many to experiment. Politicians are eager to spill a
little blood for campaign contributions in the name of progress.
Pedestrians and motorists have no participatory opt-out/opt-in, except
through vocal protest and the ballot box.

Seems that technology has become like war: As Homer's Odyssey says, "War is
young men dying and old men talking."
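
The post's pass criterion (fewer accidents per vehicle mile traveled than the historical NHTSA baseline) is only meaningful once the simulated mileage is large enough to tell a lucky run from a safer vehicle. The following Python is an added illustration, not part of the post or of any regulator's procedure: it treats crashes over a fixed mileage as Poisson counts and passes the AV only when its count is improbably low under the baseline rate. The baseline of 200 per 100 million VMT is a constructed placeholder, not an NHTSA figure.

```python
import math

# NHTSA publishes crash rates per 100 million vehicle miles traveled (VMT).
MILES_PER_RATE_UNIT = 100_000_000


def poisson_cdf(k, lam):
    """P[X <= k] for X ~ Poisson(lam); terms computed in log space so that
    large expected counts do not overflow the factorial."""
    if lam <= 0:
        return 1.0
    total = 0.0
    for i in range(k + 1):
        total += math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
    return min(total, 1.0)


def rate_per_100m_vmt(crashes, miles):
    """Crash rate in the unit NHTSA reports, so it is comparable to the baseline."""
    if miles <= 0:
        raise ValueError("need a positive simulated mileage")
    return crashes / miles * MILES_PER_RATE_UNIT


def passes_qualification(crashes, miles, baseline_rate, alpha=0.05):
    """Null hypothesis: the AV crashes at the historical baseline rate.
    Under it, crashes over `miles` are Poisson with mean baseline * miles / 1e8.
    The AV passes only if observing this few crashes (or fewer) would be
    improbable (p < alpha) under that null. Returns (passed, p_value)."""
    if miles <= 0:
        raise ValueError("need a positive simulated mileage")
    expected = baseline_rate * miles / MILES_PER_RATE_UNIT
    p_value = poisson_cdf(crashes, expected)
    return p_value < alpha, p_value


if __name__ == "__main__":
    BASELINE = 200.0  # constructed placeholder, per 100M VMT
    # 10M simulated miles, 10 crashes: rate 100/100M VMT, half the baseline.
    print(passes_qualification(10, 10_000_000, BASELINE))   # (True, ~0.0108)
    # Same mileage, 15 crashes: looks better than baseline but is not significant.
    print(passes_qualification(15, 10_000_000, BASELINE))   # (False, ~0.157)
    # 1M miles with a perfect record still cannot pass: expected count is only 2.
    print(passes_qualification(0, 1_000_000, BASELINE))     # (False, ~0.135)
```

The last case is the practical point: a short test cannot certify a vehicle even with zero crashes, because the baseline predicts so few crashes over that distance that a clean record is unremarkable.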

------------------------------

Date: Tue, 20 Feb 2018 07:43:40 -0800
From: Kelly Manning <k.manning () ieee org>
Subject: Re: mystery deliveries from Amazon

The University of Victoria Student Union is also receiving a wide variety
of Amazon purchases that were not ordered.

While some of this may involve harassment, the vast majority is probably
related to the issue of fake reviews / "brushing".

Fake Reviewers have to actually order the product, but don't want to be
traceable, so they direct the delivery to a street address for some other
person or entity.

Can't Amazon correlate the nuisance delivery addresses with Amazon Reviews,
and reject the reviews associated with those purchases, and flag future
purchases made with charge cards that can't be associated with an
established account? Amazon is able to determine that the purchases were
typically made with "Gift" VISA cards.

http://news.ycombinator.com/item?id=15940318

http://www.brianbien.com/amazons-fake-review-problem/
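
The correlation the post asks for can be expressed directly: join reviews to the order that qualifies them, reject those whose order shipped to an address that reported unordered deliveries, and flag orders paid with a card not tied to the account that go to an address the account has never used. The Python below is an added illustration of that check, not Amazon's code or the post's; all orders, accounts, addresses and the "gift_visa" / "card_on_file" payment labels are constructed.

```python
from collections import defaultdict

# Constructed sample records; none are real orders, accounts or addresses.
ORDERS = [
    {"id": "o1", "account": "acct-A", "product": "p1", "ship_to": "1 Union Hall", "payment": "gift_visa"},
    {"id": "o2", "account": "acct-B", "product": "p1", "ship_to": "1 Union Hall", "payment": "gift_visa"},
    {"id": "o3", "account": "acct-C", "product": "p2", "ship_to": "9 Home St", "payment": "card_on_file"},
    {"id": "o4", "account": "acct-D", "product": "p1", "ship_to": "1 Union Hall", "payment": "gift_visa"},
]
REVIEWS = [
    {"account": "acct-A", "product": "p1", "order": "o1", "stars": 5},
    {"account": "acct-B", "product": "p1", "order": "o2", "stars": 5},
    {"account": "acct-C", "product": "p2", "order": "o3", "stars": 4},
]
# Addresses whose occupants reported deliveries they never ordered.
NUISANCE_ADDRESSES = {"1 Union Hall"}
# Shipping addresses each account has previously used with a card tied to it.
ESTABLISHED = {"acct-C": {"9 Home St"}}


def reviews_to_reject(orders, reviews, nuisance):
    """Reviews whose qualifying purchase was shipped to a reported nuisance address."""
    ship_to = {o["id"]: o["ship_to"] for o in orders}
    return [r for r in reviews if ship_to.get(r["order"]) in nuisance]


def orders_to_flag(orders, established, nuisance, min_accounts=3):
    """Map order id -> reasons. Flags orders paid with a card not linked to an
    established account that ship somewhere the account never used, orders to
    a reported nuisance address, and orders to an address that several
    unlinked-card accounts share (the drop-address pattern of brushing)."""
    accounts_per_addr = defaultdict(set)
    for o in orders:
        if o["payment"] == "gift_visa":
            accounts_per_addr[o["ship_to"]].add(o["account"])
    flagged = {}
    for o in orders:
        reasons = []
        known = established.get(o["account"], set())
        if o["payment"] == "gift_visa" and o["ship_to"] not in known:
            reasons.append("unlinked-card-new-address")
        if o["ship_to"] in nuisance:
            reasons.append("reported-nuisance-address")
        if len(accounts_per_addr[o["ship_to"]]) >= min_accounts:
            reasons.append("shared-drop-address")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged
```

Running it on the sample data rejects the two five-star reviews tied to the Union Hall deliveries and flags orders o1, o2 and o4 on all three counts, while the card-on-file order to an established address passes untouched.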

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.56
************************

