RISKS Forum mailing list archives
Risks Digest 30.57
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 1 Mar 2018 14:44:24 PST
RISKS-LIST: Risks-Forum Digest  Thursday 1 March 2018  Volume 30 : Issue 57

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.57>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Using a Laser to Wirelessly Charge a Smartphone Safely Across a Room
  (James Orton)
Bill Gates: Cryptocurrency is super-risky over the long-term (Emmie Martin)
"Wine lovers cannot buy Burgundy as Google cracks down on 'gun' searches"
  (The Telegraph via Chris Drewe)
"SAML protocol bug let hackers log in as other users"
  (Zack Whittaker via Gene Wirchenko)
23,000 HTTPS certificates axed after CEO emails private keys (Ars Technica)
New Orleans alleged to have secretly used Palantir predictive policing (CSO)
Voice Assistants Are Being Built Into New Smart Home Products at CES 2018
  (Consumer Reports via Gabe Goldberg)
I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick
  (TroyHunt)
Weird attachment on ATM (Dave Horsfall)
Artificial intelligence and national security (Allen/Chan via Diego Latella)
Chrome Lets Hackers Phish Even 'Unphishable' Yubikey Users (WiReD)
Re: The Myth of the Hacker-Proof Voting Machine (Mark E. Smith)
Re: US Border Patrol Hasn't Validated E-Passport Data For Years (John Levine)
Re: mystery deliveries from Amazon (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 28 Feb 2018 13:09:34 -0500
From: ACM TechNews <technews-editor () acm org>
Subject: Using a Laser to Wirelessly Charge a Smartphone Safely Across a Room
  (James Orton)

James Urton, UW News 20 Feb 2018, via ACM TechNews, Wednesday, February 28, 2018

Researchers at the University of Washington (UW) have developed a way to safely charge a smartphone wirelessly across a room using a narrow, near-infrared beam from a laser emitter. The engineers mounted a thin power cell to the back of the smartphone, and custom-designed safety features that included a metal heat sink to dissipate excess heat and a reflector-based mechanism to deactivate the laser in case someone attempts to move in the beam's path. "These features give our wireless charging system the robust safety standards needed to apply it to a variety of commercial and home settings," says UW professor Arka Majumdar. The smartphone emits high-frequency acoustic "chirps" so the emitter can detect when a user has set the phone on the charging surface. The team also notes the emitter can be tweaked to expand the charging beam's radius to up to 100 square centimeters from a distance of 12 meters.

http://www.washington.edu/news/2018/02/20/using-a-laser-to-wirelessly-charge-a-smartphone-safely-across-a-room/

  [This innovation might have some fascinating implications on security,
  reliability, and more.  PGN]

------------------------------

Date: Tue, 27 Feb 2018 16:13:33 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Bill Gates: Cryptocurrency is super-risky over the long-term
  (Emmie Martin)

Emmie Martin, CNBC, 27 Feb 2018
http://www.cnbc.com/2018/02/27/bill-gates-calls-cryptocurrency-super-risky-in-reddit-ama.html

Bill Gates is not a fan of cryptocurrency.
During a recent "Ask Me Anything" session on Reddit, the Microsoft co-founder said that the main feature of cryptocurrencies is the anonymity they provide to buyers, and Gates thinks that can actually be harmful.

"The government's ability to find money laundering and tax evasion and terrorist funding is a good thing," he wrote. "Right now, cryptocurrencies are used for buying fentanyl and other drugs, so it is a rare technology that has caused deaths in a fairly direct way."

When a Reddit user pointed out that plain cash can also be used for illicit activities, Gates said that crypto stands out because it can be easier to use. "Yes -- anonymous cash is used for these kinds of things, but you have to be physically present to transfer it, which makes things like kidnapping payments more difficult," he wrote.

------------------------------

Date: Thu, 01 Mar 2018 22:14:54 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: "Wine lovers cannot buy Burgundy as Google cracks down on 'gun' searches" (The Telegraph)

http://www.telegraph.co.uk/news/2018/02/27/wine-lovers-cannot-buy-burgundy-tipple-google-internet-giant

Wine lovers can no longer purchase their favourite Burgundy tipple using Google's Shopping service after the Internet giant cracked down on search queries featuring the term 'gun'. Online shoppers have complained about being unable to browse dozens of products such as
Burgundy wine, water guns and music by American rock band Guns N' Roses.
   ^^^               ^^^^                                 ^^^^

  [Gabe Goldberg commented on the same article in Business Insider:
  "The risk?  Computers doing what they're told!"  PGN]

------------------------------

Date: Wed, 28 Feb 2018 08:50:15 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "SAML protocol bug let hackers log in as other users" (Zack Whittaker)

  [Bonus risk included!  (The headline states that the bug was in the
  protocol, but it is actually in the implementation.)]

Zack Whittaker for Zero Day, 27 Feb 2018
http://www.zdnet.com/article/saml-protocol-bug-puts-single-sign-on-accounts-at-risk/

A validation bug in how some single sign-on products implemented an open authentication standard could have allowed an attacker to log in to a site or service as though they were the victim they were targeting.

selected text:

But this new vulnerability lets an attacker take the authenticated response to a login request and switch a portion with an attacker's information instead. That means an attacker can log in as though they were the victim they were targeting.

The exploit works by modifying the response once a username and password has been verified. It then sends a message back to the user's browser to log them in. If an attacker modifies the response, the validating signature is also meant to change -- but if the signatures aren't properly checked, the system is none the wiser.

Duo researchers said the results of the attack "varies greatly" between services at risk by the bug.

------------------------------

Date: Thu, 1 Mar 2018 08:42:52 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: 23,000 HTTPS certificates axed after CEO emails private keys (Ars Technica)

NNSquad
http://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/

A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.
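The SAML item above (Gene Wirchenko's, two items up) turns on a service provider acting on an identity field that its signature check did not actually cover. The following Python sketch is an added example for this digest, not code from the digest, from Duo, or from any SSO product. It uses a JSON dictionary and an HMAC as a stand-in for the XML assertion and its XML-DSig signature, so `IDP_KEY`, `canonical`, `sign_assertion`, `weak_validate` and `strict_validate` are all constructed names, and the responses it feeds them are constructed sample data. It places a weak validator that only checks that a signature is present beside one that recomputes the signature over the exact bytes of the assertion it then trusts, and shows that only the second notices a swapped NameID.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the identity provider's signing key. Real SAML uses
# XML-DSig with an asymmetric key pair; an HMAC over canonical bytes plays the
# same role in this example.
IDP_KEY = b"demo-idp-signing-key"


def canonical(assertion: dict) -> bytes:
    """Deterministic byte form of the assertion (the role XML canonicalisation plays)."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(assertion: dict, key: bytes = IDP_KEY) -> dict:
    """What the identity provider returns once the user's password has checked out."""
    sig = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": sig}


def weak_validate(response: dict) -> Optional[str]:
    """Flawed service-provider check: confirms only that a well-formed signature
    is present, then trusts the NameID. Any edit to the assertion goes unnoticed."""
    sig = response.get("signature", "")
    if len(sig) != 64 or any(c not in "0123456789abcdef" for c in sig):
        return None
    return response["assertion"].get("NameID")


def strict_validate(response: dict, key: bytes = IDP_KEY) -> Optional[str]:
    """Correct check: recompute the signature over the exact bytes of the
    assertion that will be acted upon, and only then read the NameID from them."""
    assertion = response.get("assertion")
    sig = response.get("signature", "")
    if not isinstance(assertion, dict) or not sig:
        return None
    expected = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return assertion.get("NameID")


def demo() -> dict:
    """Run both validators over a genuine response and a tampered copy of it."""
    genuine = sign_assertion({"NameID": "alice@example.com", "Audience": "sp.example.com"})
    # Constructed tampered response: the identity is swapped, the signature reused.
    tampered = {
        "assertion": dict(genuine["assertion"], NameID="bob@example.com"),
        "signature": genuine["signature"],
    }
    return {
        "weak_genuine": weak_validate(genuine),      # alice@example.com
        "weak_tampered": weak_validate(tampered),    # bob@example.com (accepted!)
        "strict_genuine": strict_validate(genuine),  # alice@example.com
        "strict_tampered": strict_validate(tampered),  # None (rejected)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point for a defender is the ordering inside `strict_validate`: the bytes that are verified and the bytes that are read must be the same object, fetched once, with no parsing step in between that could interpret them differently from the signer. Real XML-based validators fail this in subtler ways than a presence-only check, but the property to test for is the same: a response whose identity field has been altered after signing must be rejected.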
------------------------------

Date: Wed, 28 Feb 2018 14:12:50 -0800
From: Gene Wirchenko <genew () telus net>
Subject: New Orleans alleged to have secretly used Palantir predictive policing (CSO)

https://www.csoonline.com/article/3259445/security/new-orleans-alleged-to-have-secretly-used-palantir-predictive-policing.html

The New Orleans Police Department is accused of secretly using Palantir's predictive policing technology to predict who would cause a crime or be a victim of it.

"Ms. Smith", *CSO*, 28 Feb 2018

The city of New Orleans and Palantir Technologies are accused of using the city to secretly test Palantir's predictive policing technology since 2012. Even the City Council allegedly was in the dark about the program that was used to predict who was most likely to commit a crime or be a victim of it.

The Verge published a disturbing report about how the Palantir system managed to fly under the radar for years. It alleges "Palantir established it as a philanthropic relationship with the city through Mayor Mitch Landrieu's signature NOLA For Life program. Thanks to its philanthropic status, as well as New Orleans' 'strong mayor' model of government, the agreement never passed through a public procurement process."

But it wasn't just in 2012; the partnership was reportedly extended three times and was set to expire on Feb. 21, 2018. Neither New Orleans nor Palantir would comment as to the program's current status.

------------------------------

Date: Thu, 1 Mar 2018 16:03:19 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Voice Assistants Are Being Built Into New Smart Home Products at CES 2018 (Consumer Reports)

The most private room in the house may not be so private anymore.

At CES 2018, Kohler announced a line of connected kitchen and bath products called Kohler Konnect, all of which work with Alexa, Google Assistant, and Apple HomeKit for Siri.

The star of the lineup is Kohler's Verdera Voice Lighted Mirror, which has microphones, speakers, and Amazon Alexa built in so it can answer questions ("What's the weather today?"), adjust its lights by voice ("Turn on shaving mode"), and control other compatible devices around the house, including Kohler's other connected products -- no separate smart speaker required.

Kohler is just one of many manufacturers showing off products with Alexa or Google Assistant baked right in. Other brands include iDevices, First Alert, and GE Lighting.

http://www.consumerreports.org/smart-home/voice-assistants-coming-to-every-room-of-home-ces-2018/

Didn't Orwell's 1984 predict that mirror?

------------------------------

Date: Tue, 27 Feb 2018 10:14:44 -0500
From: Monty Solomon <monty () roscom com>
Subject: I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick (TroyHunt)

http://www.troyhunt.com/i-wanna-go-fast-why-searching-through-500m-pwned-passwords-is-so-quick/

------------------------------

Date: Tue, 27 Feb 2018 08:01:54 +1100
From: Dave Horsfall <dave () horsfall org>
Subject: Weird attachment on ATM

The "Krebs on Security" blog (KrebsOnSecurity.com) has a running series on ATM skimmers, and some of them are quite dastardly (the skimmers I mean, not the series).

Well, I saw a suspicious device on an ATM that I was about to use; it was a box just above the card slot, clearly labeled "scanner", and what looked like a window under it. It turned out to be a sensor for the smart-card chip (common in the world outside of the USA); I didn't try it, but all the same: If it's sniffing my card, how do I know it's legitimate, and: What better way to train the sheeple to get accustomed to funny attachments on ATMs?

------------------------------

Date: Tue, 27 Feb 2018 13:44:31 +0100
From: Diego Latella <Diego.Latella () isti cnr it>
Subject: Artificial intelligence and national security (Allen/Chan)

G. C. Allen and T. Chan, Artificial intelligence and national security
http://thebulletin.org/artificial-intelligence-and-national-security11521

  [Suggested by F. Lenci, whom I thank for the notice.]

I've browsed the Executive Summary and Recommendations of this report: G. C. Allen and T. Chan, Artificial intelligence and national security. I haven't read the full report yet, but it seems to me that, once again, the issue of AI (and ICT) dependability as a general but fundamental feature of the specific technology at hand is not addressed, while the advances in machine learning and AI seem to be taken for granted as representing a turning point in the use of automation in warfare. In addition, as far as I could see, there are no references to the ethical dimension of the introduction of (lethal) autonomous weapons or AI tech in the battlefield. Shouldn't computer scientists [and systems engineers], and in particular those expert in computer ethics, dependability, trustworthiness, correctness, etc. be more effective and active in this discussion? [DL]

Dott. Diego Latella, CNR-ISTI, Via Moruzzi 1, 56124 Pisa, Italy (http:www.isti.cnr.it)

  [The quest for a war-free world has a basic purpose: survival. But if in
  the process we learn how to achieve it by love rather than by fear, by
  kindness rather than compulsion; if in the process we learn how to combine
  the essential with the enjoyable, the expedient with the benevolent, the
  practical with the beautiful, this will be an extra incentive to embark on
  this great task. Above all, remember your humanity.
  Sir Joseph Rotblat]

------------------------------

Date: Thu, 1 Mar 2018 09:17:26 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Chrome Lets Hackers Phish Even 'Unphishable' Yubikey Users (WiReD)

WiReD via NNSquad
http://www.wired.com/story/chrome-yubikey-phishing-webusb/

There's no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as "unphishable," a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico's last bastion of login protection.

It's important to note that this exploit category does NOT represent a flaw in U2F itself, but essentially a side-channel vulnerability created by an unrelated subsystem. This specific problem in Chrome will be straightforward to fix, but does highlight the complexity of these security environments. As the saying goes: Security is hard!

  [Caveat from Drew Dean channeling Kenn White on Twitter: This is
  apparently true only for the YubiKey Neo, which uses the CCID protocol
  over USB, not for the classic Blue, Nano, or 4 series.  PGN]

------------------------------

Date: Tue, 27 Feb 2018 18:34:55 -0800
From: "Mark E. Smith" <mymark () gmail com>
Subject: Re: The Myth of the Hacker-Proof Voting Machine (RISKS-30.56)

"This is an extraordinarily powerful tool if all you want to do is simply discredit democracy," [Douglas W.] Jones says. "All you have to do is create the appearance of something having happened, even if it hasn't happened."

If the risk is that of discrediting democracy, our electoral system in and of itself serves that function already.
As far as I can tell, that's what US elections are designed to do: create the appearance of something having happened, such as systemic or institutional change, even when nothing has happened and the same big corporations are still financing both parties to continue the same political agenda as before.

------------------------------

Date: 27 Feb 2018 21:19:53 -0500
From: "John Levine" <johnl () iecc com>
Subject: Re: US Border Patrol Hasn't Validated E-Passport Data For Years (Lily Hay Newman via Forno, RISKS-30.56)

That is really pitiful. Passport data use a standard PKI and they are signed with the same kind of certificates that web sites use. You can get passport reading apps for phones that will show you what's on your passport's chip. US passports are signed with a CA from the US State Department. They don't even have to collect the certs, since the ICAO keeps the database for the benefit of airlines that want to verify passengers' passports.

------------------------------

Date: 27 Feb 2018 20:59:45 -0500
From: "John Levine" <johnl () iecc com>
Subject: Re: mystery deliveries from Amazon (Manning, RISKS-30.56)

In article <34.CMM.0.90.4.1519781441.risko () chiron csl sri.com3813> you write:
>While some of this may involve harassment the vast majority is probably
>related to the issue of Fake Reviews / "brushing".

Apparently not. One of the articles mentioned that theory and Amazon said that there aren't many reviews for unordered stuff.

"Our review detection systems are trained to catch this type of behavior and we will continue our ongoing efforts to detect and prevent abuse. Our investigations thus far indicate that there have been few reviews written on these shipments. We have removed these and will continue to remove any we do find immediately. We will hold offenders that have violated our policies accountable," said a spokesperson for Amazon in a statement to ABC News.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.57
************************