RISKS Forum mailing list archives
Risks Digest 30.67
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 29 Apr 2018 11:04:41 PDT
RISKS-LIST: Risks-Forum Digest  Sunday 29 April 2018  Volume 30 : Issue 67

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.67>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Lightning Hazards Prompt Boeing to Fix 787 Jets (WSJ)
Facebook's dark-ads problem is systemic (Techcrunch)
Facebook's Ties With Kogan and Cambridge Were Even Cozier Than We Thought (Slate)
How merchants use Facebook to flood Amazon with fake reviews (WashPo)
How Looming Privacy Regulations May Strengthen Facebook and Google (NYTimes)
How Fake Mark Zuckerbergs Scam Facebook Users Out of Their Cash (NYTimes)
Malicious Amazon Alexa Skills Can Record Everything a User Says (EWeek)
The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder (NYTimes)
TSB fiasco (Charles Mann on Naked Capitalism)
TSB week-long disruption (The Guardian)
Brain-Computer Interfaces: 'The Last Frontier of Human Privacy' (WSJ)
Viewpoint: The pitfalls of India's biometric ID scheme (BBC)
Zelle, the Banks' Answer to Venmo, Proves Vulnerable to Fraud (NYTimes)
Blockchains for journalism (CJR via Prashanth Mundkur)
ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying (The Register)
Cyberwarfare may be less dangerous than we think (WashPo)
Defending Hospitals against Life-Threatening Cyber-attacks (Scientific American)
'Operation GhostSecret': North Korea Is Suspected in Intensifying Global Cyberattack (WSJ)
"Mysterious cyber-worm targets medical systems, is found on X-ray machines and MRI scanners" (ZDNet)
Comcast partners with Independence Health to create digital health company (Healthcare IT News)
Medical transcription service leaves patient records open (Krebs)
Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency (Ars Technica)
Amazon Launches In-Car Delivery (Business Wire)
A One-Minute Attack Let Hackers Spoof Hotel Master Keys (WiReD)
Hackers have found a way to jailbreak the Nintendo Switch (WashPo)
The state of patch management (HPE)
Backlash prompts Eventbrite to drop demand to crash events, record them (Ars Technica)
Re: Regulate AI? (Craig Burton)
Re: ACM ICPC Programming Contest (Martyn Thomas)
Re: Instant Runoff Voting (Wols)
Re: American elections are too easy to hack. We must take action now (Mark E. Smith)
Re: "A bad day with mobile 2FA" (John Levine, Dimitri Maziuk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 25 Apr 2018 09:50:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Lightning Hazards Prompt Boeing to Fix 787 Jets (WSJ)

Manufacturer aims to eliminate chances of cockpit displays failing due to lightning events

http://www.wsj.com/articles/lightning-hazards-prompt-boeing-to-fix-787-jets-1524652201

------------------------------

Date: Sat, 28 Apr 2018 16:41:14 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Facebook's dark-ads problem is systemic (Techcrunch)

via Lauren Weinstein's Network Neutrality Squad
http://techcrunch.com/2018/04/28/facebooks-dark-ads-problem-is-systemic/

Facebook's admission to the UK parliament this week that it had unearthed unquantified thousands of dark fake ads after investigating fakes bearing the face and name of well-known consumer advice personality, Martin Lewis, underscores the massive challenge for its platform on this front. Lewis is suing the company for defamation over its failure to stop bogus ads besmirching his reputation with their associated scams.
The Dark-ads might be thought of as similar to the Naryads, the Leeryads, the Purseyads, and other meatier showers -- except that they are largely invisible to Facebook and ubiquitously visible to everyone else. Besides, they are not like (scattered) showers at all -- more like uninterrupted monsoons and biblical deluges. At least Noah's Ark did not have the World Wide Web to blare at the hoofers and tweeters on board, or TV speakers offering fake gnus. We might want to take a lesson from the Hindu U-punish-ads. PGN

------------------------------

Date: Mon, 23 Apr 2018 09:57:15 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook's Ties With Kogan and Cambridge Were Even Cozier Than We Thought (Slate)

via NNSquad
http://slate.com/technology/2018/04/60-minutes-interview-facebooks-ties-with-aleksandr-kogan-and-cambridge-were-cozier-than-we-thought.html

What Zuckerberg didn't mention was that Facebook itself had worked directly with Kogan and his Cambridge colleagues for years--and that it continues to this day to employ two of Kogan's close research associates. In an interview with CBS' 60 Minutes on Sunday, Kogan said one of them, his former co-worker Joseph Chancellor, was fully involved in harvesting the user data that they then sold to Cambridge Analytica. On Monday, Facebook spokesman Andy Stone confirmed to Slate that, with respect to Chancellor, "a review of the situation is ongoing."

------------------------------

Date: Mon, 23 Apr 2018 10:53:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How merchants use Facebook to flood Amazon with fake reviews (WashPo)

via NNSquad
http://www.washingtonpost.com/business/economy/how-merchants-secretly-use-facebook-to-flood-amazon-with-fake-reviews/2018/04/23/5dad1e30-4392-11e8-8569-26fda6b404c7_story.html

But a Washington Post examination found that for some popular product categories, such as bluetooth headphones and speakers, the vast majority of reviews appear to violate Amazon's prohibition on paid reviews. They have certain characteristics, such as repetitive wording that people likely cut and paste in. Many of these fraudulent reviews originate on Facebook, where sellers seek shoppers on dozens of networks, including Amazon Review Club and Amazon Reviewers Group, to give glowing feedback in exchange for money or other compensation. The practice artificially inflates the ranking of thousands of products, experts say, misleading consumers.

------------------------------

Date: Tue, 24 Apr 2018 06:06:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: How Looming Privacy Regulations May Strengthen Facebook and Google (NYTimes)

http://www.nytimes.com/2018/04/23/technology/privacy-regulation-facebook-google.html

Facebook and Google are dealing with a privacy backlash and new European rules on data collection. The rules, though, may not be as damaging to the companies as they appear.

------------------------------

Date: Thu, 26 Apr 2018 09:30:33 -0400
From: Monty Solomon <monty () roscom com>
Subject: How Fake Mark Zuckerbergs Scam Facebook Users Out of Their Cash

http://www.nytimes.com/2018/04/25/technology/fake-mark-zuckerberg-facebook.html

The Facebook chief executive has vowed to clean up the social network, but his company has failed to stop even those impersonating him from swindling people.
------------------------------

Date: Sun, 29 Apr 2018 13:23:15 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Malicious Amazon Alexa Skills Can Record Everything a User Says (EWeek)

Security firm Checkmarx reports that malicious Amazon Alexa skills could have enabled an attacker to record everything a user says. Amazon has taken steps to mitigate the issue.

http://www.eweek.com/security/researchers-find-amazon-alexa-can-be-hacked-to-record-users

Of course, how secure are other listening devices?

------------------------------

Date: Sat, 28 Apr 2018 08:06:42 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder (NYTimes)

via NNSquad
http://www.nytimes.com/2018/04/27/health/dna-privacy-golden-state-killer-genealogy.html

Even as scientific experts applauded this week's arrest of the Golden State Killer suspect, Joseph James DeAngelo, 72, some expressed unease on Friday at reports that detectives in California had used a public genealogy database to identify him. Privacy and ethical issues glossed over in the public's rush to embrace DNA databases are now glaringly apparent, they said.

Apparently they also got a false genetic hit on this case last year and harassed a sick and elderly innocent man as a result. I've been saying for years that anyone voluntarily submitting genetic data to publicly accessible databases is worse than an idiot. DNA-based genealogy as a hobby is for suckers. You're selling the current and future generations of your relatives down the goddamned river, you morons!

  [Also noted by Mark Thorson. PGN]

------------------------------

Date: Tue, 24 Apr 2018 8:42:56 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: TSB fiasco (Charles Mann on Naked Capitalism)

http://www.nakedcapitalism.com/2018/04/tsb-train-wreck-massive-bank-it-failure-going-into-fifth-day-customers-locked-out-of-accounts-getting-into-other-peoples-accounts-getting-bogus-data.html

Snippet:

The very short version is that a UK bank, TSB, which had been merged into and then many years later was spun out of Lloyds Bank, was bought by the Spanish bank Banco Sabadell in 2015. Lloyds had continued to run the TSB systems and was to transfer them over to Sabadell over the weekend. It's turned out to be an epic failure, and it's not clear if and when this can be straightened out.

It is bad enough that bank IT problem had been so severe and protracted a major newspaper, The Guardian, created a live blog for it that has now been running for two days. The more serious issue is the fact that customers still can't access online accounts and even more disconcerting, are sometimes being allowed into other people's accounts, says there are massive problems with data integrity. That's a nightmare to sort out. Even worse, the fact that this situation has persisted strongly suggests that Lloyds went ahead with the migration without allowing for a rollback. If true, this is a colossal failure...

------------------------------

Date: Sat, 28 Apr 2018 12:12:17 +0100
From: "Wendy M. Grossman" <wendyg () pelicancrossing net>
Subject: TSB week-long disruption (The Guardian)

People outside the UK may not be aware that customers of one of the largest banks, TSB, has had a week-long IT disaster that has locked people out of accounts, cash, mortgages, staff payments...you name it.

The Guardian says an inside source claims that the warning signs were there a year ago when TSB was forced to divest itself of Lloyds Banking Group (in the financial crisis taxpayer bailout) because after many mergers the IT system was a "bodge of many old systems" (banks here went on a consolidation spree in the 1990s and early 2000s).

The risk that *The Guardian* highlights is interesting: IT systems that are forced into working together by business decisions, then forced apart by regulatory ones...compounded by IT mistakes and internal divisions.

http://www.theguardian.com/business/2018/apr/28/warning-signs-for-tsbs-it-meltdown-were-clear-a-year-ago-insider

  [Richard Stein also notes TSB chaos: 'We are on our knees,' says boss (BBC)
  http://www.bbc.com/news/business-43904267 PGN]

------------------------------

Date: Wed, 25 Apr 2018 10:45:49 -0400
From: Monty Solomon <monty () roscom com>
Subject: Brain-Computer Interfaces: 'The Last Frontier of Human Privacy' (WSJ)

Bryan Johnson, the founder and CEO of neurotech company Kernel, on the issues surrounding direct access to our most valuable data

http://www.wsj.com/articles/brain-computer-interfaces-the-last-frontier-of-human-privacy-1524580522

------------------------------

Date: Tue, 24 Apr 2018 12:17:38 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Viewpoint: The pitfalls of India's biometric ID scheme (BBC)

http://www.bbc.com/news/world-asia-india-43619944

------------------------------

Date: Tue, 24 Apr 2018 17:11:27 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Zelle, the Banks' Answer to Venmo, Proves Vulnerable to Fraud (The New York Times)

Bob Sullivan, an author who specializes in cybercrime and consumer protection, said he was stunned by how poorly the banks had communicated Zelle's risks -- and by their failure to learn from the painful lessons of the past.
http://www.nytimes.com/2018/04/22/business/zelle-banks-fraud.html

  [Monty Solomon added this from that: The personal payment platform Zelle is flourishing. But so are fraudsters, who are exploiting weaknesses in the banks' security. PGN]

------------------------------

Date: Mon, 23 Apr 2018 09:03:29 -0700
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: Blockchains for journalism (CJR)

  [Apparently, it's a thing!]

Civil says the future of media is blockchains and cryptocurrencies
Mathew Ingram, December 4, 2017, CJR
http://www.cjr.org/business_of_news/civil-says-the-future-of-media-is-blockchains-and-cryptocurrencies.php

Jarrod Dicker on what the blockchain can do for news
Mathew Ingram, March 2, 2018, CJR
http://www.cjr.org/innovations/blockchain-poet.php

------------------------------

Date: Fri, 27 Apr 2018 15:24:17 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying (The Register)

Experts complain of shoddy tech specs and personal attacks.

http://www.theregister.co.uk/2018/04/25/nsa_iot_encryption

Those experts with their high standards...

------------------------------

Date: Thu, 26 Apr 2018 19:41:41 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Cyberwarfare may be less dangerous than we think (WashPo)

http://www.washingtonpost.com/news/monkey-cage/wp/2018/04/26/what-can-cybergames-teach-us-about-cyberattacks-quite-a-lot-in-fact/

"Frankly, the United States is under attack." This February 2018 warning to the Senate from Director of National Intelligence Dan Coats included a message that "there should be no doubt" that Russia, emboldened by its 2016 cyberattacks and informational warfare campaign, will target the U.S. midterm elections this year.

"We agree. However, our research suggests that, although states like Russia will continue to engage in cyberattacks against the foundations of democracy (a serious threat indeed), states are less likely to engage in destructive 'doomsday' attacks against each other in cyberspace. Using a series of war games and survey experiments, we found that cyber operations may in fact produce a moderating influence on international crises.

"Here's why: Cyberspace offers states a way to manage escalation in the shadows. Thus, cyber operations are more akin to the Cold War-era political warfare than a military revolution."

Daniel Ellsberg's latest, "The Doomsday Machine: Confessions of a Nuclear War Planner," supplies sober discourse about his persistent and successful effort, during the first Cold War, to implement permissive action links (PALs) as part of US strategic nuclear war planning. Are similar protocols and devices applied to constrain cyber weaponry?

The article does not discuss how delegation of authority may initiate an offensive cyber attack, or escalate into a limited or general war, if or when established command and control channels are disabled or compromised.

------------------------------

Date: Thu, 26 Apr 2018 11:21:13 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Defending Hospitals against Life-Threatening Cyber-attacks (Scientific American)

http://www.scientificamerican.com/article/defending-hospitals-against-life-threatening-cyber-attacks/

"We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees' roles line up with cybersecurity efforts."

Heterogeneous infrastructure broadens ransomware attack surface area and malicious service denial takedown. Role privilege allocation/restriction gaps elevate computerized medical device configuration and usage error risks.

"Getting hospital administrators to understand the importance of cybersecurity is fairly straightforward: They told us they're worried about costs, institutional reputation and regulatory penalties. Getting medical staff on board can be much more difficult: They said they're focused on patient care and don't have time to worry about cybersecurity."

Professionals shirk their oaths and obligations to protect patients, compromising ethical practice with impunity; an alarming standard operating procedure that begs for enforcement and strictly monitored, corrective measures.

Business operations that neglect risk mitigations in the name of profit and expenditure reduction, and a criminal exploiting these vulnerabilities are linked by more than metaphor. Hospital administrators fear brand outrage, yet demur to proactively suppress this potential. Dysfunctional organizational behavior is inimical to patient health and resilient operations.

Digital medical records are integral components of the surveillance economy, and apparently easy to monetize. The notorious bank robber Willie Sutton said, "I rob banks because that's where the money is." Electronic medical record banks are sweeter targets, and software is the criminal's weapon of choice.
------------------------------

Date: Wed, 25 Apr 2018 10:04:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: 'Operation GhostSecret': North Korea Is Suspected in Intensifying Global Cyberattack (WSJ)

Pyongyang-linked data-theft campaign has hit 17 countries, including the U.S., report says

http://www.wsj.com/articles/operation-ghostsecret-north-korea-is-suspected-in-intensifying-global-cyberattack-1524629807

------------------------------

Date: Tue, 24 Apr 2018 09:37:46 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Mysterious cyber-worm targets medical systems, is found on X-ray machines and MRI scanners" (ZDNet)

http://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/
Danny Palmer, ZDNet, 23 Apr 2018
Orangeworm hacking group carefully selects victims in highly targeted attacks.

selected text:

A newly-discovered cybercriminal group is installing custom malware onto the systems of organisations in healthcare and related sectors in order to conduct corporate espionage.

"The targeting of large multinational corporations that work directly in or related to the healthcare space has been a consistent theme with Orangeworm since their discovery," Alan Neville, threat researcher at Symantec told ZDNet.

Within the healthcare sector, Kwampirs malware was found installed on a wide variety of systems, including X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms. However, rather than stealing information stored upon these systems, it is suggested that attackers are mostly interested in learning about the devices themselves.

------------------------------

Date: Tue, 24 Apr 2018 12:36:33 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Comcast partners with Independence Health to create digital health company (Healthcare IT News)

http://www.healthcareitnews.com/news/comcast-partners-independence-health-create-digital-health-company

Use terrible/hated consumer brand for healthcare. What could go wrong?

------------------------------

Date: Wed, 25 Apr 2018 11:37:11 -0400
From: danny burstein <dannyb () panix com>
Subject: Medical transcription service leaves patient records open (Krebs)

Courtesy of Krebsonline, 18 Apr 2018 (URL at end),
Transcription Service Leaked Medical Records
http://krebsonsecurity.com/2018/04/transcription-service-leaked-medical-records/

MEDantex, a Kansas-based company that provides medical transcription services for hospitals, clinics and private physicians, took down its customer Web portal last week after being notified by KrebsOnSecurity that it was leaking sensitive patient medical records - apparently for thousands of physicians.

On Friday, KrebsOnSecurity learned that the portion of MEDantex's site which was supposed to be a password-protected portal physicians could use to upload audio-recorded notes about their patients was instead completely open to the Internet.

What's more, numerous online tools intended for use by MEDantex employees were exposed to anyone with a Web browser, including pages that allowed visitors to add or delete users, and to search for patient records by physician or patient name. No authentication was required to access any of these pages.

------------------------------

Date: Tue, 24 Apr 2018 15:49:00 -0400
From: Monty Solomon <monty () roscom com>
Subject: Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency (Ars Technica)

Almost 1,300 addresses for Amazon Route 53 rerouted for two hours.

http://arstechnica.com/information-technology/2018/04/suspicious-event-hijacks-amazon-traffic-for-2-hours-steals-cryptocurrency/

------------------------------

Date: Tue, 24 Apr 2018 08:50:02 -0400
From: Monty Solomon <monty () roscom com>
Subject: Amazon Launches In-Car Delivery (Business Wire)

http://www.businesswire.com/news/home/20180424005509/en/Buckle-Prime-Members-Amazon-Launches-In-Car-Delivery

------------------------------

Date: Sat, 28 Apr 2018 14:32:45 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A One-Minute Attack Let Hackers Spoof Hotel Master Keys (WiReD)

At the Infiltrate conference in Miami later this week, Tuominen and Hirvonen plan to present a technique they've found to not simply clone the keycard RFID codes used by Vingcard's Vision locks, but to create a master key that can open any room in a hotel. With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free rein to roam any room in the building. The whole process takes about a minute.

http://www.wired.com/story/one-minute-attack-let-hackers-spoof-hotel-master-keys

------------------------------

Date: Wed, 25 Apr 2018 00:00:25 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hackers have found a way to jailbreak the Nintendo Switch (WashPo)

The hack can turn the Switch into a tablet that can run pirated programs and grant hackers far greater control over the system than Nintendo intended.

http://www.washingtonpost.com/news/the-switch/wp/2018/04/24/hackers-have-found-a-way-to-jailbreak-the-nintendo-switch/

------------------------------

Date: Thu, 26 Apr 2018 19:44:11 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The state of patch management (HPE)

http://www.hpe.com/us/en/insights/articles/the-state-of-patch-management-1804.html

It's automated so it's wonderful. That takes more faith than I have.

------------------------------

Date: Tue, 24 Apr 2018 22:56:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: Backlash prompts Eventbrite to drop demand to crash events, record them (Ars Technica)

http://arstechnica.com/information-technology/2018/04/eventbrite-rolls-back-policy-that-would-have-given-it-right-to-record-events/

------------------------------

Date: Mon, 23 Apr 2018 11:04:42 +1000
From: Craig Burton <craig.alexander.burton () gmail com>
Subject: Re: Regulate AI? (Thomas, R 30.66)

Regulate AI: laudable and important goal, but the Three Steps in the Nature article sound the same as proposals for nuclear non-proliferation. Nukes are hard to make and hard to hide. AI code can be emailed to North Korea. Is any kind of prohibition going to work for AI?

What about the opposite: Open and promote AI development so that a pretty good system is freely available. People worried about secret AI systems can turn their efforts to improving the open system. This may put pressure on dark AI systems.

Or is the risk really in applications - that 20 year old AI in textbooks is being keyed into missile guidance software? Then the prohibition needs to be on guided missiles?

------------------------------

Date: Mon, 23 Apr 2018 09:47:27 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Re: ACM ICPC Programming Contest (RISKS-30.66)

The Risk? That someone will confuse this achievement with professional software development.
------------------------------

Date: Mon, 23 Apr 2018 16:33:53 +0100
From: Wols Lists <antlists () youngman org uk>
Subject: Re: Instant Runoff Voting (Unger, R 30 66)

What about Condorcet, as used by Debian? Basically, for any pair of candidates, you say which one you prefer. This will give you a candidate who is preferred above everyone else, or alternatively an "anyone but" candidate to be eliminated. The trouble with Condorcet is you really need a computer to count the votes.

Personally, my favourite where there are multiple positions available (such as our parliamentary elections) would be "top up" places. Keep the current "first past the post" voting for constituencies, then based on the national vote share out the top-up seats to candidates who came second in the constituencies. That's not perfectly fair, it is intended to ensure that two or three parties get most of the seats, but it makes it much easier to unseat an unpopular party. It also prevents the instability that Italy experienced a decade or two when a system, intended to be as fair as possible, resulted in even the largest party not having many seats, and thus the country lurched from one short-lived coalition to another.

------------------------------

Date: Mon, 23 Apr 2018 08:44:53 -0700
From: "Mark E. Smith" <mymark () gmail com>
Subject: Re: American elections are too easy to hack. We must take action now (Schneier, R 30.66)

"The politicians running in the election shouldn't have to argue their challenges in court."

If they are Congressional candidates, they cannot argue their challenges in court. Article I, Section 5 of the U.S. Constitution says, "Each House shall be the Judge of the Elections, Returns, and Qualifications of its own Members..." Candidates who lose Congressional elections due to fraud can appeal only to Congress. Not even the Supreme Court can intervene, as the power to judge Congressional elections rests solely with Congress. Does anyone know if a candidate has ever won one of those appeals?

------------------------------

Date: 22 Apr 2018 22:10:01 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: "A bad day with mobile 2FA" (Maziuk, R 30.66)

If this is an actual problem you must have a remarkably bad local clock. Google uses the standard TOTP algorithm that generates a new key every 30 seconds, and I am reasonably sure they will accept either the current or the previous code to give you time to switch apps and type the code in. So as long as your phone's clock is within a minute of the correct time, the code should work.

One time I lost my phone in an airport parking garage shortly before getting on a plane. It was easy enough to buy another phone and port my number to it, thereby recovering any 2FA keyed to my phone number, but I'd lost all the Authenticator codes. So I made sure that wouldn't happen again. When Google or anyone else shows you a QR code to set up in Authenticator, it contains a base32 seed string along with a comment. If you save or write down that seed string, you can later enter it into Authenticator or any other TOTP application. I have all my seeds both in the phone app and in a python script on my laptop.

Adding to the confusion, I have SIM cards for countries I visit so my phone has a Canadian phone number when I'm in Canada, and a UK phone number when I'm in Europe. This means when I'm traveling, the TOTP 2FA works fine, but anyone who sends a SMS to my US phone number will have to wait until I get home.
So overall I like TOTP a lot better, clock issues and all.

------------------------------

Date: Tue, 24 Apr 2018 14:33:30 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: "A bad day with mobile 2FA" (Levine)

My bank has an even better option, actually: they'll print you a card with 2 rows of symbols for a challenge-response authentication. It's not quite one-time: it's good for a couple of months or until you call them and ask for a new one, whichever comes first. :)

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.67
************************
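The TOTP mechanics John Levine describes in the "A bad day with mobile 2FA" thread above (a new code every 30 seconds, a verifier that accepts the current or the previous code, a base32 seed from the enrolment QR code that can be kept outside the phone app) as a worked example in Python. This is an editor-added illustration, not code from the digest or from any contributor. It assumes the otpauth:// "Key URI" format for the provisioning QR code (the digest only says the code carries a base32 seed plus a comment), constructs a throwaway seed for that part, and checks the generator against the published RFC 4226/6238 reference key so the arithmetic can be verified offline.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Reference key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used
# only so the outputs can be compared with the published test vectors.
RFC_SEED = base64.b32encode(b"12345678901234567890").decode()

# Constructed provisioning URI of the kind an enrolment QR code encodes
# (otpauth:// Key URI format, an assumption of this example). Not a real
# credential; the secret is a throwaway value.
EXAMPLE_URI = "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def seed_from_uri(uri):
    """Return the base32 seed carried by an otpauth://totp/... URI.

    This is the string worth saving at enrolment time: with it, any TOTP
    app or a script on a laptop can regenerate the codes if the phone is lost."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("provisioning URI carries no secret")
    return params["secret"][0]


def hotp(seed_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    seed = seed_b32.strip().upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))  # restore padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(seed_b32, int(unix_time) // step, digits)


def current_code(seed_b32):
    """What an authenticator app (or Levine's laptop script) shows right now."""
    return totp(seed_b32, time.time())


def verify_totp(seed_b32, candidate, unix_time, step=30, digits=6,
                back=1, forward=0):
    """Verifier-side check with a tolerance window.

    back=1, forward=0 accepts the code for the current step and the previous
    one, the policy Levine describes: a client clock running slow by up to one
    step still passes, a fast clock does not unless forward > 0. Every step in
    the window is compared in constant time, with no early return."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = int(unix_time) // step
    accepted = False
    for delta in range(-back, forward + 1):
        if counter + delta < 0:
            continue  # no step before the epoch
        expected = hotp(seed_b32, counter + delta, digits)
        accepted |= hmac.compare_digest(expected, candidate)
    return accepted


if __name__ == "__main__":
    seed = seed_from_uri(EXAMPLE_URI)
    print("seed to keep somewhere safe:", seed)
    print("code right now:", current_code(seed))
```

A verifier should also remember the last step it accepted for a given seed and refuse a second login with the same or an older step, so that a code observed in transit cannot be replayed inside the tolerance window; that bookkeeping is deliberately left out above to keep the generator and the window logic visible.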