RISKS Forum mailing list archives

Risks Digest 30.83


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 13 Sep 2018 14:54:57 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 13 September 2018  Volume 30 : Issue 83

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.83>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Takeaways from Bruce Schneier's new book (Tim Starks)
How to Rig an Election (Victoria Collier, Harpers)
John Kerry: 2004 Vote Tampering in Ohio? (PGN)
Crypto Wars, Again -- and again, and again, and again ... (Rob Slade)
MSpy, Which Builds Software To Spy On Phones, Allegedly Leaked
  Millions Of Records (Gizmodo Australia)
Officials unveil new facial recognition system at Dulles International
  Airport (WashPost)
Israel's National Insurance suspends plan for spy system (Haaretz)
Your canines' barks may be worse than their bites (DefenseOne)
Japan Embraces eVTOL Vision (Mary Grady)
"Tesla sued: Woman wants $300k for crashing on Autopilot while
  reading phone" (Liam Tung)
Driver: GPS Made Me Go Wrong Way Onto I-93, Crash (Patch)
Wireshark fixes serious security flaws that can crash systems
  (Charlie Osborne)
"Premera Blue Cross accused of destroying evidence in data breach lawsuit"
  (ZDnet)
Vicious Rumors Spread Like Wildfire On WhatsApp -- And Destroyed A Village
  (Buzzfeed)
"Vodafone: You used 1234 as your password and were hacked? You cover the
  cost" (Charlie Osborne)
"MEGA.nz Chrome extension caught stealing passwords, cryptocurrency
  private keys" (Catalin Cimpanu)
Tens of iOS apps caught collecting and selling location data (ZDNet)
The EU's copyright plans will let anyone mass-censor the Internet
  (Boingboing)
The story of why Chrome and Firefox will soon block sites with certain SSL
  certificates (Templarbit)
While Cybercriminals Continue To Target Real Estate Transactions,
  Take These Protective Measures (Forbes)
The explosive problem with recycling old electronics (WashPo)
Didi Chuxing introduces new safety measures after passenger death
  (Cyrus Lee)
Are Digital Devices Altering Our Brains? (Scientific American)
These People Were Just Trying To Get To Maui When They Got On Horrible
  Flight Where Everything Went Wrong (Buzzfeed)
BA Hack Leaves Airline Open to Fines Under Tough Data Rules (Bloomberg)
New Home Dream Destroyed: Fraud Victims Fighting Back After Losing $89,000
  (NBC Bay Area)
Google's Doors Hacked Wide Open By Own Employee (Forbes)
São Paulo subway operator gets sued for collecting passenger data
  (Angelica Mari)
Frustration and Finger-Pointing as GOP Pulls Out of Deal Talks
  on Hacked Materials (NYTimes)
Huawei busted for cheating over P20, Honor Play performance benchmarks
  (Liam Tung)
A stranger meant to donate $15 to a GoFundMe page. He accidentally gave
  more than $15,000 (WashPost)
"'Father of Zeus' Kronos malware exploits Office bug to hijack your bank
  account" (Charlie Osborne)
Logged off: meet the teens who refuse to use social media (The Guardian)
Watch: Rascally Rat Jumps and Pulls Fire Alarm at DC Condo (NBC DC)
Two Daily WTF Comments (Gene Wirchenko)
Re: How FireEye Helped Facebook Spot a Disinformation Campaign
  (Richard Stein)
Re: How do you get people to trust autonomous vehicles? (Martyn Thomas)
Re: What3words: putting geographical addresses behind a closed API
  (Dan Jacobson)
Re: Personal domain names (Keith F. Lynch)
Re: The Untold Story of NotPetya, the Most Devastating Cyberattack in
  History (Dan Jacobson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 11 Sep 2018 16:33:12 -0700
From: "Peter G. Neumann" <Peter.Neumann () sri com>
Subject: Takeaways from Bruce Schneier's new book (Tim Starks)

Tim Starks, Politico 11 Sep 2018  [Two excerpts]
With help from Mike Farrell, Eric Geller and Martin Matishak
https://www.politico.com/newsletters/morning-cybersecurity/2018/09/11/takeaways-from-bruce-schneiers-new-book-336012

FIX THE INTERNET BEFORE IT FIXES US -- Technologist Bruce Schneier is out
with his latest book and his most alarming title yet: "Click Here to Kill
Everybody."  In fact, it's one of the most ominous in the entire
cybersecurity canon.  Even in his introduction, Schneier admits to
hyperbole, yet writes the title isn't without merit since "we're already
living in a world where computer attacks can crash cars and disable power
plants -- both actions that can easily result in catastrophic deaths if done
at scale."

So, OK, it's scary.  In this outing, published last week, Schneier digs into
the dangers posed by the rapid spread of Internet connectivity into all our
things. But since he doesn't think the marketing term "Internet of things"
is encompassing enough, he coined his own term: Internet+. If you've
followed Schneier's career or seen his many talks at cybersecurity
conferences, much of what he's writing about won't seem new. And since
that's probably many of you, we're going to highlight just a few of his policy
recommendations (there are many more in the book) and predictions (more of
those, too) when it comes to fixing what he calls the "sloppy state of
Internet+ security."

Cybersecurity requires its own government agency. Schneier writes that
government is "by far the most common way we improve our collective
security." So, he's proposing a National Cyber Office that would not have
regulatory power (at least not initially) but would offer advice, direct
research, convene meetings and set policy priorities. "There is significant
historical precedent in the US for this idea," he writes. "New technologies
regularly lead to the formulation of new government agencies. Trains
did. Cars did. Airplanes did. The invention of radio led to the formation of
the Federal Radio Commission, which became the Federal Communications
Commission. ... The value of a single agency is considerable. The
alternative is to craft Internet+ policy ad hoc and piecemeal, in a way that
adds complexity and doesn't counter emerging threats."

Regulation is inevitable. Regulation is problematic. A largely
regulation-free tech industry may soon be a thing of the past, Schneier
writes. And there are lots of reasons why he sees regulation on the
horizon. One reason is that Internet+ security is a public safety issue -- and
that tends to get governments' attention. But he also worries regulation
will be problematic and could hamper the speed at which tech companies
innovate. "We don't want to -- and can't -- stop technological progress, but
we can make deliberate choices between technological futures, or speed up or
delay certain technologies with respect to the others."

Prioritize defense, not offense. Schneier argues that if governments want to
take a leading role in improving cybersecurity, "they need to switch their
thinking and start prioritizing defense." Currently, he says, the U.S. wants
to maintain the Internet for offensive purposes, ensuring that agencies such
as the NSA can eavesdrop on other nations. "With few exceptions, we all use
the same computers and phones, the same operating systems, and the same
applications. We all use the same Internet hardware and software. There is
simply no way to secure US networks while at the same time leaving foreign
networks open to eavesdropping and attack," he writes. But, he says, if the
U.S. shifts its priorities to defense, the Internet will be more secure for
everyone (see below for more on that idea). "We need to recognize that the
security benefits of a secure Internet+ greatly outweigh the security
benefits of a vulnerable one."  [...]

LOTS MORE WORK TO DO -- Leading tech companies want the U.S. government and
other major powers to set limits on their exploitation of digital
vulnerabilities for intelligence gathering and disruptive operations.

"To strike an appropriate balance between risks and benefits, governments
should optimize investing in defensive rather than offensive technologies
and develop policies that clearly define how they acquire, retain, and use
vulnerability information," wrote members of the Cybersecurity Tech Accord,
including Microsoft, Facebook, Dell, Cloudflare, Cisco and HP. Specifically,
the companies want every nation to evaluate its stockpile of secretly
identified flaws using a process like the U.S. government's Vulnerabilities
Equities Process [VEP]. It also wants the countries to "make public the
criteria used in determining whether to disclose a vulnerability or not," in
addition to reviewing withholding decisions every six months.

The Trump administration's 2017 VEP update does not do enough, the Tech
Accord members said. For one thing, the new VEP does not explain "its
calculus for assessing the broader economic impact when it discovers or
acquires a vulnerability, including not only how it measures direct impacts
to consumers but also economic security issues related to the resilience and
reliability of the global technology ecosystem." And, the companies added,
the VEP still doesn't address the long-term consequences of an improper
vulnerability disclosure, like the leak of government hacking tools.

"The signatories of the Tech Accord have always believed that protecting the
public interest in cyberspace requires robust collaboration between the
government and private sectors," the companies wrote. "When the government
approach to vulnerabilities favors stockpiling over disclosure, this
critical collaboration is weakened, and we risk losing the public's trust in
cyberspace. For technology companies and for technology developers, to be
effective partners in protecting users, they must be active participants in
the awareness and mitigation of new vulnerabilities."

------------------------------

Date: Tue, 11 Sep 2018 12:36:53 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: How to Rig an Election (Victoria Collier, Harpers)

  [This item is included as a history lesson for our newer readers, although
  it should be well known to anyone who has worked seriously on election
  integrity.  Surprisingly, this is the first item on the dark side of the
  Urosevich brothers to appear in RISKS, although Bob was quoted in
  RISKS-22.25.  PGN]

The sheer unreliability of this new technology is only half the problem.
The other half is a series of mergers and acquisitions that have further
centralized the voting-machine industry over the past decade or so.
Election Day is now dominated by a handful of secretive corporations with
interlocking ownership, strong partisan ties to the far right, and
executives who revolve among them like beans in a shell game.

Bob and Todd Urosevich are hardly household names. Yet the two brothers have
succeeded in monopolizing American election technology for decades through a
pair of supposedly competing corporations: the Ohio-based Diebold and the
Nebraska-based ES&S. The latter was founded by the Urosevich brothers in
1979 and is headquartered in Omaha... It is also, let us recall, the same
company that may have won Chuck Hagel his Senate seat.

Diebold became the most infamous name in the industry in 2003, when its CEO,
Walden O'Dell, a top fund-raiser for George W. Bush, made a jaw-dropping
public promise to ``deliver'' Ohio's electoral votes to Bush.  The following
year, California banned Diebold's touchscreen system, and Secretary of State
Kevin Shelley blasted the company as fraudulent, despicable, and deceitful.
O'Dell stepped down in 2005, right before the filing of a class-action suit
that accused Diebold of fraud, insider trading, and slipshod quality
control.

Concerned about its tarnished brand, the company removed its label from the
front of voting machines. Then Diebold went one step further and changed
the name of its voting-machine division to Premier Election Solutions.

In 2009, Diebold, which makes ATMs and other security systems, got out of
the elections business altogether, selling Premier to ES&S. Here was a
windfall for the Urosevich brothers in more than one sense: Bob had
decamped to Diebold in 2002, when the company bought Global Election
Systems, where he then served as president. Todd, meanwhile, remained at
ES&S. This cozy arrangement was disrupted by a Justice Department antitrust
intervention, which forced ES&S to split ownership of Premier with
Dominion, the next big name in election technology. A month later, the deck
was shuffled once again with Dominion's purchase of Sequoia.*

  *At the time of the purchase, Dominion absorbed some key staffers from
  Sequoia, among them Edwin B. Smith, who now serves as Dominion's vice
  president of certification and compliance. In 2008, Smith threatened legal
  action against two computer scientists hired by an association of New
  Jersey election clerks to examine malfunctioning Sequoia touchscreen
  machines. The following year, in a farcical conflict of interest, he was
  appointed to the EAC's Technical Guidelines Development Committee, which
  helps determine which specific voting machines should be certified for
  use.

Between them, Dominion and ES&S now count the majority of American ballots.
There are, of course, newer technologies in development, including Web-based
voting. This latest innovation is being peddled by the Spanish-owned Scytl,
which named Bob Urosevich managing director of its Americas division in
2006.

One would think (or hope) that a private industry entrusted with America's
votes would require the highest degree of personal integrity from its
employees. As it happens, many of the key staffers behind our major
voting-machine companies have been accused or convicted of a dizzying array
of white-collar crimes, including conspiracy, bribery, bid rigging,
computer fraud, tax fraud, stock fraud, mail fraud, extortion, and drug
trafficking.

In 2001, for example, a grand jury indicted Philip Foster, Sequoia's
southern regional sales manager, for malfeasance and conspiring to launder
money. During the previous decade, he had facilitated a kickback scheme
that funneled payments to a Louisiana elections official, who purchased
Sequoia equipment while winking at millions of dollars in overcharges. The
scheme, which also involved Foster's brother-in-law and fellow Sequoia
employee David Philpot, was hardly an advertisement for the company. Yet
Foster, who gained immunity for his testimony against the elections
official, not only avoided jail time but was promoted to vice president of
sales administration and strategies at Sequoia.

One high achiever actually got his start in prison. Jeffrey Dean's
vote-by-mail software -- developed while Dean was serving a sentence for
twenty-three counts of embezzlement -- came to dominate the U.S.
absentee-voting market. Once out of prison, Dean launched his own
ballot-printing company with narcotics trafficker John Elder. They later
sold it to Global Election Systems, where, readers will recall, Bob
Urosevich served as president and COO, before the company was sold to
Diebold.

This leads us to a crazy-making realization. Although many felons (and prior
felons) can't cast a ballot in America -- an estimated 6 million citizens
will be disenfranchised in 2012 due to felony convictions -- these
particular felons are apparently free to design and manage our entire
elections industry.

------------------------------

Date: Tue, 11 Sep 2018 16:19:52 -0700
From: "Peter G. Neumann" <Peter.Neumann () sri com>
Subject: John Kerry: 2004 Vote Tampering in Ohio?

Politico, 11 Sep 2018
<http://go.politicoemail.com/%3Fqs%3D0d02fbfab9b52d3427d2bdfabbb4c272b9e1e6a54a0fa95781983658d946b5fd8ec7abe830fc569b506961e90df59c26

On Monday, DHS officials such as Secretary Kirstjen Nielsen and Chris Krebs,
undersecretary of DHS's National Protection and Programs Directorate,
pledged their support to local election officials at the conference and
emphasized that the department prioritizes election security. While some
believe the relationship between the federal government and state and local
election officials has improved, former Secretary of State John Kerry said
there were election irregularities in Ohio during the 2004 presidential race
and suggested tallies had been altered and voting machines were vulnerable
to hackers.
<http://go.politicoemail.com/%3Fqs%3D0d02fbfab9b52d344450307a211e07be70d8be3786f2a9edb227aec6dca12d7b359a0defaf672456f689a5f19d884f80

"We knew that of the provisional votes that were waiting to be counted, or
able to be counted, we didn't have the numbers necessary to have the margin
-- according to what they had decided to count, or the way the machines came
in. The problem for us was we were doubting whether the machines themselves
had been appropriately measured and whether the algorithm was correct," he
said during an interview on WNYC's Brian Lehrer Show.

"We were told by the court that you were not able to get that algorithm, to
check it, because it was proprietary information. And I believed that it was
absolutely incorrect that ... the election for the presidency of the United
States should somehow be the purview of privately owned machines where the
public doesn't have the right to know whether the algorithm's been checked,
or whether they are hackable or not. And we now know they are hackable."

  [In his new book, *Every Day is Extra*, John Kerry mentions Swift-Boating
  -- which has been noted previously as an earlier example of the effects of
  disinformation on elections.  PGN]

------------------------------

Date: Tue, 4 Sep 2018 18:21:56 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Crypto Wars, Again -- and again, and again, and again ...

I lived through the crypto wars, 1990s edition.
https://en.wikipedia.org/wiki/Crypto_Wars
I remember the Clipper Chip, Skipjack, and the LEAF (Law Enforcement Access
Field).  I remember that, after the NSA spent millions of dollars, and years
and years, developing it, it took the crypto community *three weeks* to
figure out that there was a flaw in it.  (And, ironically, the flaw was not
in Skipjack, per se.  As far as anyone knows, Skipjack is still a reasonably
decent medium strength crypto algorithm.  The flaw was in the LEAF, the
whole reason for the project in the first place.  It's trivially easy to
spoof the LEAF.)

But it seems we are going to have this all over again.  LE and the spooks
still think they need access to everything everyone says, all the time.
https://techcrunch.com/2018/09/03/five-eyes-governments-call-on-tech-giants-to-build-encryption-backdoors-or-else/
or https://is.gd/lUftcH

I remember "The Electronic Privacy Papers."
http://victoria.tc.ca/int-grps/books/techrev/bkelprpa.rvw

(Still got a copy of that, too.)  I remember the page that has the results
of a request for info about wiretaps that were impeded by crypto.  Except
for the table frame itself, and the column headings, every piece of info on
it is blacked out.

I remember Dorothy Denning, who was on the LE side at the beginning of the
crypto wars.  But, good scientist that she is, she asked for cases from LE
where they couldn't get a conviction because of crypto.  Nobody could give
her any.

I remember PGP, and the threats to throw Phil Zimmermann in jail because of
ITAR.  And I've got a copy of "PGP: Source Code and Internals" by Phil,
published by MIT Press,
https://www.amazon.ca/PGP-Internals-Philip-R-Zimmermann/dp/0262240394/
and available anywhere in the world because it was a book and therefore
protected by the holy First Amendment.  (For those who don't get the joke it
was simply a printed copy of the PGP source code.)

I also remember that the 1990s version of the crypto wars ended not because
of all of our reasoned arguments about how stupid crypto regulations were,
but because American businesses told the government that non-American
businesses were going to build crypto anyway, and if the regs were in place
Americans couldn't compete in business.  *That* got their attention ...

------------------------------

Date: Sat, 8 Sep 2018 20:33:29 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: MSpy, Which Builds Software To Spy On Phones, Allegedly Leaked
  Millions Of Records (Gizmodo Australia)

mSpy, a company that sells software designed to let users spy on their
children, partners, or anyone else they want to keep their eye on, left
exposed more than two million records ``including software purchases and
iCloud usernames and authentication tokens of devices running mSky [sic*],''
TechCrunch reported.

https://www.gizmodo.com.au/2018/09/mspy-which-builds-software-to-spy-on-phones-allegedly-leaked-millions-of-records/

  [* Spy-in-Sky?  sick transfer glorious Monday?  PGN]

------------------------------

Date: Fri, 7 Sep 2018 09:45:18 -0400
From: Monty Solomon <monty () roscom com>
Subject: Officials unveil new facial recognition system at Dulles
  International Airport (WashPost)

Officials say the new system will eliminate the need for old-school boarding
passes.  But the airport's embrace of the technology is raising concern among
privacy advocates.

https://www.washingtonpost.com/transportation/2018/09/06/officials-unveil-new-facial-recognition-system-dulles-international-airport/

    [Identical text submitted by Gabe Goldberg.  PGN]

  [See also *Big Brother in Berlin*, Janosch Delcker, Politico.EU, 13 Sep
  2018, which notes that Berlin's railway station is now conducting an
  experiment to compare people's faces with a digital database -- with
  ``mixed results''.  (The item is still not up on his website:
    https://www.politico.eu/staff/janosch-delcker/
  as I write this, many hours later.  PGN)]

------------------------------

Date: Thu, 6 Sep 2018 17:33:17 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Israel's National Insurance suspends plan for spy system (Haaretz)

Israel's National Insurance Institute (similar to US Social Security) had
announced it is suspending a tender requesting offers for a system designed
to track down people who apply for disability compensation.

According to leaked documents, the system's expressed purpose is to prevent
fraud, but the request specified that the system should have the ability to
track people in all social media, including closed groups, private sites,
and hidden locations (a.k.a. "the Dark Net").

Source (in Hebrew, I couldn't locate an English version):
https://www.haaretz.co.il/captain/net/.premium-1.6455812

------------------------------

Date: Tue, 11 Sep 2018 9:08:52 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Your canines' barks may be worse than their bites (DefenseOne)

https://www.defenseone.com/technology/2018/09/military-now-has-tooth-mics-invisible-hands-free-radio-calls/151145/

------------------------------

Date: Fri, 7 Sep 2018 15:47:55 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Japan Embraces eVTOL Vision (Mary Grady)

https://cdn.avweb.com/media/newspics/325/p1cmii9e8kmm13pd9jq14bestu6.png

Uber Elevate held its first Asia Pacific Expo last week, in Tokyo, where
government officials said they are on board with the vision of creating
urban transport systems with autonomous eVTOLs. ``We see much potential in
flying cars,'' said Daisaku Hiraki, a vice-minister with Japan's Ministry of
Economy, Trade and Industry. ``I believe public and private sectors,
including companies outside of Japan, should work collaboratively to develop
this new technology.'' Uber Elevate also named five finalists for the first
international city to launch Uber Air services, and announced it will
experiment with drone delivery.

Uber already has said it is working to test its aerial taxi service in
Dallas and Los Angeles by 2020. The short list for the first international
test site includes Japan, India, Australia, Brazil and France. Uber also is
exploring the use of drones for its Uber Eats service, which provides quick
home delivery of takeout meals. ``Uber sees a compelling opportunity to
bring the same benefits that urban aviation will bring its ride-sharing
business to its food-delivery business,'' according to the company's news
release. ``By taking to the air, Eats will be able to offer faster, farther
reaching, more affordable, and more reliable deliveries to more customers
and restaurants across the world.''

  [With respect to the subject line of this item, we hope that the vision of
  autonomous flying vehicles is far better than the vision of the government
  officials.  However, the likelihood of trustworthy autonomous flying
  e-VTOLs must also be significantly greater than that of flying pigs.  PGN]

------------------------------

Date: Mon, 10 Sep 2018 10:58:44 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Tesla sued: Woman wants $300k for crashing on Autopilot while
  reading phone" (Liam Tung)

  I think that Tesla's attempts to thin the herd are not working very well.

https://www.zdnet.com/article/tesla-sued-woman-wants-300k-for-crashing-on-autopilot-while-reading-phone/

Liam Tung | 7 Sep 2018
Tesla accused of negligence for selling a car, in this case a Model S, that
failed to function as advertised.

opening text:

A Utah woman who crashed her Model S into a stationary firetruck in May is
suing Tesla for damages, claiming she was informed that in Autopilot mode
the car would automatically brake if it detected an obstacle in its path.
The woman, Heather Lommatzsch, has alleged that Tesla salespeople told her
this when she bought the Model S in 2016, but that before the crash the
Tesla "failed to engage as advertised".  In an interview with South Jordan
police after the crash, Lommatzsch admitted she was looking at her phone
before the collision, and witnesses said the Tesla didn't brake or attempt
to avoid the crash.

------------------------------

Date: Sat, 8 Sep 2018 16:13:21 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Driver: GPS Made Me Go Wrong Way Onto I-93, Crash (Patch)

https://patch.com/virginia/fairfaxcity/s/gi9p9/nh-driver-gps-made-me-go-wrong-way-i-93-crash

How many signs and other visual clues must have been ignored. "GPS made
me..."

GPS 1; Common Sense, 0

------------------------------

Date: Tue, 04 Sep 2018 17:57:43 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Wireshark fixes serious security flaws that can crash systems
  (Charlie Osborne)

Charlie Osborne for Zero Day | 3 Sep 2018
Wireshark fixes serious security flaws that can crash systems through DoS
Proof-of-concept code detailing related exploits has been released to the
public.
https://www.zdnet.com/article/wireshark-fixes-serious-security-flaws-that-can-crash-the-system-cause-dos/

------------------------------

Date: Tue, 04 Sep 2018 18:02:36 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Premera Blue Cross accused of destroying evidence in data
  breach lawsuit" (ZDnet)

Catalin Cimpanu for Zero Day | 3 Sep 2018
https://www.zdnet.com/article/premera-blue-cross-accused-of-destroying-evidence-in-data-breach-lawsuit/
Class-action lawsuit plaintiffs claim US health insurer Premera Blue
Cross intentionally destroyed evidence despite ongoing litigation.

selected text:

The plaintiffs of a class-action lawsuit against health insurance provider
Premera Blue Cross are accusing the organization of "willfully destroying"
evidence that was crucial for establishing accurate details in a security
breach incident.

In court documents filed last week obtained by ZDNet, plaintiffs claim that
Premera intentionally destroyed a computer that was in a key position to
reveal more details about the breach, but also software logs from a security
product that may have shown evidence of data exfiltration.

Establishing if hackers stole data from Premera's systems is crucial for the
legal case. Breach victims part of the class-action will be able to claim a right
for monetary compensation, while Premera may argue that since hackers did
not steal data from its servers, there is no tangible harm to victims.

------------------------------

Date: Mon, 10 Sep 2018 16:19:17 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Vicious Rumors Spread Like Wildfire On WhatsApp --
  And Destroyed A Village (Buzzfeed)

https://www.buzzfeednews.com/article/pranavdixit/whatsapp-destroyed-village-lynchings-rainpada-india

------------------------------

Date: Thu, 06 Sep 2018 10:41:27 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Vodafone: You used 1234 as your password and were hacked? You
  cover the cost"

Charlie Osborne for Zero Day | 6 Sep 2018
https://www.zdnet.com/article/vodafone-you-used-1234-as-your-password-and-were-hacked-you-cover-the-cost/
Vodafone: You used 1234 as your password and were hacked? You cover the cost
Hackers are behind bars for stealing $30,000 from accounts, but
Vodafone wants their victims to pay the tab.

selected text:

If you use a simple, easy-to-guess password such as "QWERTY" or "1234," you
might pay for your mistake by having someone access your online accounts
without permission -- and you may also find yourself paying out for
subsequent damages and lost funds.

That is, if Vodafone reportedly has its way.

According to local media idnes.cz, two men were able to access customer
accounts by testing out "1234" as a password, enabling them to order new SIM
cards without permission which were picked up at local branches.

These SIM cards were activated and used in mobile phones without any further
authentication, as the attackers already knew the phone number and name
associated with each compromised account.

According to idnes.cz, Vodafone has argued the customers are at fault as
they are responsible for the strength of their password.

A Vodafone spokesperson told the publication that the default, weak password
was not an automatic element; but rather, employees were able to set up an
account with "1234" if customers could not decide on their password choice
in-store -- but they would have been warned to change it to something
stronger later.

The publication reports that some account holders impacted by the scheme
have received debt collectors at their door to recoup lost funds.

"If the account was misused by an unknown offender, the correct procedure is
that the customer will report the situation to the Czech police and file a
criminal complaint," the Vodafone spokesperson said. "Unfortunately, we
cannot compensate for the charged amount."

Jiri Kropac, the head of Threat Detection Labs at ESET, tested the portal on
behalf of Bleeping Computer and confirmed that the portal's inherent
security is poor as a password can only consist of four to six numbers. This
is not difficult to brute-force attack.

------------------------------

Date: Thu, 06 Sep 2018 10:56:39 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "MEGA.nz Chrome extension caught stealing passwords, cryptocurrency
  private keys" (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 4 Sep 2018

https://www.zdnet.com/article/mega-nz-chrome-extension-caught-stealing-passwords-cryptocurrency-private-keys/

MEGA.nz Chrome extension caught stealing passwords, cryptocurrency private
  keys
Tainted extension caught stealing passwords for Google, Microsoft,
GitHub and Amazon accounts, but also Monero and Ethereum private keys.

opening text:

The official Chrome extension for the MEGA.nz file sharing service has been
compromised with malicious code that steals usernames and passwords, but
also private keys for cryptocurrency accounts, ZDNet has learned.

The malicious behavior was found in the source code of the MEGA.nz Chrome
extension version 3.39.4, released as an update earlier today.

Google engineers have already intervened and removed the extension from the
official Chrome Web Store, and also disabled the extension for existing
users.

------------------------------

Date: Mon, 10 Sep 2018 17:21:52 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Tens of iOS apps caught collecting and selling location data
  (ZDNet)

https://www.zdnet.com/article/tens-of-ios-apps-caught-collecting-and-selling-location-data/

  [See also a WiReD/Ars Technica report:
  iOS apps are secretly sharing location data for profit.
https://www.theatlantic.com/magazine/archive/2008/07/is-google-making-us-stupid/6868
  PGN]

------------------------------

Date: Tue, 11 Sep 2018 09:45:33 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The EU's copyright plans will let anyone mass-censor the Internet
  (Boingboing)

via NNSquad

If the Article 11 "link tax" passes, European news sources are going to find
themselves delisted from search engines (and most other sites) that have a
European point of presence so fast that their heads will spin. Their search
traffic will plummet. Hardly anyone will be willing to pay extortion to keep
listing them. Bye bye! And if Article 13 content filtering passes, not only
will there be massive blacklisting of European users from access to major
sites (sorry, you are not permitted to use this site!), but I predict the
new enforcement engines will be continually inundated with massive amounts
of fake claims that will melt them all into smoldering slag in nothing flat.
Did I say bye bye already? Yep, bye bye again! - L

https://boingboing.net/2018/09/11/free-expression-v-big-content.html

  Combine these facts -- anyone can add anything to the blacklists, new
  blacklist entries can be added in bulk, the new entries are in effect the
  instant they're added -- and it's easy to see how malicious and
  unscrupulous actors will be able to censor the web with impunity.  Any
  politician who commits a gaffe just before an election; any celeb or
  billionaire caught saying or doing something cruel; any fringe group
  wanting to suppress evidence of their harassment or violent deeds will be
  able to send bots to submit copyright claims to the major platforms faster
  than the human staff at the platforms could remove them, suppressing
  evidence of wrongdoing at crucial junctures.  There's not really any way
  around this. If you're going to filter billions of works that anyone can
  submit, and if the filters have to kick in as soon as works are added,
  then abusers will always have the advantage.  That said, it's important to
  note that the advocates for this plan rejected all proposals to punish
  people who fraudulently claimed copyright in works they didn't own:
  measures from fines to being excluded from making future copyright claims
  were rejected out of hand.

------------------------------

Date: Mon, 10 Sep 2018 17:25:27 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The story of why Chrome and Firefox will soon block sites with
  certain SSL certificates (Templarbit)

In the near future, Google Chrome and Mozilla Firefox will begin distrusting
SSL certificates from Symantec, GeoTrust, Thawte, VeriSign, Equifax, and
RapidSSL. This change will take effect when Chrome 70 beta and Firefox 63
beta are released in early September. The stable public release of Chrome 70
and Firefox 63 is slated for October.

https://www.templarbit.com/blog/2018/09/07/the-story-of-why-chrome-and-firefox-will-soon-block-sites-with-certain-ssl-certificates/

------------------------------

Date: Thu, 6 Sep 2018 16:23:07 -0400
From: Monty Solomon <monty () roscom com>
Subject: While Cybercriminals Continue To Target Real Estate Transactions,
  Take These Protective Measures (Forbes)

https://www.forbes.com/sites/forbesrealestatecouncil/2018/07/11/while-cyber-criminals-continue-to-target-real-estate-transactions-take-these-protective-measures/

  Also,
  Homebuyers, Beware: Hackers Targeting Real Estate Transactions
https://www.nbcbayarea.com/news/local/Homebuyers-Beware-Hackers-Targeting-Real-Estate-Transactions-486870901.html

  Experts: Virtually All CA Real Estate Transactions Targeted By Hackers
https://www.nbcbayarea.com/news/local/Experts-Virtually-All-CA-Real-Estate-Transactions-Targeted-By-Hackers-487165181.html

------------------------------

Date: Tue, 11 Sep 2018 13:07:18 -0700
From: Richard Stein <rmstein () ieee org>
Subject: The explosive problem with recycling old electronics (WashPo)

https://www.washingtonpost.com/video/business/technology/the-explosive-problem-with-recycling-old-electronics/2018/09/11/5720df5c-b566-11e8-ae4f-2c1439c96d79_video.html

Thermal events (a.k.a. fires) from lithium-ion batteries (especially from
older generation iPads) arise during the recycling process. Device design
problems complicate disassembly -- too much time consumed reduces recycling
profits.

------------------------------

Date: Mon, 10 Sep 2018 11:10:45 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Didi Chuxing introduces new safety measures after passenger death
  (Cyrus Lee)

Cyrus Lee, ZDNet
https://www.zdnet.com/article/didi-chuxing-introduces-new-safety-measures-after-passenger-death/

Didi Chuxing's enhanced safety measures follow the suspension of its Hitch
ride-sharing service in late August due to a brutal case in China where a
female passenger was raped and killed by her driver in a Hitch ride.

opening text:

Chinese car-hailing platform Didi Chuxing on Saturday introduced a
whole-ride recording function as a trial and suspended late-night services
for a week, as the largest mobile ride-hailing platform kicks off an
overhaul of its safety practices following the deaths of two passengers in
less than 100 days.

From September 8, Didi launched trials to record audio during rides across
the ride-hailing services available on its platforms in mainland China. Didi
platforms will also be suspended between 11 pm and 5 am from September 8 to
15, a Sina news report has said.

   I wonder if these two things will cause more trouble than they solve.

------------------------------

Date: Tue, 11 Sep 2018 13:27:21 -0700
From: Richard Stein <rmstein () ieee org>
Subject: Are Digital Devices Altering Our Brains? (Scientific American)

https://www.scientificamerican.com/article/are-digital-devices-altering-our-brains/

A follow-on to Nicholas G. Carr's Atlantic article
entitled, "Is Google Making Us Stupid?"

"Some say our gadgets and computers can help improve intelligence.  Others
say they make us stupid and violent. Which is it?"

"Stupid is as stupid does." -- Forrest Gump
(https://www.moviequotesandmore.com/forrest-gump-quotes/)

"Violence is the last refuge of the incompetent." -- Isaac Asimov,
Foundation (https://www.goodreads.com/work/quotes/1783981-foundation)

------------------------------

Date: Wed, 5 Sep 2018 01:02:27 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: These People Were Just Trying To Get To Maui When They Got On A
  Horrible Flight Where Everything Went Wrong (Buzzfeed)

Hawaiian Airlines Flight 23 was originally set to take off Friday morning
and was already taxiing when multiple passengers alerted the crew that they
had received a horrifying photo of what appeared to be a dead child facedown
in a crime scene with numerical markers.

At least 15 passengers were sent the gruesome photo, Alameda County Sgt.
Ray Kelly told Buzzfeed News.  The crew showed the images to the pilot, who
made the decision to return to the gate.

It turned out that the photo came from a 15-year-old girl who was trying to
send an image from her high school medical-biology class to her mother, who
was sitting next to her, but accidentally AirDropped the photo to the other
passengers around her. AirDrop allows the instant transfer of files among
supported Apple devices, like iPhones and iPads, as long as the option is
turned on. The "dead" child in the image was actually a mannequin.

"She was telling her mom about the class, and her mom supposedly just got a
new iPhone," Kelly said. "People were a little alarmed by it."

The girl and her mother were not allowed to continue on the flight and were
rebooked on a flight Saturday, Kelly said. They were questioned by officers
from the Alameda County Sheriff's Office, who determined that there was no
actual crime.

https://www.buzzfeednews.com/article/mbvd/these-people-were-just-trying-to-get-to-maui-when-they-got

------------------------------

Date: Sat, 8 Sep 2018 00:54:59 -0400
From: Monty Solomon <monty () roscom com>
Subject: BA Hack Leaves Airline Open to Fines Under Tough Data Rules
  (Bloomberg)

https://www.bloomberg.com/news/articles/2018-09-07/ba-hacking-leaves-airline-open-to-fines-under-tough-data-rules

------------------------------

Date: Thu, 6 Sep 2018 16:24:41 -0400
From: Monty Solomon <monty () roscom com>
Subject: New Home Dream Destroyed: Fraud Victims Fighting Back After Losing
  $89,000

https://www.nbcbayarea.com/news/local/Fraud-Victims-Demand-Answers-After-Losing-89000-488680331.html

------------------------------

Date: Fri, 7 Sep 2018 10:15:03 -0400
From: Monty Solomon <monty () roscom com>
Subject: Google's Doors Hacked Wide Open By Own Employee (Forbes)

https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee/

------------------------------

Date: Fri, 07 Sep 2018 10:59:36 -0700
From: Gene Wirchenko <genew () telus net>
Subject: São Paulo subway operator gets sued for collecting passenger data
  (Angelica Mari)

Angelica Mari for Brazil Tech | 6 Sep 2018

https://www.zdnet.com/article/sao-paulo-subway-operator-gets-sued-for-collecting-passenger-data/

Gathering data on public transport users is illegal as it's unauthorized and
people have no choice in the matter, says local consumer rights institute.

selected text:

The Brazilian Institute of Consumer Protection (IDEC) has launched a civil
lawsuit against São Paulo subway operator ViaQuatro around the collection
of passenger data.

The marketing technology launched in April consists of four sets of doors
with screens where customer information is displayed as well as
advertisements, with sensors collecting data on passengers standing in front
of the doors such as emotions, approximate age and gender.

In the civil lawsuit, it is argued that the initiative is illegal, given
that public transport users did not authorize the collection of data - and
had no choice in the matter, given the sensors are placed on the train
doors.

"The case is of overwhelming magnitude. Users have no right to choose:
either they accept the collection of their data, or they have to look for
another way of getting around in the city," says IDEC lawyer and digital
rights expert, Rafael Zanatta.

Zanatta adds the initiative is abusive, since public transport is an
essential service and also violates the Constitution in addition to various
federal laws.

------------------------------

Date: Fri, 7 Sep 2018 10:12:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Frustration and Finger-Pointing as GOP Pulls Out of Deal Talks
  on Hacked Materials (NYTimes)

Leaders of the campaign arms for House Republicans and Democrats had labored
for much of the summer over rules that would have governed how the
committees and their candidates treated such material.

https://www.nytimes.com/2018/09/06/us/politics/house-hacked-materials.html

Petty Republican excuse for abandoning important deal.

------------------------------

Date: Fri, 07 Sep 2018 11:03:05 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Huawei busted for cheating over P20, Honor Play performance benchmarks
  (Liam Tung)

Liam Tung | 7 Sep 2018
Our rivals do it, so we had no choice but to follow suit, argues Huawei.

https://www.zdnet.com/article/huawei-busted-for-cheating-over-p20-honor-play-performance-benchmarks/

selected text:

Huawei has been caught tweaking several of its high-end phones, including
the P20 and P20 Pro, to outdo rivals in benchmark tests.  Huawei justified
the technique on the grounds that rivals were doing the same thing and it
had no option but to respond.

Huawei explained that when its software detects a benchmarking app, it goes
into Performance Mode. The company is planning to give users access to this
app too, which at present is hidden.

------------------------------

Date: Sat, 8 Sep 2018 20:32:16 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A stranger meant to donate $15 to a GoFundMe page.  He accidentally
  gave more than $15,000.

*The Washington Post*
https://www.washingtonpost.com/local/a-stranger-meant-to-donate-15-to-a-gofundme-page-he-accidentally-gave-more-than-15000/2018/09/08/6a3de272-b2bb-11e8-aed9-001309990777_story.html

No plausibility check, no "Are you really sure?" for huge amounts, powerless
and hard to reach "Customer Happiness Team"? Nice.

------------------------------

Date: Tue, 11 Sep 2018 10:51:04 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "'Father of Zeus' Kronos malware exploits Office bug to hijack
  your bank account" (Charlie Osborne)

Charlie Osborne for Zero Day | 11 Sep 2018

https://www.zdnet.com/article/new-father-of-zeus-kronos-malware-variant-exploits-office-bug-to-hijack-your-bank-account/

'Father of Zeus' Kronos malware exploits Office bug to hijack your bank
account

The $7000 malware shows there is serious money to be made in the
banking Trojan market.

------------------------------

Date: Thu, 6 Sep 2018 10:34:02 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Logged off: meet the teens who refuse to use social media
  (The Guardian)

https://www.theguardian.com/society/2018/aug/29/teens-desert-social-media

Excerpt:

  As the first generation to grow up online, Gen Z never had to learn social
  media, or at least not exactly. They glided through every iteration:
  Facebook (2004), Twitter (2006), Instagram (2010), Snapchat (2011) in real
  time, effortlessly adopting each one. But a life lived in pixels from your
  earliest age is no easy thing.

  "You start doing things that are dishonest," says Amanuel, who quit social
  media aged 16. "Like Instagram: I was presenting this dishonest version of
  myself, on a platform where most people were presenting dishonest versions
  of themselves."

  Like Amanuel, Jeremiah Johnson, 18, from Luton, grew weary of the
  pressures of sustaining an online persona. "It's a competition for who can
  appear the happiest," he says. "And if you're not happy and want to vent
  about it on social media, you're attention-seeking."

  After being "bugged" by his friends to get Instagram (he had stopped using
  Facebook aged 16), Johnson joined. He lasted six months. "If you're having
  a bad day and scrolling through it, you're constantly bombarded with
  pictures of people going to parties. Even if that's not an accurate
  portrayal of their lives, that's what you see. So I stopped using it. It
  became depressing. It was this competition of who's the happiest." He
  pauses. "Participating in that is not something I'm interested in."

------------------------------

Date: Mon, 10 Sep 2018 17:42:25 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Watch: Rascally Rat Jumps and Pulls Fire Alarm at DC Condo (NBC DC)

https://www.nbcwashington.com/entertainment/Watch_-Rascally-Rat-Jumps-and-Pulls-Fire-Alarm-at-DC-Condo_Washington-DC-492773051.html

The risk, besides rats? Too easy to trigger alarms.

------------------------------

Date: Thu, 06 Sep 2018 10:10:47 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Two Daily WTF Comments

Yes, I know this is not a computer-related risk, but it is not that far off
one.  As technology changes, so do risks.  Some new risks are simply old
ones repackaged.  For example, chain E-mails were originally chain letters.
Be aware.

Here are two comments that were posted at thedailywtf.com to the article
"Classic WTF: Security By Letterhead":

Comment 1:

  My wife tried to move our Cable TV account to a new address.
  This from the company advertising how easy it is.

  Problem is, she isn't officially on the account. They demand that only I
  can make the changes. She has all my info, but they still want to speak to
  me, to make sure I'm ok with it.

  So... they ask if they can call me at home. She's calling from the home
  #. So they ask for my cell number. She gives them my #.

  They call me, ask me if I'm BobbyTables, I say I am, they ask if I will
  allow my wife to change the account. I agree.

  Now she has full access.

  I nearly questioned them when they called me, on how they were sure it was
  really me, but my wife would have killed me.

Comment 2:

  I have had something similar happen to me. I rent an apartment through a
  letting agency who (it turns out really did) change their bank, as a
  result my rent payments would need to go into a new bank account.

  I come home one day to find a letter on the doormat which tells me "Stop
  paying large amounts of money into this bank account, pay it into this
  other one instead!" which obviously, I looked upon suspiciously as not
  only could this be a scam but one that could have me threatened with
  eviction.

  Naturally I get in touch with the letting agency and the conversation went
  something like this:

  Spoad: "Hello I've received a letter claiming to be from you stating that
  you have changed your bank account for rent payments, is this correct?"
  Estate monkey: "Well what are you calling me for?"
  Spoad: "Well I just wanted to check that it was indeed the case."
  Estate monkey: "Duh, of course it is that is why we sent you a letter!"
  Spoad: "Okay then I will redirect my payments immediately, I just wanted
  to check the letter was actually from you."
  Estate monkey: "Well of course it was, it was on our letterhead wasn't
  it?"

  So yeah, it seems in the world of the bureaucratic dullard, letterheads
  really are considered totally secure.

  What worries me more (although I should have lower hopes for humanity
  after working in IT for so long) is the agent's tone and response implying
  that I was the idiot for phoning, implies that no-one else did.... So
  presumably if I sent a similar letter to all my neighbours with my bank
  details on, they would just give me their rent money without so much as
  raising an eyebrow... because you know, letterheads are secure!

------------------------------

Date: Thu, 6 Sep 2018 11:21:32 -0700
From: Richard Stein <rmstein () ieee org>
Subject: Re: How FireEye Helped Facebook Spot a Disinformation Campaign

Which is the greater risk:

1) FireEye performing an apparent public service, or is this business merely
   serving their contractual (government) masters to advance a specific
   political agenda?

2) The general public's gullibility and inability to independently
   discriminate and avoid incendiary and/or specious information which
   threatens status quo political interests?

Propaganda existed well before the Internet and social media. What did our
predecessors do when faced with lies (e.g., Senator Joseph McCarthy and The
Red Scare)? McCarthy was censured by the Senate and voted out of office
after exposure by the press -- a more resilient and trustworthy information
source that proved his mendacity.

Social media platforms apparently require a 'Big Brother' capability, or a
social credit score, to continuously authenticate and vet content viability
and sources. Picking "fly poop from the pepper pile" is an editorial act
best performed by unbiased, objective reviewers. Though costly to operate
with carbon-based wisdom, a silicon-based equivalent represents a good game
target for bots to play. Silicon-based editorial judgment can be bought by
the highest bidder, or most prolific disinformation botnet, when algorithms
can be arbitrarily tuned for bias.

Quis custodiet ipsos custodes? (Who guards the guardians) of social media
content publication? What are their ethics? Are regulation and oversight
required to ensure bias-free, editorial review and publication? How will
these regulations be fairly enforced?

Education systems need to update curricula to include instruction on how to
discern disinformation, and how to ask questions that vet published
sources. "Lies My Teacher Told Me: Everything Your American History Textbook
Got Wrong" by James W. Loewen is a good candidate for addition to the US
syllabus.

------------------------------

Date: Thu, 6 Sep 2018 17:54:54 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Re: How do you get people to trust autonomous vehicles? (Stein,
  RISKS-30.82)

When silicon-driven vehicles equivalence or over-achieve (meaning greater
than 1.18) this fatality rate, then public trust will have reached a
justifiable tipping point favoring autonomous vehicles.

I think that should have been "less than 1.18" fatalities per 100 million
vehicle miles. But even then, I disagree with the sentence.  While there are
still human road users, their behaviour will be affected by the presence of
autonomous vehicles and the overall fatality rate is more important than the
fatality rate attributed to autonomous vehicles alone. Furthermore,
autonomous vehicles may be far better than human drivers in some road and
weather conditions and far worse in others.  They may kill fewer pedestrians
but more cyclists, or (choosing a provocative example to illustrate the
general point) fewer white females and more black males. I believe that the
criteria for favouring autonomous vehicles need to be more detailed than
just counting the directly-attributed fatalities.

------------------------------

Date: Sun, 09 Sep 2018 18:46:17 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Re: What3words: putting geographical addresses behind a closed API
  (Shapir, RISKS-30.82)

AS> if I get to 221 Baker st. by mistake instead of 223 Baker st., it's
AS> easy to look around.

Ah, but not 222, at least not here in Taiwan.

http://jidanni.org/geo/house_numbering/four.html

And don't even dream of 224.

------------------------------

Date: Sun, 9 Sep 2018 17:51:06 -0400
From: "Keith F. Lynch" <kfl () KeithLynch net>
Subject: Re: Personal domain names (Ross, RISKS-30.82)

I've had a personal domain for 18 years, for the same reason, and because it
allows unlimited email addresses.

One major downside, however, is that spammers forge random addresses on my
domain while posting from elsewhere.  This not only causes large numbers of
bounce messages to be sent to me, as many of their spams are sent to bogus
addresses elsewhere, but causes other spammers to harvest those fake
addresses on my domain from the spams that forged them, and start spamming
those addresses.  And every address on my domain gets through to me.

For instance, perhaps someone in China sends millions of spams forged to be
from ludendorff () keithlynch net.  I get thousands of bounce messages, out of
office messages, death threats, etc., from the spam victims.  And a few
weeks later I start getting spams from Brazil and elsewhere sent to
ludendorff () keithlynch net, and to countless other fake addresses on my
domain.

------------------------------

Date: Mon, 10 Sep 2018 11:17:18 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Re: The Untold Story of NotPetya, the Most Devastating Cyberattack
  in History (WiReD)

My favorite part:

After a frantic search that entailed calling hundreds of IT admins in data
centers around the world, Maersk's desperate administrators finally found
one lone surviving domain controller in a remote office -- in Ghana.  At some
point before NotPetya struck, a blackout had knocked the Ghanaian machine
offline, and the computer remained disconnected from the network. It thus
contained the singular known copy of the company's domain controller data
left untouched by the malware -- all thanks to a power outage. "There were a
lot of joyous whoops in the office when we found it," a Maersk administrator
says.

When the tense engineers in Maidenhead set up a connection to the Ghana
office, however, they found its bandwidth was so thin that it would take
days to transmit the several-hundred-gigabyte domain controller backup to
the UK. Their next idea: put a Ghanaian staffer on the next plane to
London. But none of the West African office's employees had a British visa.

So the Maidenhead operation arranged for a kind of relay race: One staffer
from the Ghana office flew to Nigeria to meet another Maersk employee in the
airport to hand off the very precious hard drive. That staffer then boarded
the six-and-a-half-hour flight to Heathrow, carrying the keystone of
Maersk's entire recovery process.

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks have done to URLs.  I have
  tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.83
************************

