Risks Digest 31.05
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 4 Feb 2019 15:12:37 PST
RISKS-LIST: Risks-Forum Digest  Monday 4 February 2019  Volume 31 : Issue 05

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.05>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
A study of fake news in 2016 (Science via PGN)
Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security
  by Robert Chesney, Danielle Keats Citron (SSRN)
Japanese government plans to hack into citizens' IoT devices (ZDNet)
"This smart light bulb could leak your Wi-Fi password" (ZDNet via Gene Wirchenko)
Tech addicts seek solace in 12 steps and rehab (AP)
How Machine Learning Could Keep Dangerous DNA Out of Terrorists' Hands
  (Scientific American via Richard Stein)
Taking apart a botnet ... (Naked Security via Rob Slade)
What If Your Fitbit Could Run on a Wi-Fi Signal? (SciAm)
iPhone FaceTime Bug That Allows Spying Was Flagged to Apple Over a Week Ago (NYTimes)
Apple revokes Google's ability to use internal iOS apps, just like Facebook (WashPost)
Apple hits back at Facebook and revokes a key license (CNBC)
Putting the exact size of land in ads (Dan Jacobson)
Passwords, escrow, and fallback positions (CoinDesk via Rob Slade)
My old RISKS nightmare comes true - partially (Rex Sanders)
Minor Crimes and Misdemeanors in the Age of Automation (DevOps.com)
ICE set up phony Michigan university in sting operation (WashPost via Monty Solomon)
Chinese maker of radios for police, firefighters struggles to outlast Trump trade fight (WashPost)
Keyless Cars Are Easy to Steal Using Cheap Theft Equipment (Fortune via Gabe Goldberg)
UK auto theft (Claire Duffin via Chris Drewe)
Problems with car key fobs (Gizmodo via Arthur T.)
Google, you sent this to too many people, so it must be spam (Dan Jacobson)
Re: Buy Bitcoin at the Grocery Store via Coinstar (John Levine)
Re: Hidden Automation Agenda of the Davos Elite (Henry Baker)
Re: Is it time for Linux? (J Coe)
Re: If 5G Is So Important, Why Isn't It Secure? (Mark Thorson)
Re: The Duty to Read the Unreadable (Amos Shapir)
Re: Risks of Deepfake videos (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 2 Feb 2019 10:46:19 -0800
From: Peter G Neumann <Neumann () csl sri com>
Subject: A study of fake news in 2016 (Science)

Fake news on Twitter during the 2016 U.S. presidential election
Science (AAAS) 363 issue 6425, 25 Jan 2019, pp. 374-378

This is a noteworthy five-authored paper on their detailed examination. For example, only 1% of individuals accounted for 80% of fake news source exposures, and 0.1% accounted for 80% of fake news sources shared. For RISKS readers who are interested in this phenomenon, the article is worth reading.

------------------------------

Date: February 3, 2019 at 12:48:30 AM GMT+9
From: geoff goodfellow <geoff () iconia com>
Subject: Deep Fakes: A Looming Challenge for Privacy, Democracy, and
  National Security by Robert Chesney, Danielle Keats Citron (SSRN)

Contains a landmark law article on deepfakes:

107 California Law Review (2019, Forthcoming)
U of Texas Law, Public Law Research Paper No. 692
U of Maryland Legal Studies Research Paper No. 2018-21
59 Pages  Posted: 21 Jul 2018  Last revised: 23 Aug 2018

Robert Chesney, University of Texas School of Law
Danielle Keats Citron, University of Maryland Francis King Carey School of
  Law; Yale University Yale Information Society Project; Stanford Law School
  Center for Internet and Society

Date Written: July 14, 2018

Abstract

Harmful lies are nothing new. But the ability to distort reality has taken an exponential leap forward with `deep fake' technology.
This capability makes it possible to create audio and video of real people saying and doing things they never said or did. Machine learning techniques are escalating the technology's sophistication, making deep fakes ever more realistic and increasingly resistant to detection. Deep-fake technology has characteristics that enable rapid and widespread diffusion, putting it into the hands of both sophisticated and unsophisticated actors.

While deep-fake technology will bring with it certain benefits, it also will introduce many harms. The marketplace of ideas already suffers from truth decay as our networked information environment interacts in toxic ways with our cognitive biases. Deep fakes will exacerbate this problem significantly. Individuals and businesses will face novel forms of exploitation, intimidation, and personal sabotage. The risks to our democracy and to national security are profound as well.

Our aim is to provide the first in-depth assessment of the causes and consequences of this disruptive technological change, and to explore the existing and potential tools for responding to it. We survey a broad array of responses, including: the role of technological solutions; criminal penalties, civil liability, and regulatory action; military and covert-action responses; economic sanctions; and market developments. We cover the waterfront from immunities to immutable authentication trails, offering recommendations to improve law and policy and anticipating the pitfalls embedded in various solutions.

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3213954&utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axiosfutureofwork&stream=future

------------------------------

Date: Wed, 30 Jan 2019 11:55:34 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Japanese government plans to hack into citizens' IoT devices (ZDNet)

The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices.

https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

------------------------------

Date: Fri, 01 Feb 2019 20:32:42 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "This smart light bulb could leak your Wi-Fi password" (ZDNet)

  [Q: How many hackers does it take to change a light bulb?
   A: Only one, and keep him and it off your network.]

Charlie Osborne for Zero Day | 1 Feb 2019
This smart light bulb could leak your Wi-Fi password.
LIFX smart bulbs contained vulnerabilities that could be exploited with a little ingenuity and the help of a hacksaw.
https://www.zdnet.com/article/this-smart-light-bulb-could-leak-your-wi-fi-password/

selected text:

LimitedResults used the LIFX mini white as a test product, a $15.99 device which can be controlled via smartphone to change the temperature and dimness levels of lighting at home.

After installing the bulb's accompanying app on an Android device and setting up the Wi-Fi connection, the researcher grabbed a saw to hack his way into the hardware within.

After exposing the innards of the bulb and wiping away fireproof paste, the hacker found that the main component of the bulb is an ESP32D0WDQ6 system-on-chip (SoC) manufactured by Espressif.
It didn't take long to solder a few pins to a board in order to connect to the LIFX hardware, and after this link was established, LimitedResults found that Wi-Fi credentials were stored in plaintext within the flash memory.

------------------------------

Date: Sun, 3 Feb 2019 11:34:37 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Tech addicts seek solace in 12 steps and rehab (AP)

Martha Irvine, AP, December 26, 2018
https://www.apnews.com/38141d993106400f8228706334e9b7f4

BELLEVUE, Wash. (AP) — We like to say we're addicted to our phones or an app or some new show on a streaming video service. But for some people, tech gets in the way of daily functioning and self-care. We're talking flunk-your-classes, can't-find-a-job, live-in-a-dark-hole kinds of problems, with depression, anxiety and sometimes suicidal thoughts part of the mix.

Suburban Seattle, a major tech center, has become a hub for help for so-called `tech addicts', with residential rehab, psychologists who specialize in such treatment and 12-step meetings.

------------------------------

Date: Mon, 4 Feb 2019 11:04:39 +0800
From: Richard Stein <rmstein () ieee org>
Subject: How Machine Learning Could Keep Dangerous DNA Out of Terrorists' Hands (Scientific American)

https://www.scientificamerican.com/article/how-machine-learning-could-keep-dangerous-dna-out-of-terrorists-hands/

"But Rob Carlson, managing director at Bioeconomy Capital, a venture-capital firm in Seattle, Washington, is skeptical that stopping DNA-synthesis companies from being exploited will prevent bioterror attacks. 'If you look at what sorts of biological threats have cropped up to date, this isn't one of them,' he says. Most attacks have involved the release of existing pathogens grown in labs; in 2001, for instance, five people in the United States died and 17 were sickened after receiving anthrax-laced letters.

"Terrorists are more likely to follow the blueprint of published research, rather than embark on a research project to design new organisms, Carlson says. He fears that any government efforts to regulate DNA synthesis would push would-be bioterrorists underground."

Risk: Ineffective government investment to deter bioweapon deployment by terrorists.

------------------------------

Date: Mon, 4 Feb 2019 10:47:59 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Taking apart a botnet ... (Naked Security)

The FBI is messing with Joanap, a botnet run by a major North Korean blackhat group.
https://nakedsecurity.sophos.com/2019/02/04/fbi-burrowing-into-north-koreas-big-bad-botnet/

Joanap itself is fairly complicated, with infections being started by an SMB worm, which then installs the Joanap RAT (Remote Access Trojan). Command and control is done via a peer-to-peer distributed network. Which is where the FBI comes in. A court in the US granted them permission to set up fake servers pretending to be controllers on Joanap. As such, they could spy on individual machines, collect information, or even install software (possibly to remove the infections and patch vulnerabilities).

In examining the ethics of active defence, I find this fascinating.
http://www.infosecbc.org/events/new-calendar-event-2/

I'm pretty sure that in Canadian law the FBI action would actually be illegal, which is possibly why they are contacting host governments in the cases of non-US victims.

(Oh, and remember to patch your systems, which is the only reason the blackhats were able to build Joanap in the first place ...)

------------------------------

Date: Wed, 30 Jan 2019 11:10:15 +0800
From: Richard Stein <rmstein () ieee org>
Subject: What If Your Fitbit Could Run on a Wi-Fi Signal? (SciAm)

https://www.scientificamerican.com/article/what-if-your-fitbit-could-run-on-a-wi-fi-signal/

"...molybdenum disulfide (MoS2) -- a two dimensional material because it is just three atoms thick -- can act like an antenna to convert radio signals from wi-fi, cell phones and radio or television broadcasts into power for wireless devices.

"Palacios says the two-dimensional semiconductor can reap 30 to 50 microwatts from ambient wi-fi signals of about 100 microwatts, enough to operate pacemakers, hearing aids, strain sensors, communication links and many low-power IoT objects. Such a system could potentially operate without a battery, lowering weight and avoiding leakage from a medical implant's power source inside the body."

http://catless.ncl.ac.uk/Risks/30/72#subj29.1 discusses harvesting human body heat to power devices.

Steer clear of TEMPEST facilities, or low ambient RF environments if you wear an implantable device powered by MoS2. Neglecting to use a battery backup may be hazardous to your health.

------------------------------

Date: Tue, 29 Jan 2019 18:58:50 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: iPhone FaceTime Bug That Allows Spying Was Flagged to Apple Over a Week Ago (NYTimes)

https://www.nytimes.com/2019/01/29/technology/facetime-glitch-apple.html

On Jan. 19, Grant Thompson, a 14-year-old in Arizona, made an unexpected discovery: Using FaceTime, Apple's video chatting software, he could eavesdrop on his friend's phone before his friend had even answered the call. His mother, Michele Thompson, sent a video of the hack to Apple the next day, warning the company of a "major security flaw" that exposed millions of iPhone users to eavesdropping. When she didn't hear from Apple Support, she exhausted every other avenue she could, including emailing and faxing Apple's security team, and posting to Twitter and Facebook. On Friday, Apple's product security team encouraged Ms.
Thompson, a lawyer, to set up a developer account to send a formal bug report. But it wasn't until Monday, more than a week after Ms. Thompson first notified Apple of the problem, that Apple raced to disable Group FaceTime and said it was working on a fix. The company reacted after a separate developer reported the FaceTime flaw and it was written about on the Apple fan site 9to5mac.com, in an article that went viral.

------------------------------

Date: Fri, 1 Feb 2019 02:41:51 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple revokes Google's ability to use internal iOS apps, just like Facebook (WashPost)

The companies said they are hoping to resolve the issue quickly.
https://www.washingtonpost.com/technology/2019/01/31/apple-revokes-googles-ability-use-internal-ios-apps-just-like-facebook/

------------------------------

Date: Wed, 30 Jan 2019 15:27:08 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Apple hits back at Facebook and revokes a key license (CNBC)

* TechCrunch found that Facebook had been paying people to install a research app that grants access to all of the user's phone and web activity.
* Following the report, Apple said the app violates its policies.
* A Facebook spokesperson said the app had "a clear on-boarding process" that asked participants for permission.

CNBC: Apple hits back at Facebook and revokes a key license
https://www.cnbc.com/2019/01/30/apple-says-facebook-violated-its-policies-with-its-research-app.html?__source=iosappshare%7Ccom.apple.UIKit.activity.Mail

------------------------------

Date: Sat, 02 Feb 2019 21:18:23 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Putting the exact size of land in ads

"5,678 square meters prime farm land for sale, $xx0000. Call Mrs. Holmes at LLoyd 5-1212."

Or if Junior happens to have the local cadaster list, he can go visit the property himself, disposing of Mrs. Holmes.
Just sort the list on the size column, and `voila', only one parcel in town with that size!

------------------------------

Date: Sat, 2 Feb 2019 12:23:46 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Passwords, escrow, and fallback positions (CoinDesk)

Crypto exchange QuadrigaCX seems to be filing for bankruptcy. It's got lots of money--locked up in cryptocurrency "cold storage." The password was only known to the CEO. The CEO died in December.
https://www.coindesk.com/quadriga-creditor-protection-filing

Lots and lots of legal battles are involved ...

------------------------------

Date: Thu, 31 Jan 2019 12:31:40 -0800
From: Rex Sanders <rsanders () usgs gov>
Subject: My old RISKS nightmare comes true - partially

On 28 Jan 2009 for RISKS 25.55 I wrote:

  Subject: What if you can't pull the plug?

  Last night I literally awoke from a nightmare about my iPhone getting hacked, spewing spam and doing other nasty things. The nightmare was that I had no way to shut it off, and no way to disconnect it from the Internet.

Recently, while trying to move from an old iPhone to an iPhone 8 Plus - and following Apple's online instructions - the newer iPhone froze with the power ON. The "hold the power button down for a long time" trick didn't work. For one troubleshooting cycle, the 8+ stayed on-but-frozen for over 60 hours while connected to power. Luckily, the 8+ doesn't appear to be hacked by anything other than buggy upgrade software.

Called Apple support -- they gave me another combination of button presses to unfreeze the phone. Except it took four tries to work. Apparently Apple changed the forced restart scheme twice since the iPhone's introduction. But if your phone is frozen, you probably don't have any way to look up the latest method.

------------------------------

Date: Fri, 1 Feb 2019 00:08:00 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Minor Crimes and Misdemeanors in the Age of Automation (DevOps.com)

Author writes:

  In November, I broke the law. I crossed over a solid white line to make a right turn at a traffic intersection. At the time I was unaware of my violation. I was on my way to a shopping mall in an unfamiliar part of town to buy my wife a gift for her birthday. My only defense is that I was following the instructions emitted from the map app on my cellphone. It told me to make a right turn. So I did. Little did I know I was being watched.

https://devops.com/minor-crimes-and-misdemeanors-in-the-age-of-automation/

------------------------------

Date: Fri, 1 Feb 2019 02:34:51 -0500
From: Monty Solomon <monty () roscom com>
Subject: ICE set up phony Michigan university in sting operation (WashPost)

Never heard of the University of Farmington? That's because it never actually existed.
https://www.washingtonpost.com/nation/2019/01/31/ice-set-up-fake-university-hundreds-enrolled-not-realizing-it-was-sting-operation/

------------------------------

Date: Fri, 1 Feb 2019 02:41:19 -0500
From: Monty Solomon <monty () roscom com>
Subject: Chinese maker of radios for police, firefighters struggles to outlast Trump trade fight (WashPost)

The Chinese firm Hytera is subject to a U.S. import ban after a judge ruled it infringed on patents held by Motorola Solutions.
https://www.washingtonpost.com/business/economy/chinese-maker-of-radios-for-police-firefighters-promises-to-outlast-trump-trade-fight/2019/01/30/42a118a8-1f33-11e9-8b59-0a28f2191131_story.html

------------------------------

Date: Wed, 30 Jan 2019 11:58:13 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Keyless Cars Are Easy to Steal Using Cheap Theft Equipment (Fortune)

"Thefts involving electronic devices are on the up, and it's clear manufacturers could do more to make their vehicles secure," the consumer organization quoted David Jamieson, the West Midlands police commissioner, as saying.

However, the U.K.'s Society of Motor Manufacturers and Traders (SMMT) insisted that new cars "are more secure than ever, and the latest technology has helped bring down theft dramatically with, on average, less than 0.3% of the cars on our roads stolen."
<https://www.autoexpress.co.uk/car-news/105809/almost-all-keyless-car-systems-vulnerable-to-relay-attacks>

"We continue to call for action to stop the open sale of equipment with no legal purpose that helps criminals steal cars," said SMMT CEO Mike Hawes.

http://fortune.com/2019/01/28/keyless-car-theft-steal/

Who you gonna believe -- the manufacturers association or that empty space where your car was?
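As an added illustration (not part of this digest or of any cited article): the relay attacks named in the Auto Express link above work because the car accepts a cryptographically correct fob response without checking how far away the fob actually is. One standard mitigation is distance bounding: the car times the challenge/response round trip and refuses to unlock when that round trip exceeds what a fob within a few metres could produce, since carrying the signal over a longer path adds both propagation time and the latency of whatever equipment is in the path. The Python below is a deterministic toy model of that check; the Fob and Car classes, the 2 m range, the 200 ns fob processing budget and the constructed delay values are assumptions for illustration, not any manufacturer's design.

```python
"""Toy model of a passive-keyless-entry handshake with a round-trip-time
(distance bounding) check.  Added example; all names and timings are
constructed assumptions, not any vendor's implementation."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Radio propagation in air: roughly 0.3 metres per nanosecond.
METERS_PER_NS = 0.3


@dataclass
class Fob:
    """Key fob: answers a random challenge with a keyed MAC over it."""
    key: bytes

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class Car:
    """Passive-entry receiver that checks the MAC *and* the round-trip time."""

    def __init__(self, key: bytes, max_range_m: float = 2.0,
                 fob_processing_ns: int = 200):
        self.key = key
        # Largest round trip an honest fob inside max_range_m can produce:
        # out-and-back propagation plus the fob's own processing time.
        self.rtt_budget_ns = int(2 * max_range_m / METERS_PER_NS) + fob_processing_ns

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes, rtt_ns: int) -> str:
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response):
            return "REJECT: bad response"
        # A correct answer that arrives too late means the fob is not where
        # the car requires it to be, however the signal got there.
        if rtt_ns > self.rtt_budget_ns:
            return f"REJECT: round trip {rtt_ns} ns exceeds {self.rtt_budget_ns} ns"
        return "UNLOCK"


def simulate(car: Car, fob: Fob, distance_m: float, extra_path_ns: int = 0,
             fob_processing_ns: int = 200) -> str:
    """Deterministic model of one handshake (no real radio, no real clock).

    distance_m     -- one-way distance the signal actually travels
    extra_path_ns  -- latency of any equipment in the path (constructed
                      value); anything that captures, amplifies and
                      re-transmits the signal adds its own electronics delay
                      on top of the longer distance
    """
    challenge = car.new_challenge()
    response = fob.respond(challenge)
    rtt_ns = int(2 * distance_m / METERS_PER_NS) + fob_processing_ns + extra_path_ns
    return car.verify(challenge, response, rtt_ns)


if __name__ == "__main__":
    key = os.urandom(16)            # constructed shared secret
    car, fob = Car(key), Fob(key)
    # Owner standing next to the door: correct MAC, round trip within budget.
    print("fob at 1 m:           ", simulate(car, fob, distance_m=1.0))
    # Fob inside the house, signal carried over a much longer path with
    # extra equipment latency: correct MAC, but the timing gives it away.
    print("fob at 15 m, relayed: ", simulate(car, fob, distance_m=15.0, extra_path_ns=2000))
    # Wrong key: fails the MAC before timing is even considered.
    print("wrong fob at 1 m:     ", simulate(car, Fob(os.urandom(16)), distance_m=1.0))
```

The point of the model is that the MAC alone proves the fob exists somewhere, not that it is next to the car; only the timing bound ties the answer to a physical distance. Real implementations need a time-of-flight measurement far finer than the toy nanosecond arithmetic here, and the budget must leave headroom for the fob's clock and processing jitter, which is why the example keeps the processing allowance as an explicit parameter rather than folding it into the range.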
------------------------------

Date: Mon, 28 Jan 2019 22:11:17 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: UK auto theft (Re: RISKS-30.96)

This has had much coverage in UK newspapers recently, such as this article from today:

Claire Duffin, *The Daily Mail*, 28 Jan 2019
Almost all of the UK's best-selling cars can be 'unlocked in minutes' by cheap gadgets bought online as watchdog warns of spike in 'keyless thefts'
* Four out of five of the most popular cars in the UK last year at risk of keyless theft.
* Official figures for the year to September showed car thefts were up 10 per cent.
* In one test consumer watchdog Which? found only the Vauxhall Corsa was safe.
https://www.dailymail.co.uk/news/article-6638121/Almost-UKs-best-selling-cars-unlocked-minutes-cheap-gadgets-bought-online.html

  Almost all of the UK's bestselling cars are at risk of keyless theft, a study shows. Many new cars now have keyless entry systems, or can have them added as an upgrade. It allows the driver to open and start the car without using a traditional key, as long as the fob is nearby. But thieves have taken advantage of this new technology.

  Using two devices, known as a relay amplifier and a relay transmitter, they can capture electromagnetic signals emitted by key fobs from where they are sitting inside the car owner's home. Working in pairs, one thief stands by the car with his transmitter, while a second waves the amplifier close to the house. The amplifier will detect a signal from the key fob, amplify it and send it to the accomplice's transmitter. This tricks the car into thinking the key is in close proximity, prompting it to open. Thieves can then drive the vehicle away using the push-button keyless ignition.

  The process can take less than one minute - and once they have the car, they can quickly replace locks and entry devices.

I'm guessing that the cars constantly send a signal inviting any fobs within range to respond, and if one does reply with the correct code for the car, it unlocks the doors and allows the engine to be started; it's designed to work only over a few yards/metres, but the thieves' relays enable the range to be extended.

People often drop their keys in a bowl or case just inside the front door of their houses so that they can be grabbed as they leave. (In the olden days, thieves used magnets on rods passed through the letterbox to snaffle bunches of keys on keyrings, or would ring the doorbell and have an accomplice discreetly take keys while the householder was distracted.)

(By the way, Vauxhall was the UK brand name for GM cars, although it's recently been sold to a European automaker.)

------------------------------

Date: Sat, 02 Feb 2019 15:12:37 -0500
From: "Arthur T." <Risks201902.10.atsjbt () xoxy net>
Subject: Problems with car key fobs (Gizmodo)

People with car key fobs were staying away from a Canadian co-op store because they might not be able to start their cars. Anarchists? Gremlins? Competitors? No, just "a malfunctioning remote car starter" nearby.
https://gizmodo.com/mystery-of-blocked-key-fobs-at-parking-lot-likely-solve-1832277387

------------------------------

Date: Sun, 03 Feb 2019 04:50:33 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Google, you sent this to too many people, so it must be spam
The big announcement came,

  From: "Google+ Team" <noreply () plus google com>
  Subject: Your personal Google+ account is going away on April 2, 2019
  X-VR-STATUS: SPAM

Alas, a little too big, as it was nailed as spam by big-time mail filtering companie(s). Wonder what will happen when Facebook eventually sends theirs to an even larger list.

My mom says that "X-VR-SPAMCAUSE: ggystttmpsimb..." means "GooGle, you sent this to too many people so it must be spam."

------------------------------

Date: 28 Jan 2019 22:55:16 -0500
From: "John Levine" <johnl () iecc com>
Subject: Re: Buy Bitcoin at the Grocery Store via Coinstar (Fortune)

Coinstar? Those are the machines where you put in $10 in cash and it gives you a slip for $8. Seems just the thing for Bitcoin.

------------------------------

Date: Tue, 29 Jan 2019 07:32:45 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Hidden Automation Agenda of the Davos Elite (NYT)

A couple of thoughts on automation:

1. What do we really want these soon-to-be-laid-off people to do? Does it make any sense to pay people to produce goods inefficiently, in the style of Soviet factories making goods that will never be consumed, just so they have a job? The economist Milton Friedman supposedly asked why workmen were using shovels instead of machinery to build a canal. The answer came back: "We need to provide more jobs." Friedman's response: "Then why not give them spoons instead of shovels." To his credit, Friedman championed a version of universal basic income (UBI) to allow for both economic efficiency and economic support for those displaced. I'm not sure that UBI provides much of an identity of self-worth for these ex-workers, but it is at least a start in the right direction.

2. Since the Great Recession starting in 2008-9, governments around the First World have kept interest rates at negative or zero ("ZIRP"). Who do you think benefits directly from ZIRP? The coal miner? The minimum wage employee? Not so much.
When capital becomes cheaper than labor, it's a *no-brainer* to invest in automation, and the Davos elites have "backed up the truck" to gorge on zero-interest-rate money to invest in robotics and AI, knowing that eventually ZIRP would end, and this gravy train would stop. At that point, these investments would pay off as labor became more expensive relative to robots and automation.

The truth is, most of the First World has a demographic problem, in that their populations are *falling*, so countries like Japan and China are going to become totally reliant upon robots just to support their ever-growing percentage of retired workers.

So we're going to need robots and automation, but we're also going to need mechanisms to provide support and activities other than meaningless jobs to enable people to live full and meaningful lives.

------------------------------

Date: Tue, 29 Jan 2019 20:43:04 +0000
From: J Coe <spendday () gmail com>
Subject: Re: Is it time for Linux? (Dave Crooke)

I was waiting for another to reply to this message from RISKS 31.02, as I feel that from my lowly station of systems engineer in a small team in an education setting I shouldn't be preaching to the masses; there are many more worthy voices than my own. That being said, I don't feel Linux is the solution that some seem to claim it is. As always, all views are my own and do not represent anyone other than myself.

I disagree with the ideas and ideals that Linux is some bastion of security. While I will admit Linux does have the edge on Microsoft OSs, I simply do not believe that this in itself is enough to necessarily say it should be used over any operating system, Microsoft or otherwise. I also feel Linux has a perceived higher level of security than it actually does, along with a number of userbase and technical-climate realities that skew both hard and anecdotal evidence in Linux's favor.

The first of these things is the Linux userbase. Windows is the world's most popular desktop OS.
This leads by default to a less technical userbase, where Linux as a desktop OS is often used by the more technically adept. The more technically adept and I.T. security savvy are less likely to fall for certain types of attacks such as phishing and clicking on suspicious links. Both the higher volume of users and the chances of encountering one of these less savvy users mean Windows is the more profitable target when engaging in attacks where the net is cast wide.

Despite its open-source nature, Linux is not impervious to vulnerabilities. Last year Windows 10 had 28 {1} vulnerabilities given a CVE rating of 9 or more. Debian (which I'm using and I could get the stats easily) had 20 in 2018 {2}. While 9 is a significant number, Debian received a total of 938 CVEs in 2018, with Windows 10 only receiving 254. Some of this can be chalked up to the open-source model allowing vulnerabilities to be more easily identified, but the concept that Linux has fewer vulnerabilities or doesn't ship with them is simply not true.

Furthermore, the low use of things like anti-malware products on Linux means that there is currently a lack of research in this area. In December 2018 ESET discovered 21 "new" families of Linux-based malware. The issue being that these malware families weren't new; some appeared to be over 4 years old. Furthermore, ESET only discovered these families because they were being removed by a competing malware that ESET was actually investigating. When you ask a long-term Linux user when they last saw some Linux malware the answer will likely be never, but with the lack of strong, widely used anti-malware tools for Linux the real question would be: how would you know?

If everyone were to take the advice and switch to Linux exclusively for both home and work environments, the outcome could be worse security, as threat actors target the new environment, more malicious actors look for weaknesses and vulnerabilities, and there is a lack of tools to provide a decent defense-in-depth response.

While this may be a pie-in-the-sky idea, I believe security principles should be both hardware and software agnostic, and simply changing an OS doesn't necessarily make you more secure. Defense in depth, user training and engagement, proper configuration, and a healthy dose of skepticism and luck in equal measures is really the only way to provide a safe environment, not specific tools or tech.

------------------------------

Date: Tue, 29 Jan 2019 16:15:33 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: Re: If 5G Is So Important, Why Isn't It Secure?

I can think of two reasons, both of which make an equal amount of sense.

a) If 5G was perfect how would we sell them 6G? We have to make money too.

b) Security is like global warming -- if we can get by just by paying lip service to the notion and not doing anything effective about it, that's the easier and less expensive path. Until we have a real Pearl Harbor on the Internet, nobody that matters is going to care. It's going to take an incident that bankrupts a large high-profile company, paralyzes the Internet, kills hundreds of people, or forces the recall of millions of devices before what is optional becomes mandatory.
------------------------------

Date: Wed, 30 Jan 2019 10:22:38 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: The Duty to Read the Unreadable (RISKS-31.04)

I once tried to read a shrink-wrap EULA (of commercial software) in its entirety; it took almost an hour, and that's just the reading, I cannot claim to have actually understood it -- despite having more than the 14.5 years of education cited as required by the article, I have no formal legal education.

That's irrelevant anyway, because under that EULA, by clicking "I agree" I have put any future dispute I may have with the company under the jurisdiction of courts in the State of New York; there aren't many lawyers around here who know enough about NY law to file a case (not at any reasonable price), so this clause essentially puts possible legal resolution out of my reach.

IOW, this is not really an "agreement", more like a CYA legal trick designed to exempt the company from legal responsibility for possible damage (accidental, and even intentional) their software might inflict upon their customers.

------------------------------

Date: Wed, 30 Jan 2019 10:48:42 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Risks of Deepfake videos (Risks 31.04)

In the age of instant ubiquitous global communication, there is no need to manipulate reality at a professional level in order to make people believe in misinformation. See for example the anti-Vax case, where a pseudo-scientific article (rejected later) which connected one type of (disused) vaccine to a rare type of autism -- or rather, just the rumour of the article, since it seems no one had actually read it anyway -- had caused so many people to stop vaccination completely, enough to cause new outbreaks of diseases thought to be long gone.

Unfortunately, it seems too many people would just believe anything sent by their friends, rather than bother one click to check facts.
------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.05
************************