Harvard Professor Harry Lewis recently posted a blog item that reviews the episodes leading up to and following Harvard having accused a large number of students of cheating in an open-book, open-Web exam in an undergraduate Government course, suspending them en masse, surreptitiously searching e-mail accounts, and hiding many of the details from public view. Harry's blog item gives RISKS readers an insider follow-up to the two rather terse external views on this situation that Lauren Weinstein contributed to RISKS-27.19 (11 Mar 2013).

13 Oct 2013: Honor and Dishonor
http://harry-lewis.blogspot.com/2013/10/honor-and-dishonor.html

For those of you interested in delving further into the history, Harry's blogspot also includes seven previous postings that give a more extensive view of his reactions to how this situation evolved (badly).

3 Feb 2013: Bits and Pieces: Lingering questions about the 'cheating scandal'
9 Mar 2013: Bits and Pieces: E-mail Privacy at Harvard
12 Mar 2013: Bits and Pieces: E-mail Snooping Update
6 Apr 2013: Bits and Pieces: Seizing the Opportunity to Restore Trust
27 Apr 2013: Bits and Pieces: E-mail Privacy Update
23 Jul 2013: Bits and Pieces: The Keating Report
2 Sep 2013: Bits and Pieces: E-mail Privacy Redux
Former U.S. Vice President Dick Cheney said the implanted defibrillator that helped keep him alive in 2007 had its wireless feature disabled because he feared terrorists could use it to kill him. (Bloomberg) To read the entire article, go to http://bloom.bg/H50BeO

The risk: fear that technology will be abused leads to disabling the technology. Of course, technology subject to abuse—e.g., medical devices vulnerable to hacking/tampering—has its own risks. Tough choices.
Second Thoughts on Voter ID, Editorial, *The New York Times*, 16 Oct 2013
http://www.nytimes.com/2013/10/17/opinion/second-thoughts-on-voter-id.html?src=rechp&_r=0

On 18 Oct 2013, Richard Posner, a highly respected federal judge, offered an unusual admission. He had made a mistake, he said, in voting to uphold one of the country's first voter-ID laws. As courts in Texas, North Carolina and other states deal with litigation over ever-stricter versions of such laws—all enacted in the name of preventing nonexistent fraud—the question is what effect Judge Posner's admirable candor could have.

In 2005, Indiana passed a law requiring voters to show photo IDs at the polls. Opponents sued, saying the law would mainly prevent those most likely not to have photo IDs—poor, elderly, and minority voters—from voting. Judge Posner, a Reagan appointee to the United States Court of Appeals for the Seventh Circuit, rejected the challenge because he saw no evidence that any voters would be disenfranchised, and reducing vote fraud was a legitimate state goal—despite the fact that Indiana had never prosecuted anyone for that crime. The Supreme Court upheld the ruling in 2008, and proponents of voter-ID laws have relied on that opinion ever since.

In an interview with HuffPost Live on Friday, Judge Posner acknowledged that he had failed to appreciate how voter-ID laws would be abused when he wrote the decision upholding the Indiana statute. "Maybe we should have been more imaginative. We weren't really given strong indications that requiring additional voter identification would actually disenfranchise people entitled to vote." Those indications were clear, of course, to judges who disagreed with Judge Posner at the time. In a new book, he writes that he was 'guilty' of upholding a law "now widely regarded as a means of voter suppression rather than of fraud prevention." Had he spoken those words a few years ago, the landscape of voter-ID laws might look very different.
Democrats say about 1/3 of the names on the purge list were incorrect. An article in *The Washington Post* says that 38,000 of 56,000 names proposed for purge by the State Board of Election were ultimately purged. That's pretty close to 1/3 being incorrect. http://www.washingtonpost.com/local/virginia-politics/federal-judge-rejects-democratic-challenge-to-virginia-voter-roll-purge/2013/10/18/26235068-3809-11e3-8a0e-4e2cf80831fc_story.html?wpisrc=nl_buzz
[Via Dave Farber's IP distribution]

A system used by ships worldwide to broadcast their location for safety purposes lacks security controls and is vulnerable to spectacular spoofing attacks, researchers show. ... "We were really able to compromise this system from the root level," says Kyle Wilhoit, a researcher with Trend Micro's Future Threat Research team.

By purchasing a 700-euro piece of AIS equipment and connecting it to a computer in the vicinity of a port, the researchers could intercept signals from nearby craft and send out modified versions to make it appear to other AIS users that a vessel was somewhere it was not. Using the same equipment and software, it is possible to force ships to stop broadcasting their movements using AIS by abusing a feature that lets authorities manage how nearby AIS transmitters operate. AIS transmissions could also be sent out that make fake vessels or structures such as lighthouses or navigational buoys appear, and to stage spoof emergencies such as a 'man in the water' alert or collision warning.

No direct attacks were staged on any real vessels. The researchers showed that their spoof signals were faithfully reproduced on the maps provided by online services that monitor AIS data, such as this one:
<http://www.marinetraffic.com/ais/default.aspx?centerx=-118.2055&centery=33.7485&zoom=9>

One online service was fooled into showing a real tugboat disappearing from the Mississippi and reappearing on a Dallas lake, and depicting a fake vessel traveling off Italy on a course that spelled out the hacker term for a compromised system: 'pwned'.
http://www.technologyreview.com/news/520421/ship-tracking-hack-makes-tankers-vanish-from-view/
Serdar Yegulalp | InfoWorld, 21 Oct 2013 Credit bureau sold personal data from half a million users to fraudster posing as a Private Investigator, who then resold data on the black market http://www.infoworld.com/t/cyber-crime/crooks-stole-experian-data-the-old-fashioned-way-they-bought-it-229168
"In recent months though, insiders have encountered something altogether more worrying: a concerted attack on the very fabric of Wikipedia by PR companies that have subverted the online encyclopedia's editing hierarchy to alter articles on a massive scale, perhaps tens of thousands of them. Wikipedia is the world's most popular source of cultural, historical, and scientific knowledge; if their fears are correct, its all-important credibility could be on the line."
http://j.mp/16nf2Rk (Vice via NNSquad)
Bruce Schneier, NSA Surveillance: The 21st-Century Panopticon, *The Atlantic*
http://www.theatlantic.com/politics/archive/2013/10/nsa-surveillance-the-21st-century-panopticon/280715/

The basic government defense of the NSA's bulk-collection programs—whether it be the list of all the telephone calls you made, your email address book and IM buddy list, or the messages you send your friends—is that what the agency is doing is perfectly legal, and doesn't really count as surveillance, until a human being looks at the data.

It's what Director of National Intelligence James R. Clapper meant when he lied to Congress. When asked, "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" he replied, "No sir, not wittingly." To him, the definition of "collect" requires that a human look at it. So when the NSA collects—using the dictionary definition of the word—data on hundreds of millions of Americans, it's not really collecting it, because only computers process it.

The NSA maintains that we shouldn't worry about human processing, either, because it has rules about accessing all that data. General Keith Alexander, director of the NSA, said that in a recent New York Times interview: "The agency is under rules preventing it from investigating that so-called haystack of data unless it has a 'reasonable, articulable' justification, involving communications with terrorists abroad, he added."

There are lots of things wrong with this defense. First, it doesn't match up with U.S. law. Wiretapping is legally defined as acquisition by device, with no requirement that a human look at it. This has been the case since 1968, amended in 1986. Second, it's unconstitutional.
The Fourth Amendment prohibits general warrants: warrants that don't describe "the place to be searched, and the persons or things to be seized." The sort of indiscriminate search and seizure the NSA is conducting is exactly the sort of general warrant that the Constitution forbids, in addition to it being a search by any reasonable definition of the term. The NSA has tried to secretly redefine the word "search," but it's forgotten about the seizure part. When it collects data on all of us, it's seizing it. Third, this assertion leads to absurd conclusions. Mandatory cameras in bedrooms could become okay, as long as there were rules governing when the government could look at the recordings. Being required to wear a police-issued listening device 24/7 could become okay, as long as those same rules were in place. If you're uncomfortable with these notions, it's because you realize that data collection matters, regardless of whether someone looks at it. Fourth, creating such an attractive target is reckless. The NSA claims to be one of the biggest victims of foreign hacking attempts, and it's holding all of this information on us? Yes, the NSA is good at security, but it's ridiculous to assume it can survive all attacks by foreign governments, criminals, and hackers—especially when a single insider was able to walk out of the door with pretty much all their secrets. Finally, and most importantly: Even if you are not bothered by the speciousness of the legal justifications, or you are already desensitized to government invasion of your privacy, there is a danger grounded in everything we have learned about how humans respond when put in positions of unchecked power. Assuming the NSA follows its own rules—which even it admits it doesn't always—rules can change quickly. The NSA says it only looks at such data when investigating terrorism, but the definition of that term has broadened considerably. 
The NSA is constantly pushing the law to allow more and more surveillance. Even Representative Jim Sensenbrenner, the author of the Patriot Act, says that it doesn't allow what the NSA claims it allows. It doesn't make sense to build systems that could facilitate a future police state. A massive trove of surveillance data on everyone is incredibly tempting for all parts of government to use. Once we have everyone's data, it'll be hard to prevent it from being used to solve conventional crimes and for all sorts of things. It's a totalitarian government's wet dream. The NSA's claim that it only looks when it's investigating terrorism is already false. We already know the NSA passes data to the DEA and IRS with instructions to lie about its origins in court—"parallel construction" is the term being used. What else is done with that data? What else could be? It doesn't make sense to build systems that could facilitate a future police state.

This sort of surveillance isn't new. We even have a word for it: It's the Panopticon. The Panopticon was a prison design created by 18th-century philosopher Jeremy Bentham, and has been a metaphor for a surveillance state ever since. The basic idea is that prisoners live under the constant threat of surveillance. It's not that they are watched all the time—it's that they never know when they're being watched. It's the basis of Orwell's 1984 dystopia: Winston Smith never knew if he was being watched, but always knew it was a possibility. It's why online surveillance works so well in China to deter behavior; no one knows if and when it will detect their actions online.

Panopticon-like surveillance—intermittent, but always possible—changes human behavior. It makes us more compliant, less individual. It reduces liberty and freedom. Philosopher Michael P. Lynch recently wrote about how it dehumanizes us: "when we lose the very capacity to have privileged access to our psychological information—the capacity for self-knowledge, so to speak, we literally lose our selves .... To the extent we risk the loss of privacy we risk, in a very real sense, the loss of our very status as subjective, autonomous persons." George Dyson recently wrote that a system that "is granted (or assumes) the absolute power to protect itself against dangerous ideas will of necessity also be defensive against original and creative thoughts." That's what living in a Panopticon gets you. Already, many of us avoid using 'dangerous' words and phrases online, even innocuously. Or making nervous jokes about it when we do.

By ceding the NSA the ability to conduct ubiquitous surveillance on everybody, we cede to it an enormous amount of control over our own lives. Once the NSA takes a copy of your data, you no longer control it. You can't delete it. You can't change it. You might not even know when the rules under which it uses your data change. And until Edward Snowden leaked documents that show what the NSA is doing, you didn't even know that the government had taken it. What else don't we know that the NSA has or does?
Amar Toor, The Verge, 21 Oct 2013 Agency reportedly recorded millions of French phone calls over 30-day period last year http://www.theverge.com/2013/10/21/4861202/nsa-reportedly-recorded-millions-of-french-phone-calls-us-ambassador-summoned
"A new global report (pdf) by the Organization for Economic Cooperation and Development finds that Americans rank well below the worldwide average in just about every measure of skill. In math, reading, and technology-driven problem-solving, the United States performed worse than nearly every other country in the group of developed nations." It seems to me that the results should be grounds for serious concern, even though (or perhaps particularly because) China isn't included in the charts. Particularly concerning seems to be the poor performance of the 16-24 compared to the 55-65 year-olds. [Let's hear it for us old people. PGN]
http://j.mp/1a2Irq6 (*Time* via NNSquad)

The most ambitious product launch is uProxy, a new Web browser extension that uses peer-to-peer technology to let people around the world provide each other with a trusted Internet connection. This product is designed to protect the Internet connection of users in, say, Iran, from state surveillance or filtering. Google Ideas is providing funding and technical assistance for uProxy, which was developed by researchers at the University of Washington and Brave New Software.

"If you look at existing proxy tools today, as soon as they're effective for dissidents, the government finds out about them and either blocks them or infiltrates them. Every dissident we know in every repressive society has friends outside the country whom they know and trust. What if those trusted friends could unblock the access in those repressive societies by sharing their own access? That was the problem we tried to solve."

uProxy allows users in the U.S. to give their trusted friends in Iran, people they might already be emailing or chatting with, access to the open U.S. Internet. "The user in Iran can get unfiltered access to the Internet that's completely uncensored and will look just like it does in the U.S. It's completely encrypted and there's no way for the government to detect what's happening because it just looks like voice traffic or chat traffic. We wanted to build a proxy service that builds on top of trusted relationships that already exist."

[Knowing what we know about the lack of security and anonymity, how likely is this to be useful in critical environments? PGN]
The Forward reported back in 2012 on a similar scam at the college level, where an online school sucks up US Federal grant money meant for low-income students, without actually graduating anyone, and where most of their students weren't even in the US: http://forward.com/articles/163766/how-jewish-college-uses-federal-funds-to-grow/ And a recent followup: http://forward.com/articles/184212/chabads-michigan-jewish-institute-may-close-after/ I doubt this school is the only one playing this game.
This is the most misleading Subject: line I can remember having appeared in RISKS. Even "contributes to" seems a stretch, especially since the articles clearly state that GPS navigation being involved is *a guess*. "Stealing multiple cars, getting in multiple police chases, and crashing through border patrol vehicles" is more like it... There is a legitimate risk to be discussed here; indeed, it appears it's easy to miss the "you're crossing an international border" warning, but the result of that should be delay (including maybe having to turn around and take a much longer route), not being shot at!
In RISKS-27.55, Sam Steingold writes:

> I actually welcome this scandal because it should bring home to people the
> fact that we have lost "the expectation of privacy" battle.

What battle? The way the Internet is built and operated, it has been a broadcasting network from day one. No intelligent person should have expected any privacy, any more than when walking on a public street.
Woody Leonhard | InfoWorld, 18 Oct 2013 Microsoft is struggling to figure out how to handle a widely reported problem when Windows 8 users update to Windows 8.1 http://www.infoworld.com/t/microsoft-windows/users-hit-blue-screen-0xc1900101-0x40017-error-windows-81-update-229058
Woody Leonhard | InfoWorld, 18 Oct 2013 Botched patch installs .Net Framework 3.5 without warning or consent -- even on systems that have studiously avoided .Net http://www.infoworld.com/t/microsoft-windows/resurrected-kb-951847-zombie-patch-fixed-now-has-new-problem-229062
Woody Leonhard | InfoWorld, 21 Oct 2013 Windows RT/8 updates have inspired a stream of complaints. Here's an overview of what's happened, how you might recover http://www.infoworld.com/t/microsoft-windows/problems-remain-after-microsoft-yanks-windows-rt-81-update-229131
FYI—Obviously, the US Government shutdown kept the NSA from doing final QA on this particular Windows backdoor^H^H^H^H^H^H^H^Hupdate. :-)

http://news.softpedia.com/news/Microsoft-Still-Working-on-KB2862330-Windows-7-Update-Fix-391107.shtml
October 15th, 2013, 05:31 GMT · By Bogdan Popa - The patch is still being delivered via Windows Update

More and more users confirm issues with the KB2862330 Windows 7 update, as the bulletin apparently fails to install on lots of computers, but Microsoft remains pretty much tight-lipped on this subject. Ben Herila, Microsoft product manager, has confirmed through a small post that Redmond is still working to find the cause of the issues, explaining that a free-of-charge support incident is available to anyone willing to help the team deal with the problem.

"We can offer anyone who has this issue and is willing to go through troubleshooting a free-of-charge support incident and Support will work with you 1-1 to get your computer(s) back into a working state. The teams who released this update do know that there may be a problem and are doing additional testing to identify the root cause of the issue that folks are experiencing."

At this point, the patch is still being delivered via Windows Update, which means that in most cases, the bulletin is expected to install just fine.
This might be of interest to RISKS readership.

Subject: GCHQ spooks update PC and mobile security advice for public sector; CESG offers strengths and weaknesses guide
http://news.techworld.com/security/3474201/gchq-spooks-update-pc-and-mobile-security-advice-for-public-sector/?cmpid=TD1N20
https://www.gov.uk/government/collections/end-user-devices-security-guidance--2#group_1531
Narrating a compelling and interesting story about cryptography is not an easy endeavor. Many authors have tried and failed miserably, attempting to create better anecdotes about the adventures of Alice and Bob. David Kahn did the best job of it when he wrote The Codebreakers: The Story of Secret Writing in 1967 and set the gold standard for the information security narrative. Kahn's book was so provocative and groundbreaking that the US Government originally censored many parts of it.

A lot has changed since 1967, and while Secret History: The Story of Cryptology is not as groundbreaking, it also has no government censorship. With that, the book is a fascinating read that provides a combination of cryptographic history and the underlying mathematics behind it. ... Kahn himself wrote that he felt this book is by far the clearest and most comprehensive of the books dealing with the modern era of cryptography, including classic ciphers and some of the important historical ones such as Enigma and Purple, but also newer systems such as AES and public-key cryptography.

See the full review here at: http://www.rsaconference.com/blogs/435/rothke/secret-history-the-story-of-cryptology1