The RISKS Digest
Volume 28 Issue 21

Tuesday, 26th August 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Satellite in wrong orbit / digitalization disaster
Debora Weber-Wulff
Hackers Divert Sony Exec's Plane, Launch DoS Attack on PlayStation Network
Marc Schneider via Deborah Newman
Researchers demo 92% success rate in hacking smartphone apps
Sean Nealon via Geoff Goodfellow
A Single Android App Is Crippling the Nat'l Weather Service's Website
David Farber
"Facebook patching vulnerability that could force iPhones to make calls"
Candice So via Gene Wirchenko
"Netcore, Netis routers at serious risk from hardcoded passwords"
Jeremy Kirk via Gene Wirchenko
The Surveillance Engine: How the NSA Built Its Own Secret Google
Ryan Gallagher
Hands Up, Don't Snoop!
Henry Baker
CyberSec Coordinator Tells Why Lack of Tech Know-How Helps
Don Norman
Re: Google Map Tracks Your Every Move ...
Devon McCormick
Re: Computer Programming Is a Trade; Let's Act?
Ed Ravin
Re: This is what the future of a drone-filled America could look like
David Josephson
Re: A Better Credit Card
David E. Ross
Re: Vote! You Just Might Win $50,000
R. G. Newbury
Info on RISKS (comp.risks)

Satellite in wrong orbit / digitalization disaster

weberwu <weberwu@htw-berlin.de>
Mon, 25 Aug 2014 00:36:02 +0200
The Europeans are trying to set up their own GSM, and are shooting up
satellites like crazy. Except they appear to have miscalculated the orbits:
http://www.bbc.com/news/world-europe-28910662
Don't know if a computer failure is involved.
The ones already up there have mysterious power outages:
http://www.spacenews.com/article/civil-space/41643galileo-glitches-remain-a-mystery
Sounds like my laptop....

Disaster in digitalization costs four lives

Spiegel Online, a German news site, is reporting that an explosion that
happened in the northern German city of Itzehoe in March 2014 and killed
four people was due to a computer error:
http://www.spiegel.de/panorama/justiz/explosion-in-itzehoe-war-eine-computerpanne-schuld-a-986011.html

When transferring the plans for how the gas mains run from their previous,
analogue form to a digital mapping system, it seems that a few were
missed. Or perhaps it was a problem of the times: the maps were digitalized
in 1977, according to the radio and TV station NDR:
http://www.ndr.de/nachrichten/schleswig-holstein/Fehlerhafte-Karte-fuehrte-zu-Explosion-in-Itzehoe,itzehoe222.html.

A ditch digger ruptured a gas line that was not on the map—the ensuing
explosion killed one worker and three people in the houses affected, and
injured 15 others, including the operator of the digger.  Six houses were
rendered unusable.

The popular "news"paper Bild has an aerial picture of the damage:
http://www.bild.de/regional/hamburg/itzehoe/edv-umstellung-fuehrte-zu-gas-explosion-37229888.bild.html

The city is now busy comparing the digital maps with the analog ones (that
are still around) looking for possible other missing gas lines.

The moral of the story: Triple check digitalizations that could affect
lives, and don't throw out the analogue stuff.

Prof. Dr. Debora Weber-Wulff, HTW Berlin, Treskowallee 8, 10313 Berlin
+49-30-5019-2320 http://www.f4.htw-berlin.de/people/weberwu/


Hackers Divert Sony Exec's Plane, Launch DoS Attack on PlayStation Network (Marc Schneider)

Deborah Newman <debnewman@earthlink.net>
August 25, 2014 at 1:28:34 PM EDT
Marc Schneider, Billboard, 25 Aug 2014
http://www.billboard.com/biz/articles/news/legal-and-management/6229251/sony-twitter-bomb-threat-hackers-playstation-service

An American Airlines flight carrying Sony Online Entertainment president
John Smedley was diverted on Sunday after a hacker group dubbed the Lizard
Squad used Twitter to call in a bomb scare. Earlier in the day, the group
claimed responsibility for a denial-of-service attack that knocked out
Sony's PlayStation Network.

The bomb threat began with a tweet directed to American Airlines from Lizard
Squad that specified the flight number and its destination.

Lizard Squad @LizardSquad

.@AmericanAir
We have been receiving reports that @j_smedley's plane #362 from DFW to SAN
has explosives on-board, please look into this.

1:29 PM—24 Aug 2014

Unaware of what Lizard Squad was doing, Smedley continued to tweet about his
flight issues to his 40k-plus followers.  "Awesome. Flight diverted to
Phoenix for security reasons.  I hate American Airlines" Something about
security and our cargo. Sitting on Tarmac.

During this time, the hackers began mocking Smedley. "Hey haven't heard from
you in an hour, is everything alright?" they snarked. The group also tried
to get the hashtag #PrayForFlight362 to trend, and they appear to be linking
themselves with both Anonymous and ISIS, the Islamic group responsible for
the beheading of journalist James Foley.

Lizard Squad @LizardSquad
Today we planted the ISIS flag on @Sony's servers #ISIS #jihad pic.twitter.com/zvqXb2f5XI

11:03 AM—24 Aug 2014

Smedley later acknowledged the diversion and said he would not discuss
further. "Justice will find these guys," he said. American Airlines said on
Twitter that it was aware of the threat and the FBI confirmed with Reuters
that it was investigating.

"We're attempting to slam Sony back into the ground," the Lizard group said
early Sunday. The DoS attack worked and overwhelmed the system with
traffic, causing a brief outage, however, Sony said that no personal data
had been stolen from users. The feds are also looking into the disruption in
service to Sony's gaming system, which occurred just hours before.

Sony released the following statement: "The PSN and Sony Entertainment
Network are back online and people can now enjoy the services on their
PlayStation devices. The networks were taken offline due to a distributed
denial of service attack. We have seen no evidence of any intrusion to the
network and no evidence of any unauthorized access to users' personal
information.  We sincerely apologize for the inconvenience caused by this
issue."

A 2011 attack on the PSN Sony Entertainment Network caused a breach of
personal data for around 77 million users.

MUSICSTRAT, Digital Music Consultant, P: 212.734.2240  debnewman@earthlink.net


Researchers demo 92% success rate in hacking smartphone apps (Sean Nealon)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 24 Aug 2014 20:31:39 -1000
Sean Nealon, Hacking Gmail with 92 Percent Success, UCRiverside, 20 Aug 2014

UC Riverside assistant professor is among group that develops novel method
to attack apps on Android, and likely other, operating systems

RIVERSIDE, Calif. (www.ucr.edu)—A team of researchers, including an
assistant professor at the University of California, Riverside Bourns
College of Engineering <http://www.engr.ucr.edu/>, have identified a
weakness believed to exist in Android, Windows and iOS mobile operating
systems that could be used to obtain personal information from unsuspecting
users. They demonstrated the hack in an Android phone.

The researchers tested the method and found it was successful between 82
percent and 92 percent of the time on six of the seven popular apps they
tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R
Block. Amazon, with a 48 percent success rate, was the only app they tested
that was difficult to penetrate.

The paper, "Peeking into Your App without Actually Seeing It: UI State
Inference and Novel Android Attacks
<http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf>,"
will be presented
<https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/chen> Friday,
Aug. 22 at the 23rd USENIX Security Symposium in San Diego
<https://www.usenix.org/conference/usenixsecurity14>. Authors of the paper
are Zhiyun Qian <http://www.cs.ucr.edu/~zhiyunq/>, of the Computer Science
and Engineering Department at UC Riverside; Z. Morley Mao
<http://web.eecs.umich.edu/~zmao/>, an associate professor at the
University of Michigan; and Qi Alfred Chen
<http://web.eecs.umich.edu/~alfchen/>, a Ph.D. student working with Mao ...

http://ucrtoday.ucr.edu/24266

Geoff.Goodfellow@iconia.com  http://geoff.livejournal.com


A Single Android App Is Crippling the Nat'l Weather Service's Website

"David Farber via ip" <ip@listbox.com>
Mon, 25 Aug 2014 19:15:26 -0400
http://thevane.gawker.com/a-single-android-app-is-crippling-the-natl-weather-serv-1626643943/+ericlimer


"Facebook patching vulnerability that could force iPhones to make calls" (Candice So)

Gene Wirchenko <genew@telus.net>
Tue, 26 Aug 2014 10:27:30 -0700
Candice So, *IT Business*, 25 Aug 2014
http://www.itbusiness.ca/article/facebook-patching-vulnerability-that-could-force-iphones-to-make-calls


"Netcore, Netis routers at serious risk from hardcoded passwords" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Tue, 26 Aug 2014 11:14:39 -0700
InfoWorld, Jeremy Kirk, 26 Aug 2014
More than two million of the devices on the Internet may be
vulnerable to hackers monitoring their Internet traffic, Trend Micro says
http://www.infoworld.com/d/networking/netcore-netis-routers-serious-risk-hardcoded-passwords-249140


The Surveillance Engine: How the NSA Built Its Own Secret Google

*Dewayne Hendricks* <dewayne@warpspeed.com>
Monday, August 25, 2014
[Note: This item comes from friend David Rosenthal.  DLH] (via Dave Farber)

Ryan Gallagher, The Surveillance Engine: How the NSA Built Its Own Secret
Google, 25 Aug 2014

https://firstlook.org/theintercept/article/2014/08/25/icreach-nsa-cia-secret-google-crisscross-proton/

The National Security Agency is secretly providing data to nearly two dozen
U.S. government agencies with a `Google-like' search engine built to share
more than 850 billion records about phone calls, e-mails, cellphone
locations, and Internet chats, according to classified documents obtained by
The Intercept.

The documents provide the first definitive evidence that the NSA has for
years made massive amounts of surveillance data directly accessible to
domestic law enforcement agencies. Planning documents for ICREACH, as the
search engine is called, cite the Federal Bureau of Investigation and the
Drug Enforcement Administration as key participants.

ICREACH contains information on the private communications of foreigners
and, it appears, millions of records on American citizens who have not been
accused of any wrongdoing. Details about its existence are contained in the
archive of materials provided to The Intercept by NSA whistleblower Edward
Snowden.

Earlier revelations sourced to the Snowden documents have exposed a
multitude of NSA programs for collecting large volumes of communications.
The NSA has acknowledged that it shares some of its collected data with
domestic agencies like the FBI, but details about the method and scope of
its sharing have remained shrouded in secrecy.

ICREACH has been accessible to more than 1,000 analysts at 23 U.S.
government agencies that perform intelligence work, according to a 2010
memo. A planning document from 2007 lists the DEA, FBI, Central Intelligence
Agency, and the Defense Intelligence Agency as core members.  Information
shared through ICREACH can be used to track people's movements, map out
their networks of associates, help predict future actions, and potentially
reveal religious affiliations or political beliefs.

The creation of ICREACH represented a landmark moment in the history of
classified U.S. government surveillance, according to the NSA documents.

"The ICREACH team delivered the first-ever wholesale sharing of
communications metadata within the U.S. Intelligence Community," noted a
top-secret memo dated December 2007.  "This team began over two years ago
with a basic concept compelled by the IC's increasing need for
communications metadata and NSA's ability to collect, process and store vast
amounts of communications metadata related to worldwide intelligence
targets."

The search tool was designed to be the largest system for internally sharing
secret surveillance records in the United States, capable of handling two to
five billion new records every day, including more than 30 different kinds
of metadata on e-mails, phone calls, faxes, Internet chats, and text
messages, as well as location information collected from
cellphones. Metadata reveals information about a communication—such as
the TO and FROM parts of an e-mail, and the time and date it was sent, or the
phone numbers someone called and when they called—but not the content of
the message or audio of the call.

ICREACH does not appear to have a direct relationship to the large NSA
database, previously reported by The Guardian, that stores information on
millions of ordinary Americans' phone calls under Section 215 of the Patriot
Act. Unlike the 215 database, which is accessible to a small number of NSA
employees and can be searched only in terrorism-related investigations,
ICREACH grants access to a vast pool of data that can be mined by analysts
from across the intelligence community for `foreign intelligence'—a
vague term that is far broader than counterterrorism. ...


Hands Up, Don't Snoop!

Henry Baker <hbaker1@pipeline.com>
Mon, 25 Aug 2014 11:13:24 -0700
FYI—The "militarization" of U.S. state and local law enforcement has gone
far beyond body armor, assault rifles, night vision goggles and
IED-resistant troop carriers complete with desert camouflage.

This militarization has also extended to surveillance technologies such as
drones, security cameras with facial recognition, automated license plate
readers, cell tower spoofers (Stingray), etc., and "fusion centers" to share
all of this warrantlessly-acquired data.

The idea that Grand Rapids, MI, would need an intelligence "fusion center"
seems right out of Michael Moore's wonderful 1995 movie "Canadian Bacon", in
which a local sheriff (played by John Candy) starts a war with Canada.  The
U.S. Dept. of Homeland Security apparently didn't realize that "Canadian
Bacon" was intended to be a farce.

https://en.wikipedia.org/wiki/Canadian_Bacon

 - - - -

https://www.aclusocal.org/one-year-after-snowden/

One year after Snowden, local surveillance remains shrouded in secrecy
Posted on June 5, 2014

Nicole A. Ozer, ACLU of California

One year ago today, whistleblower Edward Snowden confirmed that the NSA was
secretly engaged in a massive program of warrantless surveillance of the
American people.  Since then, the ACLU has worked both in the courts and in
Congress to halt the agency's abuses of power and violations of our
constitutional rights.  But the NSA isn't the only agency guilty of
dragnet surveillance without oversight.  ***State and local governments***
have adopted surveillance technology at an astonishing rate, often without
the public's oversight and approval, and in some cases even hiding their
use from the courts.  Just like the NSA, our state and local agencies need
to be transparent and accountable to the people they serve.

Today, state and local law enforcement agencies have access to a wide range
of surveillance technologies, from drones to automated license plate
recognition (ALPR) systems to facial-recognition smartphone apps.  These
tools can potentially be used to infringe upon our fundamental rights to
privacy and freedom of expression and association, tracking our location,
associations, and more.  Yet all too often agencies not only acquire and use
these technologies without a robust public debate but work hard to keep them
secret.  This secrecy prevents valuable public input into limits and
safeguards to prevent potential harms.  It also undermines the principles of
transparency and accountability that are essential to our democratic system.

We shouldn't need a *local* Edward Snowden in order to ensure that public
debate and oversight accompany any proposed use of surveillance technology.
Instead, we should insist upon it up front.  We need our cities and counties
to adopt ordinances requiring local oversight of surveillance technology,
appoint privacy oversight committees, and place legal limits on how data
collected can be used.  And we need our state government to not just go
through the motions of considering a wide range of privacy-enhancing bills
but actually turn those bills into law.  Other states have already decided,
after public debate, that the unrestricted use of technologies such as ALPRs
or drones is not worth the fiscal or civil liberties cost.  Why is
California lagging behind?

So one year after the Snowden revelations started, we should celebrate the
growing efforts to end the federal government's unconstitutional
surveillance programs—but we should also make sure that we don't just
rein in the NSA and call it good.  Making sure that state and local agencies
also respect individual rights and the democratic process is also essential,
both for its own sake and in order to influence the federal conversation.
It's time to remind our government that it is supposed to be transparent to
the people, all the time—not just when an Edward Snowden forces it to
be.

Nicole A. Ozer is director of technology and civil liberties at the ACLU of California.

 - - - -

http://phillydeclaration.org/2014/04/02/confirmed-pa-state-police-purchased-controversial-stingray-surveillance-technology-last-year/

Confirmed: PA State Police Purchased Controversial StingRay Surveillance
Technology Last Year

By Dustin Slaughter

The Declaration has learned that Pennsylvania State Police have been in
possession of a highly-controversial type of surveillance technology, known
as StingRay, since December of 2013.

The purchasing order, obtained by The Declaration through a PA Right-to-Know
request filed in February, is with a highly secretive company based in
Melbourne, Florida named Harris Corporation.  The documents indicate that
State Police purchased two of the devices last year at a total cost of
$232,772, likely through federal ***homeland security grant funding***.

The use of this powerful domestic surveillance technology is coming under
increasing scrutiny—and criticism—for its ability to trick
cell phones within a targeted radius into connecting to the device by posing
as a fake cell tower.  The easily-portable device can rest inside a police
cruiser, for instance, and once a StingRay gathers a phone's
“International Mobile Subscriber Number” (IMSI) and serial data, the
phone can be singled out for closer scrutiny, including real-time location
tracking.

More details on the State Police purchase: last year, authorities obtained
the latest version of the technology, HailStorm, an “upgrade” to
StingRay which, if used in combination with a software named Pen-Link,
enables authorities to communicate directly with cell service carriers over
an Internet connection to strengthen real-time location tracking.  The
Declaration is now in the process of filing a new information request for
any contractual agreements with Nebraska-based Pen-Link.

In addition to PSP's Hailstorm upgrade, the agency also bought Harpoon
`amplifier' antennae.  This gives authorities the ability "to project its
surveillance signal farther or from a greater distance depending on the
location of the targets," according to Ars Technica.

Organizations such as the ACLU have rightly criticized the use of these
devices as legally problematic, citing its use by federal and local law
enforcement as a violation of the Fourth Amendment's General Warrant clause,
because of its ability to scoop up phone data within a given radius from
people not under investigation.  An Electronic Frontier Foundation amicus
brief submitted in a landmark case last year challenging the government's
use of the StingRay called the device "the biggest technological threat to
cellphone privacy that you don't know about."

The device is quite often used without a warrant.  Furthermore, its full
capabilities are rarely disclosed when investigators seek warrants from
judges.

A federal magistrate judge in the Southern District of Texas, when
authorities approached him requesting use of the device for electronic
surveillance in an ongoing investigation, became one of the few judges who
denied a warrant on the grounds that law enforcement wasn't specific enough
about their intended use of the device.  Crucially, Judge Brian L. Owsley
also noted that the government provided no explanation regarding how they
would handle captured cell data swept up from “seemingly innocent cell
phone users.”

Linda Lye, a staff attorney for the ACLU of Northern California, says of the
government's willful obfuscation in front of judges:

By withholding information about this technology from courts in applications
for electronic surveillance orders, the federal government is essentially
seeking to write its own search warrants.

It stands to reason that the same obfuscation by state and local police
agencies could be occurring, including in Pennsylvania.

The questionable legality of these devices extends beyond authorities
deceptively attempting to gain judicial permission for StingRay use.  In
2003, Miami-Dade police purchased devices to surreptitiously monitor
activists protesting at a world trade conference, according to procurement
records obtained by Ars Technica.

The Declaration made repeated inquiries to a State Police media liaison
seeking details including: Whether the agency is using the devices primarily
for counter-terrorism purposes or a broader spectrum of investigations; what
privacy and data retention policies the agency may or may not have
implemented; and whether or not sharing agreements with other state law
enforcement agencies exist.  PSP has not responded.

Record requests filed by The Declaration to both the Pittsburgh Police
Department and Philadelphia Police Department seem to indicate that
Pittsburgh police have no contractual agreements with Harris Corporation; a
response from Philadelphia police is pending.

We will continue our attempts to learn more about PA law enforcement's use of this device, and will update our readers accordingly.

 - - - -

http://blog.tenthamendmentcenter.com/2014/07/local-spying-is-part-of-the-national-surveillance-web/

Local Spying is Part of the National Surveillance Web

The OffNow campaign primarily focuses on action against federal surveillance
programs.  But with the line between federal, state and local law
enforcement becoming increasingly blurred, Americans also need to pay
attention to local actions to see and understand the big picture.

Take for example a new program law enforcement agencies in Grand Rapids,
Mich. recently implemented.  According to a MLive/The Grand Rapids Press
report, downtown businesses now offer the Grand Rapids Police and Kent
County Sheriff's Department ***live access to their outdoor surveillance
cameras***.

The two agencies are tapping into private video feeds from existing cameras
mounted on the exterior of private commercial buildings downtown, the Kent
County emergency management coordinator said.

Previously, police would request video from private feeds during the course
of a criminal investigation.  Now, police will be able to monitor the feeds
in real time from county and city dispatch centers.

According to the report, local officials plan to pursue Department of
Homeland Security grants to "expand the surveillance capability downtown
with new and upgraded equipment."

Obviously, this raises serious privacy concerns for residents of Grand
Rapids, but how does it tie into the larger surveillance state?

With the rapid evolution of information sharing between local, state and
federal law enforcement agencies, locally gathered information won't remain
`local' for very long.  Fusion centers already exist across the United
States.  As the Department of Homeland Security describes them, "State and
major urban area fusion centers serve as focal points within the state and
local environment for the receipt, analysis, gathering, and sharing of
threat-related information between the federal government and state, local,
tribal, territorial (SLTT) and private sector partners."

Fusion centers make up part of the Information Sharing Environment (ISE), a
consortium that includes the NSA, FBI, Department of Defense and many
others.  The ISE facilitates information sharing, officially for
`national defense'.  But we know through leaked Snowden documents that
federal agencies share large amounts of illegally gathered information with
state and local law enforcement, and it has no connection with national
defense at all.  State and local law enforcement also share information
`upstream' to these federal agencies.

Simply put, when local governments seize the power to watch you, that
information will ultimately end up in the hands of federal agencies most
certainly trying to monitor the actions, communications and movement of
virtually every person on earth.

Add to this an FBI facial recognition program coming online this year and
you have an Orwellian nightmare scenario.  As the technology improves and
facial recognition "learns" to identify more people, federal agencies
will gain the capability to track your every movement, in real time, through
networks of cameras like the ones in Grand Rapids.

The evolution will likely progress something like this.

1. Local businesses install cameras.
2. Local police gain access for `emergency' situations only.
3. Local police expand the definition of emergency.
4. Federal agencies provide funding and information sharing becomes a tacit part of the agreement.
5. Federal agencies have unlimited access to locally gathered data.

Essentially, the federal government can create a surveillance web across the
country using state and local law enforcement to maintain and run the
system.

To thwart the surveillance state, you need to not only watch the goings-on
in Washington D.C., you must also pay close attention to your state capitol
and city hall.

Mike Maharrey


CyberSec Coordinator Tells Why Lack of Tech Know-How Helps

Don Norman <dnorman@ucsd.edu>
Sun, 24 Aug 2014 17:12:52 -0700
Henry Baker worries about the new White House CyberSec Coordinator arguing
Why Lack of Tech Know-How Helps

> FYI—Technical ignorance is an advantage?  Perhaps Michael Daniel should
> start doing brain surgery tomorrow?
> Michael Daniel exhibits the hubris of those whose VerbalSAT >> MathSAT.

I worry about the hubris of those who think that technical expertise is
required. Why should a Math SAT be a relevant variable?

Our most difficult security issues are really policy and societal issues.
These require expert knowledge of policy and society. I have served on
several National Academy committees on security. I invariably find that the
technical issues are reasonably well understood: the difficulties are in
implementation, or sometimes in assessing the complex interactions of
security versus usability versus privacy (among others). The head of
Cybersecurity is not going to be writing code or determining encryption
schemes. The head will be determining policy, making those difficult
tradeoffs, and trying to figure out how to get sensible proposals through
the gamut of our representative system of government, limited budgets, and
lack of authority over the disparate agencies and private companies.

I wouldn't want Michael Daniel to do surgery on my brain, but I might very
well want to consult him to help determine whether we should have mandatory
reporting of medical error, or how government policies might be altered to
provide a more efficient and effective medical system.  Similarly, I assure
all of you that you do not want me coding security systems, but that doesn't
mean that my policy advice should be ignored. (Gee, if that were true, I
could have saved a lot of days of committee work.)

Rather than concern about technical ability, I applaud Daniel's comments:

"Being too down in the weeds at the technical level could actually be a
little bit of a distraction," Daniel, a special assistant to the president,
says in an interview with Information Security Media Group.

"You can get enamored with the very detailed aspects of some of the
technical solutions," he says.  "And, particularly here at the White House
... the real issue is to look at the broad, strategic picture and the impact
that technology will have."

He is absolutely right. Too many people keep insisting on complex proofs of
the quality of cypher systems, only to have them bypassed by insiders, or by
keystroke loggers which don't care how complex the password is, or for that
matter, by dedicated, intentioned workers who find the security requirements
so onerous that they take shortcuts, help their colleagues share terminals
and accounts, and do whatever it takes to get the job done, thereby
weakening the strict security that some technocrat has imposed.

(As at the security conference I attended at Google in an open conference
room in an otherwise secure facility, where the security gurus propped open
the locked door so people could get to the toilets. So much for high
security.)

Math and technical skills are not sufficient knowledge for policy making.
High level executives need a different level of skills than the average
RISKS commenter.  Different skills are required for the multiple complex
layers of CyberSecurity.

Don Norman, UC San Diego Design Lab dnorman@ucsd.edu www.jnd.org


Re: Google Map Tracks Your Every Move ... (R-28.19)

Devon McCormick <devonmcc@gmail.com>
Mon, 25 Aug 2014 12:28:11 -0400
Let's not lose sight of one of the really big risks here: Google claims to
track your location but it does so very inaccurately—you should not rely
on this "data", even if it does come from a computer.

Just one example: I took a look at the link given to see my own tracking
information.  According to what I see there, at a little past 7 am, I was
four blocks from my apartment (about 20 minutes before I actually left it).

Subsequent to this, apparently I was going down the east side of Manhattan
when I suddenly jumped across the East River into Brooklyn for a while
before jumping back across the river to Manhattan.

Furthermore, during the day when I never left the floor where I work,
Google had me traveling to locations a block or two away.

It seems it's not exactly tracking my location but making a guess about it
based on my proximity to a signal repeater or something like that.  In the
case at which I looked, it was egregiously wrong but the errors could
easily be more subtle than this.


Re: Computer Programming Is a Trade; Let's Act?

Ed Ravin <eravin@panix.com>
Sun, 24 Aug 2014 17:29:58 -0400
Computer programming can't possibly be a trade: trades have much higher
standards.

This quote attributed to Gerald Weinberg is even truer now than when he
allegedly said it in the 1970's:

 "If builders built buildings the way programmers wrote programs, then
  the first woodpecker that came along would destroy civilization."

And that was in the days when the woodpecker had to fly to the tree to start
pecking away.  The question is not whether we are going to see catastrophic
collapses of our software / network infrastructure, but when.


Re: This is what the future of a drone-filled America could look like

"David Josephson" <dlj07@josephson.com>
Aug 22, 2014 10:09 PM
  [via Dave Farber]

Computer technologies have been conceived of decades before they became
real, and we understood that once certain levels of logic gate density, or
memory speed, or communications bandwidth became accessible, specific things
that were previously sci-fi would suddenly be available in stores.  The same
is true of aircraft. The gating technology for air vehicles is battery
energy density.

Since the 1930s we have been stuck with combustion engines that produce
about 2 kilowatt-hours of motive energy per kilogram of fuel (being about
20% efficient.)  Electric propulsion today is more efficient, but is limited
by battery technology to about 0.2 kWh/kg. We need to start having the sort
of discussions referred to in Sipus' article, because *when* batteries reach
1 or 1.5 kWh/kg things will change drastically. It won't be just toys and
police surveillance. The futurists like NASA's Mark Moore have been looking
at what's practical, and it is pretty exciting for transportation on demand
with far less impact on the planet than surface-based systems create.

Since I work mostly in acoustics, I've been involved in discussions for
several years on how to characterize the sound from new kinds of aircraft.
These efforts are just beginning—but for once, the designers realize that
being perceived as quiet is key to their acceptance. "Quiet" is not the same
as "not loud" and we are just now learning how to measure these things. To
their credit, NASA uses human listeners to judge how noisy things are rather
than some sound level meter intended for measuring how damaging some sound
might be to hearing.

We can take a NIMBY approach, or we can engage the industry as it develops
and steer what we want from it. Given the slow pace of battery technology,
it will be some time before this happens. I have no doubt that restricting
traffic to very specific routes and altitudes in real time will be part of
the recipe. With the level of navigation and computing available today, this
is almost trivial if all vehicles are cooperating in the system. By the time
energy-dense electric propulsion is practical, this will not seem
far-fetched. The "next generation" aeronautics effort at NASA, the
"Transformational Flight" program committee at the American Institute of
Aeronautics and Astronautics and a lot of other smart folks are looking at
the opportunities and the problems that remain to be solved. But energy
density and public acceptance remain the gating factors.

I would encourage people to look above the horizon a little and figure out
what is desired in 10, 20, 50 years from now rather than spending all their
time keeping the buzzy drones out of their backyard this week. The tradeoff
discussions about privacy, safety, noise and all the other points need to
happen, but it is not just about drones as they are envisioned today. What
would you do if the Uber of 2034 were a pod that settled silently on a
nearby rooftop or back lot and took you where you wanted to be without
having to travel on roads or rails?


Re: A Better Credit Card (RISKS-28.20)

"David E. Ross" <david@rossde.com>
Sun, 24 Aug 2014 14:40:43 -0700
How does this verification work when I do not have a cellphone (smart or
dumb)?


Re: Vote! You Just Might Win $50,000 (Thorson, RISKS-28.20)

"R. G. Newbury" <newbury@mandamus.org>
Mon, 25 Aug 2014 11:31:51 -0400
> If this passes, I'm moving to LA, changing my name to Mr. Lucky Ticket, and
> running in their elections.  My platform is we need many more and much
> larger prizes.

Change your name to:    Above, None Of The

and you will win in a landslide.

The only problem being that you will probably be at the TOP of the ballot.

  [For newer readers of RISKS, I note that this is the opposite situation
  from the person who had the automobile license plate "NO PLATE".  He wound
  up receiving all the tickets for the vehicles that had no license plate,
  because that's what the police wrote in the license field on each ticket.
  PGN]
