The RISKS Digest
Volume 28 Issue 83

Sunday, 2nd August 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Space Ship Two crash investigation results
NTSB via Alister Wm Macintyre
GW 9525 EASA crash report (Alister Wm Macintyre)
FDA says don't use Hospira infusion pump due to hacking
Jeremy Epstein
Smart rifle can be hacked
Mark Thorson
Why you shouldn't trust your Intel/AMD/ARM chips
Henry Baker
Chertoff Feb 2015: No Backdoors!
Henry Baker
Re: Op-Ed Disappeared: *WaPo* production error
*WaPo* via PGN
In Microsoft's Nokia Debacle, a View of an Industry's Feet of Clay
Windows XP: Embedded systems, what fun...
Gabe Goldberg
Windows 10 uses your bandwidth to send other people updates
Windows 10 Wi-Fi Sense feature shares your Wi-Fi network
Chris J Brady
Win10: Advertisers&FBI are the customers; you are the product
Henry Baker
U.S. Decides to Retaliate Against China's Hacking
Group that hacked Anthem shared weaponized 0-days with rival attackers
Vizio IPO plan shows how its TVs track what you're watching
Gabe Goldberg
OwnStar: Researcher hijacks remote access to OnStar
Study Of Spain's 'Google Tax' On News Shows How Much Damage It Has Done
SaaS: Surveillance as a Service
Henry Baker
Major flaw could let lone-wolf hacker bring down swaths of Internet
Wassenaar on hold: Commerce caves on export rules
"Most Android phones can be hacked with a simple MMS message or multimedia file"
Lucian Constantin
Re: Android Stagefright Flaws Put 950 million devices at risk
Re: NZ Harmful Digital Communications Bill—now Spain
Chris Drewe
Re: Hackable Car
Anthony Thorn
Info on RISKS (comp.risks)

Space Ship Two crash investigation results

"Alister Wm Macintyre (Wow)" <>
Tue, 28 Jul 2015 14:34:38 -0500
US National Transportation Safety Board (NTSB) released results of their
investigation into the October 31, 2014 crash of SpaceShipTwo near Mojave,

This was a commercial space vehicle built for Virgin Galactic which broke up
during a rocket powered test flight, seriously injuring the pilot and
killing the co-pilot.

NTSB abstract, including findings, probable cause and recommendations:

We can download NTSB conclusions here: (6 page PDF)

My summary:

When a project is damned expensive, having a rush job, and cutting costs,
can lead to higher risk of something going haywire, and much more expensive
consequences when it does so.  In this case they cut corners on test pilot
training, and hazard analysis.  The FAA caught them at it, issued mitigation
requirements, but failed to follow-up to see if they were paying attention
to what the FAA had requested, which they were not.

Rescue for the injured pilot was delayed, thanks to rescue helicopters not
pre-positioned nearby on standby.

In my former day job, when we were designing new packages, I often suggested
that we have our auditors check whether the audit trails and accounting
controls were adequate.  This request was always denied.  The NTSB has observed
a similar need in the design of commercial space craft.  Once something has
been manufactured with flaws, it is too expensive to fix it.  So safety
consultants ought to be involved at the design stage.

A criticism of top level officialdom is that to find someone with relevant
experience, people are hired from the companies to be regulated, then after
their public service they go back to the same place, so their government
impartiality is doubted.  FAA has an opposite system for commercial
spacecraft inspection.  They have people on the payroll with relevant
experience, but instead they send inspectors who know nothing about what
they are looking at.

The above links have more detail.

NTSB periodically comes out with reports on other investigations, which can
be viewed here:

The NTSB has the job of investigating transportation mishaps such as pipe
lines blowing up.  There is no government mandate that anyone heed their
suggestions on what to do differently to prevent history from repeating.

Mainstream News Media (MSM) tells us lots of uninformed speculations about a
disaster right after it happens, but is seldom interested in the results of
the investigations, when they come out a year or so later. I am glad NTSB
investigates such events, as opposed to NASA USAF & other competitors whose
bias, how they do things, can get in the way of good evaluation of what
makes most sense for other operators.

GW 9525 EASA crash report

"Alister Wm Macintyre (Wow)" <>
Wed, 29 Jul 2015 10:52:45 -0500
According to July 2015 Crisis Response Journal Newsletter
from FireNet International Ltd: The European Aviation Commission published a
report on Germanwings Flight 9525 incident, from a task force led by the
European Aviation Safety Agency (EASA).  That's the airline crash in which
one pilot went to the bathroom, then got locked out of the cockpit, while
the other one allegedly committed suicide by crashing the plane into a
mountainside.  News reports indicated that the suicide perpetrator had had
medical treatment which should have warned the airline, but privacy laws
interfered, so there is an apparent need for a better balance between
privacy of the individual, and public safety.

Here is link to that GermanWings Flight 9525 (500 k PDF) crash report, and
additional info:

FDA says don't use Hospira infusion pump due to hacking

Jeremy Epstein <>
Sat, 1 Aug 2015 15:26:33 -0400
Nothing here surprising.... except I'm surprised (and disappointed) that
this is the *first* time the FDA has taken this action.  It seems highly
unlikely that this is the only device subject to these sorts of attacks.

"The federal government says health care facilities should stop using
Hospira's Symbiq medication infusion pump because of its vulnerability to
hacking. The Food and Drug Administration said Friday it's the first time it
has warned caregivers to stop using a product because of a cybersecurity
risk." [...]

"Earlier this year the FDA and the Homeland Security Department's Industrial
Control Systems-Cyber Emergency Response Team issued warnings about
potential vulnerabilities of Hospira's LifeCare PCA 3 and PCA5 pumps.  The
company says newer products have additional protection against potential
breaches.  The company says its Plum 360 infusion pumps, which went on sale
in January, don't have the same vulnerability."

  (But do they have other vulnerabilities?  Probably!)

Smart rifle can be hacked

Mark Thorson <>
Thu, 30 Jul 2015 13:34:07 -0700
It's a freakin' gun!  Change your freakin' default password!

Why you shouldn't trust your Intel/AMD/ARM chips

Henry Baker <>
Tue, 28 Jul 2015 13:22:56 -0700
FYI—The "walking back" last week by Chertoff and his Group (with respect
to Comey's hackdoor proposals) raises suspicions that NSA doesn't find
crypto quite so challenging as the FBI does.  NSA's recent tampering with
RNG's makes one wonder about possible NSL's to Intel/AMD/ARM, etc.

As the BBC article below indicates, hardware tampering at the source is a
well-trodden path for the NSA&GCHQ.

How NSA and GCHQ spied on the Cold War world
Gordon Corera, BBC News, 28 July 2015

American and British intelligence used a secret relationship with the
founder of a Swiss encryption company to help them spy during the Cold War,
newly released documents analysed by the BBC reveal.

The story of the German Enigma machine is well-known - a device built to
provide secure communications but which British code-breakers managed to
crack at Bletchley Park.  But there is another story - not fully told until
now - about what came after [that].

The demand for machines like Enigma grew after the end of the World War Two.
And one private company led the way in meeting that demand.  That company,
founded by a man called Boris Hagelin, was called Crypto AG.  Hagelin had
helped supply the US Army during the War before moving his business from
Sweden to Switzerland.

Crypto AG sold its machines around the world, offering security.  But what
customers did not know was that Hagelin himself had come to a secret
agreement with the founding father of American code-breaking, William F

Reports of a deal have circulated before.

In the 1980s, the historian James Bamford was researching his book The
Puzzle Palace about the US National Security Agency (NSA) and came across
references to the "Boris project" in Friedman's papers.

The NSA promptly had the papers locked up in a vault.

In 1995, journalist Scott Shane, then at the Baltimore Sun, found
indications of contacts between the company and the NSA in the 1970s, but
the company said claims of a deal were "pure invention".

The new revelations of a deal do not come from a whistleblower or leaked
reports, but are buried within 52,000 pages of documents declassified by the
NSA itself this April and investigated by the BBC.

Top-secret report

The relationship was based on a deep personal friendship between Hagelin and
Friedman, forged during the War.

The central document is a once top-secret 22-page report of a 1955 visit by
Friedman to Zug in Switzerland, where Crypto AG was based.

Some elements of the memo have been redacted - or blacked out - by the NSA.

But within the released material, are two versions of the same memo, as well
as a draft.

Each has different parts redacted. By placing them side by side and cross
referencing with other documents, it is possible to learn many - but not all
- details.

The different versions of the report make clear Friedman - described as
special assistant to the director, NSA - went with a proposal agreed not
just by US, but also British intelligence.

Friedman offered Hagelin time to think his proposal over, but Hagelin
accepted on the spot.

Different versions of the report:

Full text of redacted version

Full text of differently redacted version

The relationship, initially referred to as a "gentleman's agreement",
included Hagelin keeping the NSA and GCHQ informed about the technical
specifications of different machines and which countries were buying which

The provision of technical details "is a revelation of the first order,"
says Paul Reuvers, an engineer who runs the Crypto Museum website.

"That's extremely valuable.  It is something you would not normally do
because the integrity and secrecy of your own customer is mandatory in this

Machine specifics key

The key to breaking mechanical encryption machines - such as Enigma or those
produced by Hagelin - is to understand in detail how they work and how they
are used.

This knowledge can allow smart code breakers to look for weaknesses and use
a combination of maths and computing to work through permutations to find a

In one document, Hagelin hints to Friedman he is going to be able "to supply
certain customers" with a specific machine which, Friedman notes, is of
course "easier to solve than the new models".

Previous reports of the deal suggested it may have involved some kind of
backdoor in the machines, which would provide the NSA with the keys.

But there is no evidence for this in the documents (although some parts
remain redacted).

Rather, it seems the detailed knowledge of the machines and their operations
may have allowed code-breakers to cut the time needed to decrypt messages
from the impossible to the possible.

The relationship also involved not selling machines such as the CX-52, a
more advanced version of the C-52 - to certain countries.

"The reason that CX-52 is so terrifying is because it can be customised,"
says Prof Richard Aldrich, of the University of Warwick.

"So it's a bit like defeating Enigma and then moving to the next country and
then you've got to defeat Enigma again and again and again."

Some countries - including Egypt and India - were not told of the more
advanced models and so bought those easier for the US and UK to break.

In some cases, customers appear to have been deceived.

One memo indicates Crypto AG was providing different customers with
encryption machines of different strengths at the behest of Nato and that
"the different brochures are distinguishable only by 'secret marks' printed

Historian Stephen Budiansky says: "There was a certain degree of deception
going on of the customers who were buying [machines] and thinking they were
getting something the same as what Hagelin was selling everywhere when in
fact it was a watered-down version."

Among the customers of Hagelin listed are Egypt, Iraq, Saudi Arabia, Syria,
Pakistan, India, Jordan and others in the developing world.

In the summer of 1958, army officers apparently sympathetic to Egyptian
President Gamal Abdel Nasser overthrew the regime in Iraq.

Historian David Easter, of King's College, London, says intelligence from
decrypted Egyptian communications was vital in Britain being able to rapidly
deploy troops to neighbouring Jordan to forestall a potential follow-up coup
against a British ally.

The 1955 deal also appears to have involved the NSA itself writing
"brochures", instruction manuals for the CX-52, to ensure "proper use".

One interpretation is these were written so certain countries could use the
machines securely - but in others, they were set up so the number of
possible permutations was small enough for the NSA to crack.

In the 1955 memo, Friedman told Hagelin he was well aware of the
businessman's "disinclination" to be paid as part of the deal.  However,
Hagelin went on, according to the memo, to express his gratitude to the NSA
for "what we had done and were continuing to do for various member of his
family".  This included intervening to ensure a son-in-law had his active
duty status in the US Air Force retained and a cousin of Hagelin's wife
seemingly being employed at the NSA.

Crypto AG chief executive, Giulliano Otth refused to comment on the "intense
private dialogue on various personal and professional subjects" that had
grown out of the friendship between Friedman and Hagelin in the 1950s.  The
company now "enjoys an excellent reputation with all its customers", and the
algorithms used in its modern products gave customers exclusive control, he
told the BBC.  "That is why it is technically impossible for third parties
to exert influence.  Not even Crypto AG has access," he said.

In a statement, a GCHQ spokesman said the agency "does not comment on its
operational activities and neither confirms nor denies the accuracy of the
specific inferences that have been drawn from the document you are
discussing".  "The documents... should be read against a background in which
the UK, the US and their allies faced the likelihood of open hostilities
with the Soviet bloc," he added.

The NSA also declined to comment on the specific conclusions.

But its associate director for policy and records, Dr David Sherman, told
the BBC: "It is not surprising to me that [the US and UK] would be very
concerned about the security of the communications of those West European
countries - [and] want to know what systems they might be using so that the
now sensitive communications of the Nato alliance are not vulnerable to
penetration by the Soviet Union.

"And simultaneously I think they are very concerned not to allow what we now
call strong encryption - powerful encryption products and machinery - to
fall into the hands of their adversaries including the Soviet Union and

You can listen to Document: The Crypto Agreement on BBC Radio 4 at 16:00 BST
on 28 July.

Chertoff Feb 2015: No Backdoors!

Henry Baker <>
Thu, 30 Jul 2015 10:32:41 -0700
FYI—Chertoff at the University of Delaware, 11 Feb 2015:

"we probably should not make it a legal requirement that companies maintain
an ability to decrypt encrypted communications"

"as a society we generally do not take the view that it's the responsibility
of the citizen to make life easy for the police"

"Targeted is good; indiscriminate is probably not good."

[Transcription below done by myself from the YouTube video.]

"Security expert Michael Chertoff discusses cybersecurity challenges,

Published on 11 Feb 2015

Noted security expert Michael Chertoff, who served as secretary of the
U.S. Department of Homeland Security from 2005-2009, delivered the
first University of Delaware Cybersecurity Initiative Distinguished
Lecture on Feb. 10, 2015.  Visit for more info.


Q: So it makes a lot of sense that risk management should be
trust-based and collaborative, and yet we've seen in very recent
history a push from the government for the criminalization of crypto,
between statements from the President and the Department of Justice,
they've made anti-encryption statements, and we've also seen the
recent history of the government pushing Silicon Valley operations
like Skype to put vulnerabilities in their software, so my question
is: 'why should citizens cooperate with the government that only wants
its people to have personal cybersecurity when it's convenient?'

Chertoff: So I think that's a fair question.

And I want to begin by saying a lot of these issues are debatable and
it's also true that the folks who are focused on having maybe limits
on crypto or want to have the capability to get into systems, are
actually often performing a different function from those who are
trying to defend systems, but I do think that what you point out, and
I think the discussion is beginning now, is we need perhaps to rethink
comprehensively some of the strategic trade-offs about what we do on
the offensive side and the defensive side.

So I'm going to give you a personal opinion, here.  Everything I've
said is a personal opinion, but I think that I've wrestled with the
question about whether we ought to restrict the ability to encrypt, as
a number of companies are now in the process of debating.  And if we
were to be a bit more precise, 'should we require companies that are
in the business of managing and running networks to have a back door
or to retain the capability to get into encrypted data apart from the
sender and the recipient?'.

This is, by the way, a recapitulation of a debate back in the 90's
about something that was called "Carnivore" which was a requirement
about what was then a concern about some of the communications

I guess I've come to the conclusion that we probably should not make
it a legal requirement that companies maintain an ability to decrypt
encrypted communications.

And I say that for two reasons.

I understand that there will be a cost to the government if you get a
device and you can't decrypt it and the company can't decrypt it and
the person who owns the device is not going to cooperate.  So I accept
that that's a cost in security.  But I think as a society we generally
do not take the view that it's the responsibility of the citizen to
make life easy for the police.  Otherwise, we would simply give
everybody a body camera and say you gotta wear this all the time and
record everything you do so when you commit a crime it's easy to
convict you.  So I'm not minimizing the security challenge, but I
think that as a society, we probably don't want to go that far.

There's a practical issue, too, which is: someone out there is going
to make a capability or device that's encrypted that doesn't have an
accessible opportunity for the person running the network to get at
the—to decrypt the data.  All that's going to happen is the bad
guys are going to go to that, and they're going to have the protection
anyway, and the good guys are going to wind up without that protection,
and some greater vulnerability.

On the issue of, again, implanting vulnerabilities, again I think
strategically it's a bad idea for this country if it were to say for
example, let's create a vulnerability and insert it in software that's
generally available or generally made part of the marketplace.  Again,
because I think we wind up—although it's an easier way to get
stuff.  I think we wind up hurting our values and frankly hurting our
interests, our economic interests, in basically saying our software
and hardware is not as secure as it could be because we've
deliberately made it insecure.

Now, by the way, I separate that from, you know, if I knew a
particular device was going to be delivered to the bomb-maker in Yemen
who's, you know, working for Al Qaeda, I'd be perfectly happy to put
a vulnerability in that device.  But that would be targeted.

I think we need to treat creating vulnerabilities in the same way we
talk about doing things in the physical world.  Targeted is good;
indiscriminate is probably not good.

Again, I acknowledge the fact these are hard decisions, and I've been
in the law enforcement community one way or another in the last 25-30
years, and a lot of my colleagues probably would disagree with me, but
again I do think we—one thing that cyber challenges you to do is to
recognize that you got to look at 360 degrees of the problem.  All too
often, people are very well meaning, but they have a particular
mission, and what they do is, I'm going to accomplish this mission and
that's all I want to do.

The job of our political leadership and the people at the very top of
organizations is always to say wait, before we do this, let's look at all
the dimensions, pluses and minuses, and make a strategic decision across
the entire spectrum of our national interests, which include our civil
liberties, our economics and our security interests, about where to draw the
balance.  And so, I think this is going to be part of again what we want to
discuss academically.

Re: Op-Ed Disappeared: *WaPo* production error

"Peter G. Neumann" <>
Thu, 30 Jul 2015 18:10:13 PDT
Apparently the *disappeared* item noted in RISKS-28.82 returned: *WaPo* says

  Clarification: Due to a production error, a version of this column was
  temporarily posted prematurely before the editing process was complete.

Premature emission of information?  Ah, yes, premature release seems to
happen occasionally, including to an article I was involved in, which
accidentally was released before its embargoed time.

In Microsoft's Nokia Debacle, a View of an Industry's Feet of Clay

Monty Solomon <>
Fri, 31 Jul 2015 08:50:15 -0400

The technology business is especially vulnerable to rapid, unforeseen
transformation, sometimes leading to the mass extinction of giant companies.

Windows XP: Embedded systems, what fun...

Gabe Goldberg <>
Wed, 29 Jul 2015 10:38:43 -0400
Windows XP just can't get to its end-of-life fast enough

What do an electronic safe and an undersea fiber optic cable-laying ship
have in common? Both are still using Windows XP as their underlying
operating system. As Microsoft releases Windows 10 this week and we start
getting those annoying upgrade messages, it might be amusing to note exactly
how hard it is to rid XP from the entire world. Killing off kudzu is
probably easier.

Windows 10 uses your bandwidth to send other people updates

Lauren Weinstein <>
Fri, 31 Jul 2015 12:04:53 -0700
TheNextWeb via NNSquad

  Windows 10 launched on July 29 to much fanfare—it's a free upgrade for
  Windows 7, 8 and 8.1 users—but along with the privacy issues, there's
  another small thing you should check: by default, Windows 10 uses your
  Internet connection to share updates with others across the Internet.

Without your affirmative permission in advance, this is *stealing*

Windows 10 Wi-Fi Sense feature shares your Wi-Fi network

Chris J Brady <>
Thu, 30 Jul 2015 03:01:33 -0700
Windows 10 has introduced Wifi Sense - which will - by default - share your
wifi passwords amongst your visiting friends and relatives, including
unknown strangers sitting in a car outside your house.

"The feature, which can automatically accept a Wi-Fi network's terms and
conditions and provide your name, email address or phone number on your
behalf, also allows you to share access to password-protected Wi-Fi networks
with and Skype contacts, as well as Facebook friends (via an
opt-in), all on a per-service rather than per-person basis."

This is automatically configured if you choose Express Install.

Astonishingly this will be an 'opt-out' feature - if you are savvy enough to
realise and understand what the risks are.

What could possibly go wrong?

Well a point missed by most reviewers is that Microsoft will establish a
truly enormous database of IP addresses, email addresses, and passwords etc.
- just asking to be hacked or reverse engineered.

Win10: Advertisers&FBI are the customers; you are the product

Henry Baker <>
Wed, 29 Jul 2015 11:21:47 -0700
FYI—Microsoft's new cloud facility in Bluffdale, UT, appears to be fully

Windows 10: the operating system only James Comey and Theresa Wright could

Windows 10 is free; free of any pretense at privacy.

'the operating system immediately syncs settings and *data* to the
company's servers'

'Cortana also learns about you by collecting data about how you use your
device and other Microsoft services, such as your music, alarm settings,
whether the lock screen is on, what you view and purchase, your browse and
Bing search history, and *more*'

Yes, but wait, there's "more" !

"Microsoft collects your voice input, as well as your name and nickname,
your recent calendar events and the names of people in your appointments,
and information about your contacts."

"Windows 10 automatically encrypts the drive ... and generates a BitLocker
recovery key.  That's backed up to your OneDrive account."

Right where James Comey can find it.

U.S. Decides to Retaliate Against China's Hacking

Monty Solomon <>
Fri, 31 Jul 2015 21:34:11 -0400

The Obama administration decided a response was needed after the Chinese
stole data on 20 million Americans from the Office of Personnel Management.

Group that hacked Anthem shared weaponized 0-days with rival attackers

Monty Solomon <>
Fri, 31 Jul 2015 08:09:58 -0400

Vizio IPO plan shows how its TVs track what you're watching

Gabe Goldberg <>
Tue, 28 Jul 2015 16:53:00 -0400
  [It's only fair—you watch TV, it watches you.]

We've never heard of Inscape before, but as explained in the S-1 Vizio filed
today, it's based on ACR (automatic content recognition) software licensed
from a third party, and viewers can opt-out of participating in it while
maintaining other connected features. That's actually fairly common in
modern TVs, and others like LG and Samsung have already rolled out features
based on the tech to do things like integrate with TV shows, or display ads
based on what the TV is showing. ACR software recognizes the video being
displayed, matches it up and phones home the data. According to Vizio, its
Inscape platform can pull some 100 billion anonymized datapoints from 8
million of its connected TVs every day.  That kind of data can be used for
ratings, and is valuable to both advertisers and content providers.

  [Henry Baker found similar items:

OwnStar: Researcher hijacks remote access to OnStar (Ars)

Monty Solomon <>
Fri, 31 Jul 2015 08:07:28 -0400

Study Of Spain's 'Google Tax' On News Shows How Much Damage It Has Done (TechDirt)

Lauren Weinstein <>
Wed, 29 Jul 2015 20:59:30 -0700

  However, the really telling part of the report is that this law that was
  passed in the name of helping news publications, ended up doing tremendous
  harm to many online publications—especially smaller sites that
  frequently (and happily) relied on Google News and other aggregators for a
  significant amount of traffic. The report points out that it wasn't just
  Google News that shut down because of this law: a whole bunch of local
  Spanish aggregators shut down themselves, switched business models
  entirely, or similarly left the Spanish market entirely.  The report notes
  that sites like Planeta Ludico, NiagaRank, InfoAliment and Multifriki shut
  down entirely, as they were scared of the economic and legal liability
  from the new law. The report notes the case of NiagaRank is particularly
  troubling as it has a wider impact on innovation in Spain ...

As Gomer Pyle would say, "Surprise, surprise, surprise." Great work,
Spain—if you're suicidal, that is.

SaaS: Surveillance as a Service

Henry Baker <>
Thu, 30 Jul 2015 07:36:40 -0700
"Rackspace hire two of three leaders of the US military's online operations

"... asking CPU makers to add security functions to silicon"—i.e., add
spying functions to silicon

Translation: pre-pwned CPU's for rent

Rackspace cooking up security-secret-sharing cloud cabal

Top-tier clouds invited into information-sharing club to speed defence

30 Jul 2015 at 06:31, Simon Sharwood

Rackspace is leading an effort to create a new group of top-tier cloud
companies that it hopes will share information about security in close to
real time.

Rackspace chief security officer Brian Kelly today told The Reg at a Sydney
event that he feels cloud companies have to take a lead to address security
challenges.  Rackspace, he said, operates a skunkworks in which it is
considering approaches such as asking CPU-makers to add security functions
to silicon in order to make dedicated security appliances less relevant.
That effort, he said, has seen Rackspace hire two of three leaders of the US
military's online operations squads because Rackspace wants that kind of
expertise and experience on staff.

Another approach Kelly feels is necessary is for cloud leaders to come
together to share information, so that when one detects an attack or a
threat, the others are quickly made aware of it.  All, it is hoped, will
therefore be better positioned to combat emerging threats.

Kelly said Rackspace has developed a platform to monitor its own systems for
attacks or emerging threats, and provide information on them at speed.  The
company hopes the new group will be willing to both consume that feed and
contribute to it.  Intel, Dropbox, Google, Microsoft and Amazon Web Services
are either on the target list or have already entered discussions about the

It's hoped the group will launch later this year.

Another new Rackspace initiative Kelly mentioned can be described as a
security operations centre-as-a-service.  Kelly said few organisations can
afford or have the capabilities to run a proper security operations centre
(SOC) and those that have subscribed to them often feel the experience is
poor because knowing about new threats is one thing but being ready and/or
able to combat them is another.

Kelly said Rackspace's service will deliver news of threats, but will meld
with its managed cloud to also offer remediation.

The new service is currently being piloted with two global customers, and is
planned to commence operations on 1 Oct 2015.

Major flaw could let lone-wolf hacker bring down swaths of Internet

Monty Solomon <>
Fri, 31 Jul 2015 08:05:45 -0400

Wassenaar on hold: Commerce Department Caves on Export Rules

"Peter G. Neumann" <>
Thu, 30 Jul 2015 18:04:27 PDT
"The ambiguity in the definitions used in these rules creates an
extraordinary gray area which makes it difficult for independent researchers
and small companies to determine what is included under the proposed
controls, especially the technology category," said Adam Ghetti, CTO of
Ionic Security. "It will have a disproportionate impact on those who are not
well versed in export controls."

"Most Android phones can be hacked with a simple MMS message or multimedia file" (Lucian Constantin)

Gene Wirchenko <>
Thu, 30 Jul 2015 10:03:49 -0700
Lucian Constantin, InfoWorld, 27 Jul 2015
Vulnerabilities in the Android multimedia framework allow attackers
to remotely compromise devices with ease, a researcher said

Re: Android Stagefright Flaws Put 950 million devices at risk

Wols Lists <>
Thu, 30 Jul 2015 23:37:05 +0100
And, yet again, locked apps are a pain in the proverbial. Hangouts, and
its predecessor, are apps I would have deleted from my phone the day I
bought it, except that I don't have permission to do so! (That's the
phone I had to bin, because forced updates ate all available memory...)

Re: NZ Harmful Digital Communications Bill—now Spain (Re: O'Keefe)

Chris Drewe <>
Sat, 01 Aug 2015 19:01:55 +0100
It seems Spain now has something similar:

James Badcock, *The Telegraph*, Madrid
First victim of Spain's 'gag law' fined for criticising 'lazy' police
A man has been fined for calling Spanish police 'lazy'

  Eduardo Díaz described his local police force as "slackers" on Facebook
  and a few hours later, they turned up on his doorstep and fined him.

Re: Hackable Car (RISKS-28.81)

Anthony Thorn <>
Thu, 30 Jul 2015 09:49:12 +0200
Electronic Aids

I think Michael Bacon's stated preference for his "old clunker" without
electronic driving aids may constitute throwing out the baby with the

Arguably the electronic aids prevent more accidents than they cause.

For example I personally appreciate the active cruise control (maintains
distance to vehicle ahead) particularly in bad visibility or heavy traffic,
and if anything I am surprised by how good the systems are at least compared
to my PC (-;.

I am also reminded of the Air France 447 disaster where the pilot
misunderstood the "electronic aids".  Probably more accidents are
prevented than are caused by these systems.

Of course this does not mean that the systems should not be improved.
Lastly if/when we have real evidence that electronic aids improve safety Mr
Bacon may HAVE to replace his "old clunker" !
