The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 01

Thursday 11 June 2014

Contents

Total Parenteral Nutrition software recall
Richard I Cook
A Computer Risk to Your Sleeping
jared gottlieb
Web browsing is copyright infringement, publishers argue
David Kravets via Dewayne Hendricks
When the Landline Is a Lifeline
Jon Brodkin via Dewayne Hendricks
IT pro gets 4 years in prison for sabotaging ex-employer's system
Chris Kanaracus via Monty Solomon
"Serious flaw in GnuTLS library endangers SSL clients and systems"
Lucian Constantin via Gene Wirchenko
Smart TVs subverted by radio attack
Michel Kabay
USDA and Submachine Guns: Latest Example of Mission Creep as Federal Policing Expands
Dave Farber
Computer passes Turing Test for first time by convincing judges it is a 13-year-old boy
Dante D'Orazio via Dewayne Hendricks
Would a Google car sacrifice you for the sake of the many?
David Weinberger via David Farber
Andrew Lippman
Internet Giants Erect Barriers to Spy Agencies
David Sanger and Nicole Perlroth via Lauren Weinstein
Cellphone operator reveals scale of government snooping
AP item via Lauren Weinstein
U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
Kim Zetter via Dewayne Hendricks
Why Are the US Marshals at the Center of All These Pen Registers?
emptywheel via David S. H. Rosenthal
Google Offers New Encryption Tool
Nicole Perlroth via Monty Solomon
"Redmond is patching Windows 8 but NOT Windows 7, say security bods"
Darren Pauli via Gene Wirchenko
EPIC reports Google to advertise on Nest thermostat, etc.
EPIC via Harry Hochheiser
FBI informant's role in cyberattacks by AntiSec
Prashanth Mundkur
Info on RISKS (comp.risks)

Total Parenteral Nutrition software recall

"Richard I Cook, MD" <ricookmd@gmail.com>
Sun, 25 May 2014 10:50:47 +0200
Total parenteral nutrition (intravenous feeding) is complicated to
administer and there are tools to assist in the preparation of
individualized dosing.  Because such nutrition is typically administered
weeks to years and the composition needs to change frequently (in instances,
daily) and because patients receiving this sort of treatment are invariably
quite ill, even relatively small flaws in the calculations can produce
significant physiological disturbances.

http://www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm398509.htm


A Computer Risk to Your Sleeping

jared gottlieb <jared@netspace.net.au>
Wed, 4 Jun 2014 09:40:25 -0600
A computer software and GUI sourced incident waking up a town in Colorado

Lafayette's 3 a.m. tornado-siren misfire blamed on human error,
'less-than-intuitive' software.
Officials say 'work around' in place, but new software needed.
Lafayette's tornado sirens mistakenly sound for 8 minutes in middle of night.

The Boulder County Sheriff's Office has determined that human error and a
"less-than-intuitive" software system were to blame for mistakenly off
Lafayette's tornado sirens in the middle of the night last month.

On May 22, Lafayette's emergency sirens were triggered at 3:07 a.m. by a
pager notification for an unrelated police operation. The sirens sounded for
about eight minutes until Boulder County dispatchers—alerted by incoming
calls from concerned Lafayette residents—shut them down at 3:15 a.m.,
officials said. ...

After investigators recreated the chain of events, officials said a
dispatcher accidentally set off the alarms while trying to send a staff
notification through the Computer Aided Dispatch (CAD) system, the same
software that launches the alert sirens, according to a release.

Officials believe that while trying to send out the notification, the
dispatcher received an error message and then tried to click an "OK" to
close the box. But the button to activate the alert sirens is directly
underneath the "OK" button in the error box, and the investigators believe
the dispatcher "inadvertently" selected that option. ...

Officials with the Boulder County Sheriff's Office dispatch center—which
handles Lafayette police dispatch duties—said it they have developed a
"work around" that will make it easier for dispatchers to confirm where
their pages are going. But they said the ultimate solution is to have the
Lafayette sirens operated through a standalone software system similar to
the one used by all other Boulder County alert sirens.

http://www.dailycamera.com/lafayette-news/ci_25892803/lafayettes-3-m-tornado-siren-misfire-blamed-human


Web browsing is copyright infringement, publishers argue (David Kravets)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Thursday, June 5, 2014
David Kravets, Ars Technica, 5 Jun 2014
Thankfully, European top court rules against the publishers' "irrational"
claims.
http://arstechnica.com/tech-policy/2014/06/web-browsing-is-copyright-infringement-publishers-argue/

Europeans may browse the Internet without fear of infringing copyrights, as
the EU Court of Justice ruled Thursday in a decision that ends a four-year
legal battle threatening the open Internet.

It was the European top court's second wide-ranging cyber ruling in less
than a month. The court ruled May 13 that Europeans had a so-called "right
to be forgotten" requiring Google to delete "inadequate" and "irrelevant"
data upon requests from the public. That decision is spurring thousands of
removal requests.

In this week's case, the court slapped down the Newspaper Licensing
Agency's (NLA) claim that the technological underpinnings of Web surfing
amounted to infringement.

The court ruled that "on-screen copies and the cached copies made by an
end-user in the course of viewing a website satisfy the conditions" of
infringement exemptions spelled out in the EU Copyright Directive. The
NLA's opponent in the case was the Public Relations Consultants Association
(PRCA). The PR group hailed the decision.

"We are utterly delighted that the CJEU has accepted all of our arguments
against the NLA, which represents eight national newspapers. The Court of
Justice, like the Supreme Court before them, understands that the NLA's
attempts to charge for reading online content do not just affect the PR
world, but the fundamental rights of all EU citizens to browse the
Internet," PRCA Director General Francis Ingham said. "This is a huge step
in the right direction for the courts as they seek ways to deal with the
thorny issues of Internet use and copyright law."

The NLA is the body that distributes reproductions of newspaper content,
including the Guardian's. Its main argument was the cost that the licensing
public relations companies pay for the reproductions should factor in to
what is temporarily copied on a reader's computer.

David Pugh, the NLA's managing director, said opponents were making the
case out to be as if the sky was falling, but it's not, he said. Pugh
believed the issue was much narrower than portrayed.

"In our view, [the temporary copying] exception is designed to protect ISPs
and telecoms companies when they're transmitting data from A to B in
networks. The PR spin put on this case was that if our ruling was allowed
to stand then users of the Internet would be criminalized for using a
browser, but that's never been what it's about," he said. [...]


When the Landline Is a Lifeline (Jon Brodkin)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Thursday, June 5, 2014
Jon Brodkin, *The New York Times* (via Dave Farber), 4 Jun 2014
http://www.nytimes.com/2014/06/05/opinion/when-the-landline-is-a-lifeline.html

AT&T and Verizon are pushing hard to shift traditional landline service,
which has mostly operated over copper lines, to a system of Internet-based
phones by around 2020. If the Federal Communications Commission approves the
switch as is, it could come as a shock to the 96 million Americans who still
rely on landlines.

The change itself is inevitable: the old copper lines are aging and
expensive to maintain. And the new system is already in use. As of December
2012, 42 million Americans had Internet-based phones. But moving to an all
Internet-based network will benefit Americans only if the F.C.C. is able to
protect them in the shift.

The new phones have some major technical flaws. They can't hold up during
long power failures or connect all emergency phone calls. But there are also
regulatory problems: The change in service could free the telecom industry
from its obligation to guarantee universal access and fair prices to
consumers.

As a result, people in remote or rural areas who rely on landlines could
end up paying a lot for a bad deal.

So-called common carrier rules have long required phone companies to offer
services to everyone, at reasonable rates. But in a series of decisions
beginning in 2002, the F.C.C. classified broadband Internet as an
“information service'' instead of a telecommunication service, freeing it
from these rules. For now, the F.C.C. hasn't weighed in on where the
Internet-based phones—also called VoIP, for voice over Internet protocol
-- stand, leaving them in regulatory limbo.

While the new phones all rely on the Internet, they don't all use the same
delivery mechanism. Fiber and cable are more reliable carriers than the
wireless network that cellphones also rely on. Without new regulations,
phone companies could refuse wired Internet service to remote areas where
it's not profitable to build it—a good 25 percent of AT&T's service area.

One key upside to the old telephone network is that it can draw electricity
from the copper wires, keeping residents connected to emergency services
even when power failures render lights and cellphones useless for days.
Alarm systems and medical alert devices often still rely on the traditional
landline system, and those will need to be safely moved to new networks.
Regardless, the phone companies are pushing ahead, sometimes without
permission from the F.C.C. In 2012, after Hurricane Sandy destroyed much of
the copper infrastructure in western Fire Island, N.Y., Verizon didn't want
to fix the phone lines. Instead, it proposed replacing them with Voice
Link, a substitute that connects to the cellular network.

Residents and government officials protested that these phones would be
less reliable and unable to last through power failures like the one that
had just crippled the island. Voice Link isn't compatible with fax machines
and medical alert systems, and its terms of service note that 911 calls
might not even go to emergency service providers but can be legally routed
to Verizon operators. [...]


IT pro gets 4 years in prison for sabotaging ex-employer's system (Chris Kanaracus)

Monty Solomon <monty@roscom.com>
Sun, 25 May 2014 17:59:18 -0400
Chris Kanaracus, Computerworld, 21 May 2014
Ricky Joe Mitchell must also pay more than $500,000 in restitution and fines

A former network engineer for oil and gas company EnerVest has been
sentenced to four years in federal prison after pleading guilty in January
to sabotaging the company's systems badly enough to disrupt its business
operations for a month.

Ricky Joe Mitchell of Charleston, West Virginia, must also pay $428,000 in
restitution and a $100,000 fine, according to an announcement this week from
U.S. Attorney Booth Goodwin's office.

In June 2012, Mitchell found out he was going to be fired from EnerVest and
in response he decided to reset the company's servers to their original
factory settings. He also disabled cooling equipment for EnerVest's systems
and disabled a data-replication process. ...

http://www.computerworld.com/s/article/9248499/IT_pro_gets_4_years_in_prison_for_sabotaging_ex_employer_39_s_system


"Serious flaw in GnuTLS library endangers SSL clients and systems" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 03 Jun 2014 12:43:03 -0700
Lucian Constantin, InfoWorld, 03 Jun 2014
Serious flaw in GnuTLS library endangers SSL clients and systems
A vulnerability patched in the GnuTLS library can potentially be
exploited from malicious servers to execute malware on computers
http://www.infoworld.com/d/security/serious-flaw-in-gnutls-library-endangers-ssl-clients-and-systems-243629


Smart TVs subverted by radio attack

Michel Kabay <mekabay@gmail.com>
Mon, 9 Jun 2014 08:25:41 -0400
In yet another demonstration of what happens when design includes weak
security, we have the appalling possibility that, say, Monty Python reruns
could be replaced by FAUX News broadcasts. Of course, some people argue that
FAUX News is actually a satirical series anyway.

http://www.bbc.co.uk/news/technology-27761756


USDA and Submachine Guns: Latest Example of Mission Creep as Federal Policing Expands

"Dave Farber via ip" <ip@listbox.com>
Sun, 8 Jun 2014 03:59:04 -0400
http://truth-out.org/news/item/24186-usda-and-submachine-guns-latest-example-of-mission-creep-as-federal-policing-expands#.U5QXqf8fbGU.gmail


Computer passes Turing Test for first time by convincing judges it is a 13-year-old boy (Dante D'Orazio)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Jun 8, 2014 4:14 PM
Dante D'Orazio, *The Verge*, 8 Jun 2014 (via Dave Farber)

http://www.theverge.com/2014/6/8/5790936/computer-passes-turing-test-for-first-time-by-convincing-judges-it-is

Eugene Goostman seems like a typical 13-year-old Ukrainian boy—at least,
that's what a third of judges at a Turing Test competition this Saturday
thought. Goostman says that he likes hamburgers and candy and that his
father is a gynecologist, but it's all a lie. This boy is a program created
by computer engineers led by Russian Vladimir Veselov and Ukrainian Eugene
Demchenko.

That a third of judges were convinced that Goostman was a human is
significant—at least 30 percent of judges must be swayed for a computer
to pass the famous Turing Test. The test, created by legendary computer
scientist Alan Turing in 1950, was designed to answer the question "Can
machines think?" and is a well-known staple of artificial intelligence
studies.

Goostman passed the test at the Turing Test 2014 competition in London on
Saturday, and the event's organizers at the University of Reading say it's
the first computer succeed. Professor Kevin Warwick, a visiting professor
at the university, noted in a release that "some will claim that the Test
has already been passed." He added that "the words Turing Test have been
applied to similar competitions around the world," but "this event involved
the most simultaneous comparison tests than ever before, was independently
verified and, crucially, the conversations were unrestricted."

The program nearly passed the test back in 2012, when 29 percent of judges
at another competition decided that it was a human. Despite the achievement,
the results are far from conclusive and they do not mean that the machines
are taking over the world—no matter what you read on the Internet. The
program is scripted with a personality that likely assisted in convincing
judges, and it is not the artificial intelligence you know from sci-fi
movies. This is no HAL from 2001: A Space Odyssey. For instance, the Turing
Test doesn't hinge on whether the computer's responses are correct or not --
it only involves the "humanness" of its answers. The test is carried out
over a text chat. Goostman's "age" may have also helped it pass the test. As
Veselov notes, "Our main idea was that he can claim that he knows anything,
but his age also makes it perfectly reasonable that he doesn't know
everything." [...]


Would a Google car sacrifice you for the sake of the many? (David Weinberger)

"David Farber via ip" <ip@listbox.com>
Sun, 8 Jun 2014 22:03:19 -0400
https://medium.com/@dweinberger/would-a-google-car-sacrifice-you-for-the-sake-of-the-many-e9d6abcf6fed

Plus: Networked Road Neutrality

1. The programmed morality of networked cars

Google self-driving cars are presumably programmed to protect their
passengers. So, when a traffic situation gets nasty, the car you're in will
take all the defensive actions it can to keep you safe.

But what will robot cars be programmed to do when there's lots of them on
the roads, and they're networked with one another?

We know what we as individuals would like. My car should take as its Prime Directive: “Prevent my passengers from coming to harm.'' But when the cars are networked, their Prime Directive well might be: “Minimize the amount of harm to humans overall.'' And such a directive can lead a particular car to sacrifice its humans in order to keep the total carnage down. Asimov's Three Rules of Robotics don't provide enough guidance when the robots are in constant and instantaneous contact and have fragile human beings inside of them.

It's easy to imagine cases. For example, a human unexpectedly darts
into a busy street. The self-driving cars around it rapidly communicate and
algorithmically devise a plan that saves the pedestrian at the price of
causing two cars to engage in a Force 1 fender-bender and three cars to
endure Force 2 minor collisions—but only if the car I happen to be
in intentionally drives itself into a concrete piling, with a 95% chance of
killing me. All other plans result in worse outcomes, where
“worse'' refers to some scale that weighs monetary damages,
human injuries, and human deaths.

Or, a broken run-off pipe creates a dangerous pool of water on the highway
during a flash storm. The self-driving cars agree that unless my car
accelerates and rams into a concrete piling, all other configurations of
joint actions result in a tractor trailing jack-knifing, causing lots of
death and destruction. Not to mention The Angelic Children's Choir
school bus that would be in harm's way. So, the swarm of robotic
cars makes the right decision and intentionally kills me.

In short, the networking of robotic cars will change the basic moral
principles that guide their behavior. Non-networked cars are presumably
programmed to be morally-blind individualists trying to save their
passengers without thinking about others, but networked cars will probably
be programmed to support some form of utilitarianism that tries to minimize
the collective damage. And that's probably what we'd
want. Isn't it?

But one of the problems with utilitarianism is that there turns out to be
little agreement about what counts as a value and how much it counts. Is
saving a pedestrian more important than saving a passenger? Is it always
right try to preserve human life, no matter how unlikely it is that the
action will succeed and no matter how many other injuries it is likely to
result in? Should the car act as if its passenger has seat-belted
him/herself in because passengers should do so? Should the cars be more
willing to sacrifice the geriatric than the young, on the grounds that the
young have more of a lifespan to lose? And won't someone please think about
the kids—those adorable choir kids?

We're not good at making these decisions, or even at having rational
conversations about them. Usually we don't have to, or so we tell
ourselves. For example, many of the rules that apply to us in public spaces,
including roads, optimize for fairness: everyone waits at the same stop
lights, and you don't get to speed unless something is relevantly different
about your trip: you are chasing a bad guy or are driving someone who
urgently needs medical care.

But when we are better able control the circumstances, fairness isn't always
the best rule, especially in times of distress. Unfortunately, we don't have
a lot of consensus around the values that would enable us to make joint
decisions. We fall back to fairness, or pretend that we can have it all. Or
we leave it to experts, as with the rules that determine who gets organ
transplants. It turns out we don't even agree about whether it's
morally right to risk soldiers' lives to rescue a captured comrade.

Fortunately, we don't have to make these hard moral decisions. The people
programming our robot cars will do it for us.

2. Networked Road Neutrality

Imagine the roadways are full of self-driving vehicles. Imagine that Google
remains in the lead, and the bulk of the cars carry their brand. And assume
that these cars are in networked communication with one another.

Can we assume that Google will support Networked Road Neutrality, so that
all cars are subject to the same rules, and there is no discrimination based
on contents (= passengers), origin, destination, or purpose of the trip?

Or would Google let you pay a premium to take the “fast
lane''? (For reasons of network optimization the fast lane probably
wouldn't actually be a designated lane but well might look much more like
how frequencies are dynamically assigned in an age of “smart
radios.'') We presumably would be ok with letting emergency vehicles
go faster than the rest of the swarm, but how about letting the rich folks
pay to go faster by programming the other robot cars to give way when a car
with its “Move aside!'' bit is on?

Let's say Google supports a strict version of Networked Road
Neutrality. But, suppose Comcast starts to make cars, and programs them to
get ahead of the cars that choose to play by the rules. Would Google cars
take action to block the Comcast cars from switching lanes to gain a speed
advantage—perhaps forming a cordon around them? Would that be
legal? Would selling a virtual fast lane on a public roadway be legal in the
first place? And who gets to decide? The FCC?

One thing is sure: It'll be a golden age for lobbyists.


Would a Google car sacrifice you for the sake of the many?

*Andrew Lippman* <lip@media.mit.edu>
Sunday, June 8, 2014
  [Via Dave Farber's IP distribution.  PGN]

It's easy to imagine dystopian outcomes and unanticipated consequences for
all actions.  Can the author of this note comment on the likelihood of the
occasion he postulates, or the likelihood of such programming?  To date,
there is no evidence of such programming and no reason to foresee it.

On the other hand, there is quite good reason to expect that as the number
of autonomous vehicles grows, we can expect safer roads, less stressed
drivers, and relief from rush hour agony behind the wheel [*].  We already
almost do that with lane change alarms and active cruise control.  We are
one short step away from letting go the wheel entirely in many
circumstances.  Further, a more likely path for these cars to take is that
the require an an attentive driver well before they own the roadways.  We
should live so long!

This kind of argument is reminiscent of the argument raised over caller ID
twenty-five years ago.  Yes, it can be misused, but are we better off for
it? I think so.

   [* PGN adds, What could possibly go wrong?  Some RISKS readers may
   disagree with this sentence, based on all sorts of threats,
   vulnerabilities, and past experience with human nature.]


Internet Giants Erect Barriers to Spy Agencies

Lauren Weinstein <lauren@vortex.com>
Fri, 6 Jun 2014 19:42:28 -0700
David Sanger and Nicole Perlroth, *The New York Times* via NNSquad, 6 Jun 2014
http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barriers-to-spy-agencies.html

  "Just down the road from Google's main campus here, engineers for the
  company are accelerating what has become the newest arms race in modern
  technology: They are making it far more expensive and far more difficult
  for the National Security Agency and the intelligence arms of other
  governments around the world to pierce their systems."


Cellphone operator reveals scale of government snooping

Lauren Weinstein <lauren@vortex.com>
Fri, 6 Jun 2014 20:25:39 -0700
*The Washington Post* via  NNSquad
http://www.washingtonpost.com/world/middle_east/cellphone-operator-reveals-scale-of-govt-snooping/2014/06/06/b703183c-edc3-11e3-8a8a-e17c08f80871_story.html

  "But the most explosive revelation in Vodaphone's report is that in six
  countries, authorities require direct access to an operator's network,
  bypassing legal niceties like warrants and eliminating the need to get
  case-by-case cooperation from phone-company employees. It did not name the
  countries for legal reasons and to safeguard employees working there."


U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU (Kim Zetter)

Dewayne Hendricks <dewayne@warpspeed.com>
June 4, 2014 at 9:53:09 AM EDT
Kim Zetter, *WiReD*, 3 Jun 2014  (via Dave Farber)
<http://www.wired.com/2014/06/feds-seize-stingray-documents/>

A routine request in Florida for public records regarding the use of a
surveillance tool known as stingray took an extraordinary turn recently when
federal authorities seized the documents before police could release them.

The surprise move by the U.S. Marshals Service stunned the American Civil
Liberties Union, which earlier this year filed the public records request
with the Sarasota, Florida, police department for information detailing its
use of the controversial surveillance tool.

The ACLU had an appointment last Tuesday to review documents pertaining to a
case investigated by a Sarasota police detective. But marshals swooped in at
the last minute to grab the records, claiming they belong to the
U.S. Marshals Service and barring the police from releasing them.

ACLU staff attorney Nathan Freed Wessler called the move “truly
extraordinary and beyond the worst transparency violations'' the group has
seen regarding documents detailing police use of the technology.

“This is consistent with what we've seen around the country with federal
agencies trying to meddle with public requests for stingray information,''
Wessler said, noting that federal authorities have in other cases invoked
the Homeland Security Act to prevent the release of such records. “The feds
are working very hard to block any release of this information to the
public.''

Stingrays, also known as IMSI catchers, simulate a cellphone tower and trick
nearby mobile devices into connecting with them, thereby revealing their
location. A stingray can see and record a device's unique ID number and
traffic data, as well as information that points to its location. By moving
a stingray around, authorities can triangulate a device's location with
greater precision than is possible using data obtained from a carrier's
fixed tower location.

The records sought by the ACLU are important because the organization has
learned that a Florida police detective obtained permission to use a
stingray simply by filing an application with the court under Florida's
“trap and trace'' statute instead of obtaining a probable-cause
warrant. Trap and trace orders generally are used to collect information
from phone companies about telephone numbers received and called by a
specific account. A stingray, however, can track the location of cell
phones, including inside private spaces.

The government has long asserted it doesn't need a probable-cause warrant to
use stingrays because the device doesn't collect the content of phone calls
and text messages, but instead operates like pen-registers and
trap-and-traces, collecting the equivalent of header information. The ACLU
and others argue that the devices are more invasive than a trap-and-trace.

Recently, the Tallahassee police department revealed it had used stingrays
at least 200 times since 2010 without telling any judge because the device's
manufacturer made the police department sign a non-disclosure agreement that
police claim prevented them from disclosing use of the device to the
courts. ...


Why Are the US Marshals at the Center of All These Pen Registers? (emptywheel)

"David S. H. Rosenthal" <dshr@abitare.org>
June 4, 2014 at 12:18:08 EDT
Re: U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
[Note:  This comment comes to RISKS via Dewayne Hendricks and Dave Farber).

> U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
> Kim Zetter
> Jun 3 2014
> <http://www.wired.com/2014/06/feds-seize-stingray-documents/>

Why Are the US Marshals at the Center of All These Pen Registers?
By emptywheel
Jun 4 2014
<http://www.emptywheel.net/2014/06/04/why-are-the-us-marshals-at-the-center-of-all-these-pen-registers/>

The US Marshal Service shows up prominently in two Pen Register stories from
yesterday.

First, as part of a great story from WSJ's Jen Valentino-Devries mapping out
how many federal criminal electronic records requests never get unsealed?

In eight years as a federal magistrate judge in Texas, Brian Owsley approved
scores of government requests for electronic surveillance in connection with
criminal investigations—then sealed them at the government's request. The
secrecy nagged at him.

So before he left the bench last year, the judge decided to unseal more than
100 of his own orders, along with the government's legal justification for
the surveillance. The investigations, he says, involved ordinary crimes such
as bank robbery and drug trafficking, not “state secrets.'' Most had long
since ended.

A senior judge halted the effort with a one-paragraph order that offered no
explanation for the decision and that itself was sealed.

She released this summary of all the Federal Pen Register/Trap and Trace
requests in 2012. As she pointed out on Twitter, the greatest number of
requests don't come from FBI. They come from the USMS, which submitted
almost half of all requests that year, with 9,132.

Then, the ACLU revealed that, just before an appointment to view Sarasota,
Florida's requests under the Pen Register authority to use Stingray IMSI
catchers to identify cell locations, the US Marshals declared control over
the records, claiming they had deputized the local cop who had made the
requests. [...]


Google Offers New Encryption Tool

*Monty Solomon* <monty@roscom.com>
Thursday, June 5, 2014
Nicole Perlroth, *The New York Times*, 3 Jun 2014

The National Security Agency's snooping is about to get more difficult.

Google on Tuesday released the source code for a new extension to its Chrome
browser that will make it a lot easier for users to encrypt their email.

The tool, called End-to-End, uses an open-source encryption standard,
OpenPGP, that will allow users to encrypt their email from the time it
leaves their web browser until it is decrypted by the intended recipient. It
will also allow users to easily read encrypted messages sent to their web
mail service. The tool will require that users and their recipients use
End-to-End or another encryption tool to send and read the contents.

This could be a major blow to the NSA.  Despite numerous cryptographic
advances over the past 20 years, end-to-end email encryption like PGP and
GnuPG is still remarkably labor-intensive and require a great deal of
technical expertise. User mistakes—not errors in the actual cryptography --
often benefited the NSA in its decade-long effort to foil encryption. ...

http://bits.blogs.nytimes.com/2014/06/03/google-offers-new-encryption-tool/

http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html

https://code.google.com/p/end-to-end/


"Redmond is patching Windows 8 but NOT Windows 7, say security bods"

Gene Wirchenko <genew@telus.net>
Mon, 09 Jun 2014 09:39:06 -0700
Darren Pauli, *The Register*, 6 Jun 2014
New tool checks differences, could lead to 0-day bonanza
http://www.theregister.co.uk/2014/06/06/patch_piker_redmond_means_win_8_fixes_skip_7_researchers_say/


EPIC reports Google to advertise on Nest thermostat, etc.

Harry Hochheiser <harry@alum.mit.edu>
Mon, 9 Jun 2014 01:34:16 +0000
Although the invasiveness of the advertising is the obvious first concern, a
bigger problem would seem to lie in the implications of the data that might
be collected. Will Google be able to infer—and sell to advertisers --
details about household habits? Who's been at home when, and what have they
eaten?  Can we really believe that no information would leak from these
gadgets back to Google's data centers?  [HH]

EPIC Alert, Volume 21.10, 30 May 2014 <http://www.epic.org>
Google Plans Advertising on Appliances, Including Nest Thermostat

In a letter to the US Securities and Exchange Commission, Google announced
plans to place targeted ads on Google-controlled appliances.  "A few years
from now, we and other companies could be serving ads and other content on
refrigerators, car dashboards, thermostats, glasses, and watches, to name
just a few possibilities," Google wrote. The proposal raises significant
privacy concerns for the "Internet of Things." Earlier in 2014, EPIC warned
the FTC about Google's acquisition of Nest Labs, maker of a smart
thermostat, stating, "Google regularly collapses the privacy policies of the
companies it acquires."  Nevertheless, the Commission approved Google's
acquisition without further review.

 [Lots of URLs included in the EPIC Alert, truncated for RISKS.  PGN]


FBI informant's role in cyberattacks by AntiSec

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Sat, 7 Jun 2014 01:15:33 -0700
Daily Dot and Motherboard have come out with reporting based on access to
sealed documents from the Monsegur trial.  Daily Dot focuses on the domestic
Stratfor hack, while Motherboard focuses on the international hacks, mainly
Brazil.

http://www.dailydot.com/politics/hammond-sabu-fbi-stratfor-hack/
http://motherboard.vice.com/read/exclusive-how-an-fbi-informant-helped-anonymous-hack-brazil

Monsegur was complimented for his "extraordinary cooperation" with the FBI.
Indeed, the word 'extraordinary' appears an extraordinary number of times in
his sentencing transcript:
http://cryptome.org/2014/05/monsegur-sentencing.htm

Please report problems with the web pages to the maintainer