The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 08

Saturday 19 July 2014

Contents

Dreams of rescuing a retired NASA probe come to an end
Tom Warren via Dewayne Hendricks
Lethal Weapon: The Self Driving Car
Steve Lamont
FRANCE: Blogger fined over review's Google search placement
BBC via Lauren Weinstein
Vint Cerf on The Colbert Report
Bill Daul
Boleto malware may lose Brazil $3.75bn
Chris J Brady
Disk-sniffing dogs find thumb drives, DVD's?
Katie Mulvaney via Henry Baker
Paid Android Wear apps don't work, thanks to DRM
Ron Amadeo via Monty Solomon
Goldman Sachs demands Google unsend one of its e-mails
Casey Johnston via Monty Solomon
Court-approved wiretaps defeating encryption, feds say
David Kravets via Monty Solomon
"Sex, spies, and the cloud: NSA revelations continue to weaken confidence"
David Linthicum via Gene Wirchenko
"Massachusetts high court orders suspect to decrypt his computers"
Cyrus Farivar via Gene Wirchenko
Congress is overdue in dealing with the cybersecurity threat
WashPost
"Better patch Flash: 'Rosetta Flash' attack can steal site cookies"
Serdar Yegulalp via Gene Wirchenko
Scholarly journal retracts 60 articles, smashes peer review ring
Fred Barbash via Henry Baker
It's Twitter vs. Free Speech, And Free Speech Is Losing - ReadWrite
Gabe Goldberg
"Microsoft zaps bogus SSL certs with emergency patch 2982792"
Woody Leonhard via Gene Wirchenko
"Horrifying confessions of a security sleuth"
Eric Knorr via Gene Wirchenko
Re: Unix "*" wildcards considered harmful
Gene Wirchenko
Michael Kohne
Dave Horsfall
Re: Facebook purposely manipulated news feeds to experiment with users' emotions
Bill Gunshannon
Info on RISKS (comp.risks)

Dreams of rescuing a retired NASA probe come to an end (Tom Warren)

Dewayne Hendricks <dewayne@warpspeed.com>
July 10, 2014 at 1:21:34 PM EDT
Tom Warren, *The Verge* 20 Jul 2014
Engines fail to reignite in $160,000 crowdfunding effort

  [A subsequent excellent item by Keith Cowing, co-leader of the ISEE-3
  Reboot Project (whom Tom Warren quotes, below), Lost and Found in Space:
  Crowdsourcing finds new frontiers with a spaceship's reboot. is an Op-Ed
  in today's issue of *The New York Times*, 19 July 2014—well worth
  reading!  It has a considerably more positive and construcive spin.  PGN]

<http://www.theverge.com/2014/7/10/5886807/isee-3-space-probe-rescue-ends>

Efforts to resurrect the vintage ISEE-3 space probe have ended in
disappointment. The probe was launched by NASA in 1978 to measure solar
winds, but decommissioned in 1997 as the craft drifted farther and farther
from Earth. A group of former NASA employees launched a $160,000
crowdfunding effort in 2008 to attempt to return the probe to active duty,
but despite a promising start earlier this week the mission is largely
over. The team successfully fired the ISEE-3's thrusters at the weekend, but
additional efforts to spin the craft into a new orientation towards Earth
have failed.

The promising engine firings over the weekend could have been the result of
burned fuel that was already in the fuel lines, but attempts on Tuesday and
Wednesday failed because the nitrogen tanks aren't working or are empty. "At
this point we're sort of scratching our heads," says Keith Cowing, a former
NASA employee working on the project, in an interview with NPR. "We may take
one last run at the spacecraft but this may be it for an attempt to bring it
back to Earth." The ISEE-3 space probe has now been switched to a mode that
allows its instruments to collect and beam back data to Earth.
Communications are expected to last around another three months before the
craft drifts too far away from Earth to realistically be rescued again.


Lethal Weapon: The Self Driving Car

Steve Lamont
Thu, 17 Jul 2014 10:10:14 -0700
http://www.bbc.com/news/technology-28344219

  Driverless cars, such as those being developed by Google, could be lethal
  weapons, the FBI has reportedly warned.  An internal report, obtained by
  *The Guardian*, said the vehicles could be "game changing" for law
  enforcement.  The report noted criminals using automated cars would have
  both hands free and be able to take their eyes off the road during a car
  chase.  But it said that driverless vehicles could help the emergency
  services by automatically clearing a path for them.

  In the report, which was marked restricted and obtained under a public
  records request, the FBI predicted the vehicles "will have a high
  impact on transforming what both law enforcement and its adversaries
  can operationally do with a car".

  And, under the heading "Multitasking", the FBI said that "bad actors will
  be able to conduct tasks that require use of both hands or taking one's
  eyes off the road which would be impossible today".  That raised the
  prospect that suspected criminals would be able to fire weapons at
  pursuing police cars. ]...]


FRANCE: Blogger fined over review's Google search placement

Lauren Weinstein <lauren@vortex.com>
Wed, 16 Jul 2014 12:02:59 -0700
BBC via NNSquad
http://www.bbc.com/news/technology-28331598

  A French judge has ruled against a blogger because her scathing restaurant
  review was too prominent in Google search results.  The judge ordered that
  the post's title be amended and told the blogger Caroline Doudet to pay
  damages [$2000!]. Ms Doudet said the decision made it a crime to be highly
  ranked on search engines.  The restaurant owner said the article's
  prominence was unfairly hurting his business.  Ms Doudet was sued by the
  owner of Il Giardino restaurant in the Aquitaine region of southwestern
  France after she wrote a blogpost entitled "the place to avoid in
  Cap-Ferret: Il Giardino".  According to court documents, the review
  appeared fourth in the results of a Google search for the restaurant. The
  judge decided that the blog's title should be changed, so that the phrase:
  "the place to avoid" was less prominent in the results.  The judge sitting
  in Bordeaux also pointed out that the harm to the restaurant was
  exacerbated by the fact that Ms Doudet's fashion and literature blog
  "Cultur'elle" had around 3,000 followers, indicating she thought it was a
  significant number.

 - - -

I hope French readers of this are as humiliated and embarrassed as they
should be. "Liberty, Equality, Fraternity"...? Looks like Inspector
Clouseau is running the store.


Vint Cerf on The Colbert Report

Bill Daul <bdaul@pacbell.net>
Wed, 16 Jul 2014 00:21:31 -0700
http://thecolbertreport.cc.com/  look for July 15th and Vint.


Boleto malware may lose Brazil $3.75bn

Chris J Brady <chrisjbrady@yahoo.com>
Mon, 7 Jul 2014 14:25:33 -0700
"Researchers from an American security company have unearthed a substantial
malware-based fraud ring.  The operation has infiltrated one of Brazil's
most popular payment methods, Boleto, for two years.  An estimated 495,753
Boleto transactions have been compromised, which means the hackers could
have stolen up to $3.75bn.

https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/

"... this will have been the largest electronic theft in history if even
half of the valued worth turns out to be in the hands of criminals,
according to the New York Times."


Disk-sniffing dogs find thumb drives, DVD's?

Henry Baker <hbaker1@pipeline.com>
Mon, 07 Jul 2014 18:37:52 -0700
FYI—No doubt, the dogs smell the FAT in the file system.  If dogs can
really do this, I foresee an uptick in coffee-scented thumb drives. ;-)

This stunt is analogous to "MPAA's Anti-Piracy Dogs Visit Elementary
School"; see article below; I wonder if dogs can smell the difference
between DVD+R's and DVD-R's...

Katie Mulvaney, *Providence Journal*, 5 July 2014
New methods to combat growth of Internet child porn in Rhode Island
http://www.providencejournal.com/breaking-news/content/20140705-new-methods-to-combat-growth-of-internet-child-porn-in-rhode-island.ece

State Police Detective Adam Houston takes Thoreau from his cruiser.  The
yellow lab, 2, is trained to sniff out devices such as thumb drives and hard
drives that child porn traffickers use to store photos of children.

From a bank of computers at state police headquarters, detectives tap into a
network of child pornography traffickers. ...

Golden Labrador

The state police, through the task force, are also taking a new approach.
The recent arrival of golden Labrador Thoreau makes Rhode Island the second
state in the nation to have a police dog trained to sniff out hard drives,
thumb drives and other technological gadgets that could contain child
pornography.

Thoreau received 22 weeks of training in how to detect devices in exchange
for food at the Connecticut State Police Training Academy.

Given to the state police by the Connecticut State Police, the dog assisted
in its first search warrant in June pinpointing a thumb drive containing
child pornography hidden four layers deep in a tin box inside a metal
cabinet.  That discovery led the police to secure an arrest warrant, Yelle
says.

“If it has a memory card, he'll sniff it out,'' Detective Adam Houston,
Thoreau's handler, says.

At times, child pornographers hide devices in ceiling tiles or even radios.

Houston demonstrated the dog's skills last month.  Houston walked the dog
through a room in which he had hidden devices.  A second pass went more
slowly, with Houston coaxing the dog.  “Show me. Show me.''

Thoreau furiously sniffed shelves, desks, cabinets.  The dog located a hard
drive inside a Ziploc bag in the upper shelf of a desk.  A flash drive and
thumb drive were also found, with the dog zeroing in on their location down
to the exact drawer.  In exchange, Thoreau got food.

“This is how he eats every day,'' says Houston, who cares for the dog
around the clock. ...

http://pctechtalk.com/topic/68819-mpaas-anti-piracy-dogs-visit-elementary-school/

  [Henry included an older relevant item:]

MPAA's Anti-Piracy Dogs Visit Elementary School
Started by kingace , Apr 25 2008 01:36 PM

Lucky and Flo used to help "educate" kids about the "importance of copyright
laws."

Lucky and Flo, the world's first-ever DVD-sniffing dogs, made a visit to
Clover Avenue Elementary School in Los Angeles a few days ago to kick-off a
three-city North American tour that will include visits to Mexico City and
Washington DC in honor of World Intellectual Property Day.

The MPAA teamed up with Los Angeles City Councilmember Wendy Greuel—Chair
of the Los Angeles Anti-Piracy Task Force—and Internet safety expert
Dr. Parry Aftab to talk to Clover's fourth and fifth graders about the
importance of copyright protection with the assistance of the MPAA's very
own Lucky and Flo.

"Lucky and Flo have traveled all over the world assisting law enforcement
officials in tracking down pirate operations and have helped raise global
awareness about the problem of motion picture piracy.  These special dogs
are helping us educate children about the importance of respecting
copyrights while presenting it in a fun and exciting way," said MPAA
executive vice president and director of worldwide anti-piracy operations
John Malcolm.

But, what's unclear is why such young children must be subject to such
efforts.  Certainly showing them two DVD-sniffing canines is meant to scare
them to some degree.  Why else would they tout their ability to sniff out
pirated goods?  I'll bet they even did a demonstration where they hid a
pirated DVD in one of the kids' lockers for Lucky or Flo to find, further
frightening young children into copyright law submission.

"Education is key to further any efforts undertaken to protect intellectual
property.  By speaking to kids at this age level we are working to instill
early-on the importance of protecting copyrights and the negative
consequences of piracy," said council member Greuel.  "Film piracy harms
local economies, kills jobs and impacts everyone who is involved in the
production and distribution of movies."

Yet, again we have a case of copyright holders using heavy-handed tactics to
"educate people."  Surely these elementary school age children are too young
to sell bootleg DVDs so is it digital piracy that it's concerned with?  If
this is the case I hope someone tells the kids that Lucky and Flo can't
detect pirated movies on your hard disk drive.

http://www.zeropaid.com/news/9429/MPAA%27s+Anti-Piracy+Dogs+Visit+Elementary+School


Paid Android Wear apps don't work, thanks to DRM (Ron Amadeo)

Monty Solomon <monty@roscom.com>
Tue, 8 Jul 2014 01:40:09 -0400
Ron Amadeo, Ars Technica, 7 Jul 2014
Apps install from phone to watch, but the encryption key gets lost.

With smartwatches running Android Wear slowly starting to trickle out into
the world, developers are coming to grips with Google's new wearable
platform. In doing so, they have found one of its first big bugs: paid apps
don't work. ...

http://arstechnica.com/gadgets/2014/07/google-drm-bug-blocks-paid-android-wear-apps/


Goldman Sachs demands Google unsend one of its e-mails (Casey Johnston)

Monty Solomon <monty@roscom.com>
Tue, 8 Jul 2014 01:43:04 -0400
Casey Johnston, Ars Technica, 2 Jul 2014
A court order is on the table for Google to undo Goldman Sachs' mistake.

Google won't delete Gmail message without a court order, but it will block.
Goldman Sachs has demanded a court order to get Google to unsend an e-mail
that the bank sent in error, according to Reuters' report Wednesday. The
e-mail contained "highly confidential" information addressed to the wrong
account, a mistake on Goldman Sachs' part that Google hasn't yet been
tempted to rectify. ...

http://arstechnica.com/business/2014/07/goldman-sachs-demands-google-unsend-one-of-its-e-mails/


Court-approved wiretaps defeating encryption, feds say (David Kravets)

Monty Solomon <monty@roscom.com>
Tue, 8 Jul 2014 01:46:28 -0400
David Kravets, Ars Technica, 2 Jul 2014
Authorities are likely to confront growing number of encrypted devices.

The use of court-approved wiretaps in domestic criminal cases in 2013
increased five percent from the year before, and authorities largely
defeated encryption methods on the mobile, landline, and other devices they
tapped, according to a report Wednesday from the US agency that oversees the
country's court system.

The Administrative Office of the United States Courts, using the latest
available figures, said there were 3,576 wiretaps reported.  That
represented a nine-percent bump in federal court orders and a three percent
increase from state judges. The report said that only one wiretap
application was denied for all of 2013.

When it comes to cracking encryption, the authorities said they encountered
encryption 41 times, up from 15 the year before. ...

http://arstechnica.com/tech-policy/2014/07/court-approved-wiretaps-defeating-encryption-feds-say/


"Sex, spies, and the cloud: NSA revelations continue to weaken confidence" (David Linthicum)

Gene Wirchenko <genew@telus.net>
Tue, 08 Jul 2014 09:17:30 -0700
David Linthicum, InfoWorld, 08 Jul 2014
Sex, spies, and the cloud: NSA revelations continue to weaken confidence
Washington Post investigation asserts that the NSA collects data
mostly from ordinary citizens, not potential terrorists
http://www.infoworld.com/d/cloud-computing/sex-spies-and-the-cloud-nsa-revelations-continue-weaken-confidence-245658

opening text:

According to a four-month investigation by *The Washington Post* based on
information provided by Edward Snowden, ordinary Internet users far
outnumber legally targeted foreigners in the communications intercepted by
the National Security Agency from U.S. digital networks.

Indeed, 9 of 10 account holders found in a large store of intercepted
electronic conversations, which Snowden provided in full to the Post, were
not the intended surveillance targets. Instead, they were gathered as part
of the NSA's monitoring of other people of interest.


"Massachusetts high court orders suspect to decrypt his computers" (Cyrus Farivar)

Gene Wirchenko <genew@telus.net>
Tue, 08 Jul 2014 19:18:59 -0700
Cyrus Farivar. Ars Technica, 26 Jun 2014
Law & Disorder / Civilization & Discontents
Suspect told cops: "Everything is encrypted and no one is going to get to it."
http://arstechnica.com/tech-policy/2014/06/massachusetts-high-court-orders-suspect-to-decrypt-his-computers/


Congress is overdue in dealing with the cybersecurity threat

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 14 Jul 2014 15:02:52 PDT
Editorial Board of *The Washington Post*, 13 Jul 2014

The Internet security company Symantec revealed recently that a group of
hackers known as Dragonfly infiltrated malware into legitimate software
belonging to three manufacturers of industrial control systems—the
stuff that controls factories and power grids. In one case, the contaminated
control software was downloaded 250 times by unsuspecting users before the
compromise was discovered.

This kind of cyberattack is not new, but it is audacious and dangerous. One
of the first such assaults was the Stuxnet campaign, which had sabotage as
its primary goal, against the Iranian nuclear program. By contrast,
Dragonfly was a multi-pronged infiltrator, aimed at cyber-espionage and
gaining long-term access to computers, with sabotage as a future option,
perhaps flicking off the electrical power to a city or shutting down a
factory. Dragonfly probably was state-sponsored from somewhere in Eastern
Europe.

Not alarmed? Then take a look at a proposal from the Securities Industry an
d Financial Markets Association. According to Bloomberg, Wall Street's
biggest trade group has suggested setting up a high-level U.S.
government-industry council to deal with cyberthreats. What do they fear?
Attacks that “destroy data and machines'' and could lead to runs on
financial institutions, loss of confidence in the banking system and
“devastating'' consequences for the economy. The group predicts attacks
could result in “account balances and books and records being converted to
zeros,'' Bloomberg reported on 8 Jul.

A torrent of cyberattacks—disruption, espionage, theft—is costing
U.S. business and government billions of dollars. This is reality, not
science fiction. In March, Chinese hackers broke into the U.S. government
agency that houses the personal information of all federal employees.

For several years, it has been clear to many in government and the private
sector that the nation needs to vastly improve protection of its private
networks and that only government has the sophisticated tools to do
that. But Congress has balked at legislation that would ease the necessary
cooperation.

Thus it was encouraging to see the Senate Select Committee on Intelligence
vote 12 to 3 last week to approve a cybersecurity bill that would begin to
bridge the gap. Its prospects in the full Senate are uncertain. A similar
bill passed the House last year.

Understandably, the legislation has triggered alarms about invasion of
privacy. There are legitimate fears that the National Security Agency and
U.S. Cyber Command will, in pursuit of cybersecurity, scoop up too much
information about Americans. Certainly, the disclosures by former contractor
Edward Snowden about how much the NSA vacuumed up in telephone and Internet
data have undermined confidence in the government. But this supercharged
privacy debate should not stand in the way of a good cybersecurity
bill. Rather, it is a reason for Congress to build in workable and
sufficient privacy protections and get on with passing legislation that is
long overdue.


"Better patch Flash: 'Rosetta Flash' attack can steal site cookies" (Serdar Yegulalp)

Gene Wirchenko <genew@telus.net>
Wed, 09 Jul 2014 17:58:16 -0700
Serdar Yegulalp | InfoWorld, 09 Jul 2014
Better patch Flash: 'Rosetta Flash' attack can steal site cookies
A new proof-of-concept attack exploits a bug in Adobe Flash that
allows stealing of user credentials across websites
http://www.infoworld.com/t/hacking/better-patch-flash-rosetta-flash-attack-can-steal-site-cookies-245801


Scholarly journal retracts 60 articles, smashes peer review ring (Fred Barbash)

Henry Baker <hbaker1@pipeline.com>
Fri, 11 Jul 2014 03:58:44 -0700
FYI—Is this case of scholar misconduct really rare, or merely rarely
uncovered?

Fred Barbash, *The Washington Post*, 10 Jul 2014
http://www.washingtonpost.com/news/morning-mix/wp/2014/07/10/scholarly-journal-retracts-60-articles-smashes-peer-review-ring/

Every now and then a scholarly journal retracts an article because of errors
or outright fraud.  In academic circles, and sometimes beyond, each
retraction is a big deal.

Now comes word of a journal retracting 60 articles at once.

The reason for the mass retraction is mind-blowing: A peer review and
citation ring was apparently rigging the review process to get articles
published.

You've heard of prostitution rings, gambling rings and extortion rings.  Now
there's a peer-review ring.

The publication is the Journal of Vibration and Control (JVC).  It publishes
papers with names like “Hydraulic engine mounts: a survey'', and
“Reduction of wheel force variations with magnetorheological devices.''

The field of acoustics covered by the journal is highly technical:

Analytical, computational and experimental studies of vibration phenomena
and their control.  The scope encompasses all linear and nonlinear vibration
phenomena and covers topics such as: vibration and control of structures and
machinery, signal analysis, aeroelasticity, neural networks, structural
control and acoustics, noise and noise control, waves in solids and fluids
and shock waves.

JVC is part of the SAGE group of academic publications.

Here's how it describes its peer review process:

[The journal] operates under a conventional single-blind reviewing policy in
which the reviewer's name is always concealed from the submitting author.

All manuscripts are reviewed initially by one of the Editors and only those
papers that meet the scientific and editorial standards of the journal, and
fit within the aims and scope of the journal, will be sent for peer review.
Generally, reviews from two independent referees are required.

An announcement from SAGE published July 8 explained what happened, albeit
somewhat opaquely.

In 2013, the editor of JVC, Ali H. Nayfeh, became aware of people using
`fabricated identities' to manipulate an online system called SAGE Track by
which scholars review the work of other scholars prior to publication.

Attention focused on a researcher named Peter Chen of the National Pingtung
University of Education (NPUE) in Taiwan and “possibly other authors at
this institution.''

After a 14-month investigation, JVC determined the ring involved `aliases'
and fake e-mail addresses of reviewers—up to 130 of them—in an
apparently successful effort to get friendly reviews of submissions and as
many articles published as possible by Chen and his friends.  “On at least
one occasion, the author Peter Chen reviewed his own paper under one of the
aliases he created,'' according to the SAGE announcement.

The statement does not explain how something like this happens.  Did the
ring invent names and say they were scholars?  Did they use real names and
pretend to be other scholars?  Doesn't anyone check on these things by,
say, picking up the phone and calling the reviewer?

In any case, SAGE and Nayfeh confronted Chen to give him an “opportunity to
address the accusations of misconduct,'' the statement said, but were not
satisfied with his responses.

In May, “NPUE informed SAGE and JVC that Peter Chen had resigned from his
post on 2 February 2014.''

Each of the 60 retracted articles had at least one author and/or one
reviewer “who has been implicated in the peer review'' ring, said a
separate notice issued by JVC.

Efforts by *The Washington Post* to locate and contact Chen for comment were
unsuccessful.

The whole story is described in a publication called *Retraction
Watch* under the headline: SAGE Publications busts `peer review
and citation ring.' ''

Update: Some additional information from the SAGE statement: “As the SAGE
investigation drew to a close, in May 2014 Professor Nayfeh's retirement was
announced and he resigned his position as Editor-in-Chief of JVC.  Three
senior editors and an additional 27 associate editors with expertise and
prestige in the field have been appointed to assist with the day-to-day
running of the JVC peer review process.  Following Professor Nayfeh's
retirement announcement, the external senior editorial team will be
responsible for independent editorial control for JVC.''

Note to readers: Thanks for pointing out my grammatical error. No excuses.

Fred Barbash, the editor of Morning Mix, is a former National Editor and
London Bureau Chief for *The Washington Post*.


It's Twitter vs. Free Speech, And Free Speech Is Losing - ReadWrite

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Jul 2014 11:48:12 -0400
In Twitter's desperation to become a global competitor to Facebook, it's
running headlong into its commitment to free speech—and free speech is
losing.

http://readwrite.com/2014/05/27/twitter-pakistan-russia-blocked-tweets


"Microsoft zaps bogus SSL certs with emergency patch 2982792" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Fri, 11 Jul 2014 14:56:00 -0700
Woody Leonhard | InfoWorld, 11 Jul 2014
Security Advisory 2982792 revokes fake SSL certs for Windows
8/8.1/RT/Server 2012, but for Windows 7/Server 2008 the situation not as clear
http://www.infoworld.com/t/microsoft-windows/microsoft-zaps-bogus-ssl-certs-emergency-patch-2982792-246030

opening text:

Yesterday, Dustin Childs at the Microsoft Security Response Center advised
that Microsoft is revoking "improperly issued" SSL certificates for Google
sites and others. According to Security Advisory 2982792, the 45 bogus
certificates were issued by the National Informatics Centre, which works
under the root Certificate Authority of the Government of India Controller
of Certifying Authorities.

More troubling, the subordinate CAs could be used—indeed, may have
already been used—to issue even more bad certificates. Apparently, the
folks at Google caught the bad certs, and Yahoo is also affected.

  [Also noted by Gene Wirchenko: Woody Leonhard, InfoWorld, 14 Jul 2014
 "Black Tuesday patch KB 2962872 crashes InstallShield, causes slowdowns"
  http://www.infoworld.com/t/microsoft-windows/black-tuesday-patch-kb-2962872-crashes-installshield-causes-slowdowns-246112
  PGN]


"Horrifying confessions of a security sleuth" (Eric Knorr)

Gene Wirchenko <genew@telus.net>
Mon, 14 Jul 2014 21:15:01 -0700
Eric Knorr | InfoWorld, 14 Jul 2014
How bad is computer security in the business world?
Complete disarray, if you believe a friend of mine who's worked in the
industry forever. Behold his hair-raising tales
http://www.infoworld.com/t/security/horrifying-confessions-of-security-sleuth-246101


Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.07)

Gene Wirchenko <genew@telus.net>
Tue, 15 Jul 2014 22:03:03 -0700
      Two can play this game!  Now for the other side!

The original author got pilloried for this over on Full Disclosure, for
revealing a "bug" that's been known for around thirty years, and working
exactly as documented.  It's sad to see RISKS picking it up.

      Exactly as documented excuses anything?

If a person chops a foot off by swinging an axe around, whose fault is it?
The axe's?  The manufacturer's (both of the axe and the tool-she)?  Or,
heaven forbid, the user's fault?

      If the tool is dangerous to use and could have been designed to be
safer, then yes, the manufacturer should take the hit.  Think of product
safety recalls.  Ford Pinto, anyone?

We seem to have a culture of "It's not my fault!", and finding someone else
to blame does not bode well for the future.

      We do.  One example is blaming the user instead of correcting the
tool.  (I am sorry I gored your ox there, but it was his fault for being
there like a sitting duck.)

      I have tended to avoid C and UNIX because of the attitude to safety.


Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.06)

Michael Kohne <mhkohne@kohne.org>
Wed, 16 Jul 2014 08:20:46 -0400
Dave, not everyone in the industry has been around for 30 years to have
heard about this when it was initially noticed, nor have they deeply
contemplated the implications of wildcard behavior on their own.

It's certainly not anything new, but it's sure as anything a threat to
anyone who doesn't know about it. So bringing it up again, and possibly
giving it wide recognition is no bad thing.

I'm regularly working with people who are half my age, Dave. They don't
necessarily know about things like this because they haven't been told. And
if this kind of thing doesn't get brought up again now and then, they'll
never find out.


Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.0)6

Dave Horsfall <dave@horsfall.org>
Wed, 16 Jul 2014 07:47:28 +1000 (EST)
Again, it's not a bug but a user error, for which at least four workarounds
exist and have done so for many years.  The best one is the "--" option
(supported by all utilities using the GNU option parser) which means "no
further options beyond this point".  Thus, a safe form of the removal
command would be:

	rm <flags>—*

Unix provides a use with a toolbox, containing some sharp and heavy things.
It's not its job to protect users from themselves, but rather from each
other.


Re: Facebook purposely manipulated news feeds to experiment with users' emotions (*The Atlantic*, RISKS-28.06)

"Bill Gunshannon" <bill@cs.uofs.edu>
Tue, 8 Jul 2014 08:52:43 -0400
Lauren Weinstein <lauren@vortex.com> said:
> If this isn't enough to get you off of Facebook, frankly I don't
> know what is.

Sorry Lauren, can't agree with that, being one who's mental state is good
enough to not be that easily manipulated and who place little if any value
on anything that comes out of Facebook or any of the other meaningless Web
drivel.  I see no computer Risk in this at all.  Maybe it should have been
discussed in Psychology Today under the topic of "modern neurotics".

Bill Gunshannon, bill@cs.scranton.edu University of Scranton Scranton PA

Please report problems with the web pages to the maintainer

Top