[Not computer-related, but this could be what the risk impact of the Internet of Things will be like when it gets widely to the consumer level.] Laura Zuckerman, Reuters, 6 Aug 2014 http://www.reuters.com/article/2014/08/06/us-usa-drones-yellowstone-idUSKBN0G62I620140806 opening text: A tourist seeking to take pictures of Yellowstone National Park crashed a camera-equipped drone into its largest hot spring, possibly damaging the prized geothermal feature, a park official said on Wednesday. The incident follows the crash earlier this summer of a drone into a marina at Yellowstone Lake and a string of radio-controlled aircraft violations at Grand Teton National Park in Wyoming. [Where is the Drone Ranger when we need him? Hi-Yo Silver, served with Chemo waSabe? PGN]
(via Dewayne Hendricks via Dave Farber) Denver Nicks, *Time*, 9 Aug 2014 <http://time.com/3096341/email-encryption-hackers/> “They're going to keep coming after us,'' Ladar Levison, the creator of an encrypted e-mail service used by Edward Snowden, said at Defcon Friday. The creator of an ultra-secure e-mail service once said to be used by Edward Snowden unveiled his next project at a major hacker conference Friday: He and others like him want to change the very nature of e-mail forever. Ladar Levison, creator of the Lavabit encrypted e-mail provider, was forced in August of last year to give investigators access to an account reportedly used by Snowden, the National Security Agency leaker, after a tug-of-war with federal authorities. But rather than compromise the privacy of his other 400,000-plus e-mail users, Levison says, he shut the entire project down. A similar encrypted e-mail provider, Silent Circle, took heed and shuttered its own service to preempt any federal authorities that might come demanding information from it as well. Out of those ashes, Levison and others launched the Dark Mail project, which is developing Dime, a set of new e-mail protocols its creators hope will revolutionize the way the world communicates online. “If I sound a little bit upset, it's because I am,'' Levison told a packed ballroom Friday at Defcon, a top hacker conference held annually in Las Vegas, Nevada. “I'm not upset that I got railroaded and I had to shut down my business,'' said Levison. “I'm upset because we need a Mil-Spec [military grade] cryptographic mail system for the entire planet just to be able to talk to our friends and family without any kind of fear of government surveillance.'' Levison devoted much of his talk to arguing there's a need for a secure e-mailing system in a world where government entities like the NSA have broad legal authority—and even broader technical capabilities—to conduct surveillance en masse, both in the United States and abroad.
“With the type of metadata collection that's going on today, we have guilt by association. Imagine being put on a no-fly list because you happen to sit next to a criminal at a convention like this.'' Jon Callas, Chief Technology Officer of Silent Circle and a co-founder of the Dark Mail project, told TIME that “the biggest problem we have today with e-mail is that it was designed in the early 1970s and it was not designed for the problems we have today. Even the standard e-mail encryption that we have today protects the content but not the metadata.'' Metadata—information like the identity of the sender or the time and date a message was sent—has been a key target of NSA surveillance. “Ironically, we have been protecting the stuff that they're not collecting,'' Callas said. Dime uses multiple layers of cryptography (think Russian nesting dolls) to protect an e-mail's content and metadata from beginning to end as an e-mail is passed through the Internet from a sender to a recipient, or recipients. The idea is to create an e-mail system in which no service provider has all the information about a message, so there is no entity (like Lavabit, for example) for federal authorities to come down on. ...
Nicole Perlroth and David Gelles, *The New York Times*, 5 Aug 2014 A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million e-mail addresses, security researchers say. The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems. Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information. ... http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html
[Via Dave Farber] Back in 1994-95 we had a special Federal Networking Council group on security dealing with this same issue. We tried to convince the vendors to make their hardware 'safe out-of-the-box'. It is amazing that not much has changed in 20 years. [Dave had written:] For the past 10+ years I have given talks that point out the serious lack of security in our Internet software and our computer hardware. I warned that as we count on the net as part of our economic, social, etc. life, we will regret not having paid attention to fixing these problems (which may be very hard to fix). Oh, well. Dave F. Begin forwarded message: *From: *Gordon Peterson <email@example.com> *Subject: **Breach of 1.2 billion user names and passwords* *Date: *August 7, 2014 at 8:02:12 PM EDT *To: *undisclosed-recipients:; No doubt you've already heard about this new data breach, which the news media has been all over. The silly thing is the implied suggestion that you ought to go to all the sites you've got logins for and change your passwords on each one. What the news media isn't pointing out is that there are almost half a million sites with the vulnerabilities that these Russian cybercriminals exploited to collect these login credentials. Changing your login credentials, even if you did it for EVERY site you use, doesn't really protect you very much if the cybercriminals can just go out again to those (still-)vulnerable sites (say, next week) and re-collect the new passwords, the same way they got them previously. What needs to happen is that the companies responsible for these vulnerable website creation tools need to get busy and fix their software tools, and then the people using that software need to apply the fixes to their websites that they built using the vulnerable versions. Until they (all!!) do that, changing your passwords is of very limited value.
Kevin Poulsen, *WiReD* (via Dave Farber) http://www.wired.com/2014/08/operation_torpedo/ Security experts call it a `drive-by download': a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It's one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers' clutches within minutes. Now the technique is being adopted by a different kind of a hacker—the kind with a badge. For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement's knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it's also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants. Critics also worry about mission creep, the weakening of a technology relied on by human rights workers and activists, and the potential for innocent parties to wind up infected with government malware because they visited the wrong website. “This is such a big leap, there should have been congressional hearings about this,'' says ACLU technologist Chris Soghoian, an expert on law enforcement's use of hacking tools. “If Congress decides this is a technique that's perfectly appropriate, maybe that's OK. But let's have an informed debate about it.'' ... Indeed, a time for a good debate about this. My concern is primarily the concern for innocent parties here. And of course it goes deeper—how does that malware end up on my computer if I have antivirus software running? Do we start worrying that the provider of the malware has persuaded an AV vendor to NOT flag a given drive-by download as hostile?
A good reason to have second-opinion AV software—one made in the US and one made, for example, in Russia or some other nation whose interests don't always align with those of the US. Of course, using Russian software makes me nervous for other reasons—so what to do? Any thoughts? Herb Lin, Chief Scientist, Computer Science and Telecommunications Board, The National Academies (202) 841-0525 http://www.cstb.org
Reuters via NNSquad http://www.reuters.com/article/2014/08/08/us-russia-internet-idUSKBN0G81RV20140808 Russia further tightened its control of the Internet on Friday, requiring people using public Wifi hotspots provide identification, a policy that prompted anger from bloggers and confusion among telecom operators on how it would work. The decree, signed by Prime Minister Dmitry Medvedev on July 31 but published online on Friday, also requires companies to declare who is using their web networks. The legislation caught many in the industry by surprise and companies said it was not clear how it would be enforced. A flurry of new laws regulating Russia's once freewheeling Internet has been condemned by President Vladimir Putin's critics as a crackdown on dissent, after the websites of two of his prominent foes were blocked this year. Putin, who alarmed industry leaders in April by saying the Internet is "a CIA project", says the laws are needed to fight "extremism" and "terrorism."
US demands citizens show ID to access public transport, courts, buildings "State driver's licenses from these 12 states and 2 territories are no longer good enough, because those states did not sign up for DHS's National ID effort", says DHS. As of July 21, 2014, people from these states can no longer enter federal property where the public can't go (e.g. they can't get inside NASA facilities); and next year, can't enter federal property at all. In 2016, they can't be passengers on airplanes. The refusenik states: Alaska, Arizona, Kentucky, Louisiana, Maine, Massachusetts, Minnesota, Montana, New Jersey, New York, Oklahoma, Washington. Praise these state legislatures & administrations for refusing to conspire with the feds against their own citizenry to construct a National ID system. Ask your Congresspeople to repeal the Real ID Act, which is what DHS is using to try to club these states into complying. Of course all of this is unconstitutional; the feds can't claim that citizens aren't allowed to travel, or attend "public" trials, because they don't have or show a document. That would be, uh, I'm groping for the word... Stalinistic? Totalitarian? It can't happen here. So what is this DHS page about? http://www.dhs.gov/sites/default/files/publications/real-id-enforcement-in-brief-20140205.pdf And this one from the National Conference of State Legislatures? http://www.ncsl.org/research/transportation/count-down-to-real-id.aspx
A J.D. Power executive said that 32 percent of all infotainment-related complaints were a result of voice-recognition errors. http://nyti.ms/1oqRGXC
http://gizmodo.com/the-nsa-is-funding-a-project-to-roll-all-programming-la-1619295603 [CHECK THIS ONE??] Hmm, we have been there before several times. Maybe we will be *lucky* this time djf
RISKS readers, for bringing this matter to your attention, I will graciously accept payment of only $119 each. Protection at a price you can afford. Robert X. Cringely, InfoWorld, 08 Aug 2014 Is your name among the stash of 1.2 billion stolen passwords? An Internet security firm can tell you—for pennies per day! http://www.infoworld.com/t/cringely/sale-false-sense-of-internet-security-the-low-low-price-of-120-247977 selected text: The Webosphere was abuzz recently with a report released by Hold Security that more than 1 billion passwords, across 400,000-plus compromised websites, had been stolen by a heinous and invisible Russian crime ring, which Hold has decided to give the malevolent-sounding name of CyberVor. Given how similar breaches seem to happen every other day, most of us took the news on faith born from resigned despair. This crap keeps happening over and over and over, so why start wondering now? Then Hold states it's willing to investigate the passwords and accounts of individuals who want to know whether they're affected, pending payment of $120 per person/customer/sucker. For the vast majority of us, the breach report has to be accepted on its face, but do some digging and you'd be hard-pressed to find any news outlet that verified Hold's claims through a third party. In fact, most used the original New York Times story as the sole foundation for their pieces and went on to describe other such tragic breaches, usually Target's, which was also broken by the intrepid digital detectives at Hold.
Krebs via NNSquad http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cryptolocker-ransomware/ "Until today, Microsoft Windows users who've been unfortunate enough to have the personal files on their computer encrypted and held for ransom by a nasty strain of malware called CryptoLocker have been faced with a tough choice: Pay cybercrooks a ransom of a few hundred to several thousand dollars to unlock the files, or kiss those files goodbye forever. That changed this morning, when two security firms teamed up to launch a free new online service that can help victims unlock and recover files scrambled by the malware."
Why do you immediately rule out the obvious and completely effective fix of having Google stop conducting what appear to be searches of my private e-mail for potential criminal activity? Frankly, the easiest solution in the world is to forbid Google from doing this, except in the presence of an appropriate court order. Then the whole problem, and the whole potential 'get someone arrested by sending them child porn' scenario goes away. Good engineering generally means doing the simplest thing possible. And the simplest thing possible is not searching everyone's e-mail looking for forbidden images. And before anyone says 'think of the children', first go read about the regular instances of 'swatting' where a low-life sends the cops to break down some innocent person's door. If this kind of thing is allowed to continue, it just gets easier to get your 'enemies' arrested.
FYI—Dan Geer gave an outstanding talk at Black Hat a few days ago, and his talk is well worth reading/listening in its entirety. Here are comments on some of his points: * Moore's Law has killed the House of Representatives' power of the purse. Surveillance has become so cheap, that cutting the budget (e.g., the Amash Amendment) won't do much to stop it. http://amash.house.gov/speech/amash-nsa-amendment-fact-sheet * Net Neutrality: Common carrier or tiered with full unlimited liability; ISP's can't have it both ways. Excellent suggestion; perhaps Dan should be appointed to the FCC. * Software liability: open source avoids liability; closed source, you're on your own with full unlimited liability; you can't have it both ways. Once again, Dan nails it, but this will require substantial changes to copyright law. * Embedded systems: limited lifetime or remote management; no in between. I'm extremely suspicious about "remote management" and who's in charge of that remote; I'm not at all convinced after Kindle revoked "1984" (how ironic was that?). http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html * Right to be forgotten: I vehemently disagree with Dan on this one; it is a recipe for democratic disaster. George Santayana was right: "Those who cannot remember the past are condemned to repeat it". Governments are the most likely to want to bury certain embarrassments, so the "right to be forgotten" is also the "road to hell"; it is paved with good intentions but leads to tyranny. E.g., notice how China is so intent upon "forgetting" Tiananmen Square. We've already seen govt lying about missing IRS and Obamacare e-mails. Govt accountability demands the ability to watch govt actions, no matter how embarrassing. Double-entry bookkeeping was invented to detect & prevent fraud; proper bookkeeping relies on a _write-once_, _no erasure_ ledger system. If mistakes are made, offsetting entries are made to correct them, but the historical record is preserved. 
https://en.wikipedia.org/wiki/Double-entry_bookkeeping_system If necessary, Wikipedia & Google & govts will have to create a Bitcoin-type ledger blockchain to guarantee the no-erasure property of history: https://en.wikipedia.org/wiki/Bitcoin * No Internet voting. I agree 100% with Dan on this one; however, note that Internet voting is incompatible with Dan's "forgetting" suggestion. * Abandonment of source code; immediate conversion to public domain. Excellent suggestion; perhaps better for all sorts of "abandoned" copyrights, not just computer code. * Convergence of physical space and cyberspace. The "Death of Distance" on the Internet has allowed Chinese & Russian cyberwarriors & criminals into our homes and businesses right here in River City. But much of the confusion about cybercrime & cyberwar has to do with the confusion between "real" property and "intellectual property" (aka patent & copyright monopolies). As Thomas Jefferson put it so eloquently: "... no one possesses the less because everyone possesses the whole of it. He who receives an idea from me receives [it] without lessening [me], as he who lights his [candle] at mine receives light without darkening me." The U.S. military is full of soldiers who have made copies of mp3's/dvd's, used BitTorrent, and sang "Happy Birthday". How many of these soldiers are going to make the ultimate sacrifice to protect a copyright on "Happy Birthday", especially as their enjoyment of "Happy Birthday" is not lessening anyone else's enjoyment of the same song ? http://www.snopes.com/music/songs/birthday.asp
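The write-once, no-erasure ledger described above can be illustrated with a small hash-chained append-only log. This is an added example, not code from the RISKS post or from any of the projects it names: each entry commits to the SHA-256 of its predecessor, a mistake is fixed by appending an offsetting entry rather than editing the record, and rewriting an old entry in place breaks the chain. The account names, amounts and memos are constructed sample data.

```python
"""Append-only, hash-chained ledger: corrections by offsetting entry, erasure detected."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    account: str
    amount: int       # integer cents; negative values are debits or offsets
    memo: str
    prev_hash: str    # SHA-256 hex digest of the preceding entry

    def digest(self) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        payload = json.dumps(
            [self.seq, self.account, self.amount, self.memo, self.prev_hash],
            separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def append(self, account: str, amount: int, memo: str) -> Entry:
        prev = self._entries[-1].digest() if self._entries else GENESIS
        entry = Entry(len(self._entries), account, amount, memo, prev)
        self._entries.append(entry)
        return entry

    def correct(self, seq: int, memo: str) -> Entry:
        """Reverse a mistaken entry by appending its offset; the original stays."""
        bad = self._entries[seq]
        return self.append(bad.account, -bad.amount, f"offset #{seq}: {memo}")

    def balance(self, account: str) -> int:
        return sum(e.amount for e in self._entries if e.account == account)

    def head(self) -> str:
        """Digest of the latest entry; publish this so the tail cannot be rewritten."""
        return self._entries[-1].digest() if self._entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> bool:
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.seq != i or e.prev_hash != prev:
                return False  # a predecessor was altered or an entry was dropped
            prev = e.digest()
        return expected_head is None or prev == expected_head

    def entries(self) -> List[Entry]:
        return list(self._entries)

    def tamper(self, seq: int, new_amount: int) -> None:
        """Simulate an in-place edit of history (demonstration only)."""
        old = self._entries[seq]
        self._entries[seq] = Entry(old.seq, old.account, new_amount, old.memo, old.prev_hash)


def demo() -> Tuple[int, bool, int]:
    """Returns (balance after correction, verify() after tampering, entry count)."""
    led = Ledger()
    led.append("cash", 10_000, "opening balance")      # constructed sample data
    led.append("cash", -2_500, "rent")                  # mistake: rent was 2_000
    led.correct(1, "rent misposted")                    # offsetting entry, no erasure
    led.append("cash", -2_000, "rent (corrected)")
    published_head = led.head()
    assert led.verify(published_head)
    bal = led.balance("cash")                           # 10000 - 2500 + 2500 - 2000
    led.tamper(1, -2_000)                               # try to erase the mistake instead
    return bal, led.verify(published_head), len(led.entries())


if __name__ == "__main__":
    print(demo())  # (8000, False, 4)
```

The published head digest matters: without it, rewriting the most recent entry would pass verification because no later entry commits to it, which is exactly the role a widely replicated block hash plays in Bitcoin's ledger.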
On Sun, Aug 10, 2014 at 6:13 PM, Lin, Herb <HLin@nas.edu> wrote: > I rule it out from the beginning not because it's necessarily the wrong > solution, but it's just too easy. I'm frankly tired of people taking > absolutist stands on these points, when policy makers need to weigh > competing interests and make decisions that in some sense address concerns > of opposing sides—both of which are legitimate. Absolutist stands on things like these are usually taken because they are the only stand that can conceivably be implemented and verified. Black-and-white 'don't do that' is easy to implement. Anything else is easy for bad actors to subvert, weasel out of, or find a loophole in. > Maybe we do have to choose. But I'm not prepared to accept the > requirement that it's one or the other without some deep analysis. Yes, actually, we appear to have to choose. Though since we know relatively little about what's really going on here, it's not clear that we get to choose. Because Google is a corporation, they can pretty much do what they want, and we really don't get much of a say. > As for the specifics, consider. > > 1. Google ALREADY searches your mail to serve up ads and to identify and > segregate spam. We accept those as features rather than as bugs. Yes we do. Because it pays the bills. And because it can't be used to entrap us in ways that could land us in a cell. > 2. Google is not looking for an image. It's looking for a particular > hash that corresponds to known child porn, i.e., images that have been > adjudicated to be CP. An irrelevant semantic difference. Don't know why you brought it up. If you think anyone on the law enforcement side of this equation is going to understand the nuanced difference between a hash and the image that hash represents, then you don't have enough contact with the real world.
The law enforcement people aren't technologists, and the concept of 'hash collision' and how it's not proof in and of itself is not something they are going to understand without a lot of explaining. And that doesn't happen till you've been in jail for the better part of a year awaiting trial. > 3. There are federal and state laws that criminalize the mere > *possession** of CP. Yep. > 4. Google notifies law enforcement authorities that John Doe's e-mail > contains a hash that is found in a database of hashes of known CP images. > LE then gets a warrant to search the e-mail account of John Doe. And this is where the problem lies - Google appears to have DELIBERATELY looked for evidence of wrongdoing. If that doesn't seem substantially different than what they do to generate ad revenue, I don't know how to explain it to you. > Law enforcement obtains warrants for searches on probable cause. You may > think that having a suspect hash is not probable cause—I would disagree, > but the real question is what the judge thinks. It depends on how that suspicion was obtained. If there were some routine maintenance process and Google happened to come across evidence of CP, then fine. But it appears that they are DELIBERATELY searching for it. Which is not that far away from a cop calling in his own 'anonymous' tip in order to do something he wants to do. I *do* worry about the scenario you describe. The only foolproof solution to that is to eliminate the law that criminalizes the possession of CP. That's a separate issue that we could debate. I think I'm in favor of it, but I don't know what you would say, though I have a guess. But there the tradeoff is “the benefit of criminalization of CP worth the risks of misguided prosecution'', and I would prefer not to engage that debate. 
I would MUCH rather ask “is there a way to keep the benefits of criminalization while reducing though probably not eliminating the risks of misguided prosecution?'' I actually have no opinion on the criminalization of the possession of CP images. I can't conceive of how we'd test the thing, so I assume we have to leave it in place. All I'm saying is that having a private enterprise (which is one of the few near-monopoly e-mail providers) be deliberately looking for evidence of wrongdoing in order to create probable cause for a search warrant is NOT in the best interests of a free nation. Today it's hashes of child porn images. Tomorrow what will it be? The word 'marijuana' in an e-mail? How about 'ecstasy'? Perhaps they should scan for passages of books and pass that to the copyright holders? Unless the rule is "don't do that", there's really no limit. THAT was the basis of my original question. > herb Thanks!
I hope I was not the only person who recoiled at this article in RISKS 28.14 with the statement: "Computer programming is now a trade that someone can develop a basic proficiency in within weeks or months, secure a first job, and get onto the same path to upward mobility offered to in-demand, highly-paid peers, Mims says." [NOTE: I was shocked by this item, and ran it with the hopes that we would have some strong blowback. TNX, Spaf! PGN] We have a terrible problem right now with even CS students being pushed out with insufficient training in security, privacy, and safety! How bad are things going to be when people are given cursory introduction to a language and an editor, then set to work making production code? What is being suggested is at a level less than we even require of our first year undergrads, and their code is not something that anyone should rely on! The article, quoting Mr. Mims, goes on to say "He contends we have entered an age in which demanding that every programmer has a degree is like asking every bricklayer to have a background in architectural engineering." This is a rather poor analogy, and demonstrates he doesn't have a clue about the field. It is more akin to saying that every doctor doesn't need to go to medical school—simply teach them how to cut and stitch, and write a script for an antibiotic, then get them employed! I will concede that some of the CS material taught to majors as part of many degrees may not be useful in a career doing programming. However, CS is a LOT more than programming, and a college education is a lot more than CS! A CS graduate with more breadth and depth than simply vocational training is going to have more opportunities in her/his career. That "upward mobility" is based on a whole lot more than simply knowing how to code PHP or C, and a few weeks of instruction isn't going to provide it. 
One of the reasons we have such lousy code is that so many people only bother to use metrics such as time on task or time being trained—issues of competence and quality are difficult to measure, so they are ignored. The result is a never-ending stream of security flaws, privacy leaks, and user frustration with things that don't work correctly. If we start adding more people to the mix who know even less about what makes quality software.... ouch!
The article by Christopher Mims suggests that there will be a deficit of employees to fill an expected 1 million programming jobs in the United States, with web site developers being the glut of those missing employees. The article further suggests that little to no experience is needed to fill those jobs, certainly not a software engineering or computer-related degree. This is the Wall Street Journal talking so it's not surprising such nonsense would be suggested, not from a corporate arena which routinely advocates outsourcing American jobs to third world countries which employ the equivalent of unskilled High School students getting paid virtual slave wages, all while managers who outsource fully expect the quality of the software being produced to either meet engineered quality or software which is considered “good enough.'' Within the world's glut of software being produced daily we already have endless quality problems, software which is produced by actual engineers, people with extensive training and experience, people who know what they're doing and yet still get a great many things wrong. The Wall Street Journal wants to demand that software engineering tasks are so worthless and plebeian that anybody can do it, including unskilled people with no experience, and that's flat-out wrong; it's the mindset of a corporate manager or board member who thinks outsourcing American jobs actually works, not the mindset of layoff-surviving engineers who have to take outsourced software foisted upon them by managers and try to make it work. If there really is a deficit of programmers on the horizon, only skilled, experienced engineers are going to be capable of attaining the already-poor quality of software which is currently the norm. Supposing that “anybody can program'' and handing the task to just anybody is exactly how a nation fails to compete with countries that actually pay honest wages for skilled employees. Fredric L. Rice
I wonder if anyone [...] knows what it would take for telcos to block someone from calling you showing your own spoofed caller ID aside from the political ramifications (free speech, etc.). I don't know how much of a problem this is becoming, but getting one call today that spoofed my caller ID, set me off. I listened for a few seconds to the telemarketing recording and recognized the beginning of a pitch for lowering our credit card interest rate. Unfortunately, I tossed the phone on the bed and let the message play out, instead of at least taking a crack at trying to elicit a phone number and/or company name from whomever would get on the line if I indicated interest. When I came back to the phone, I hung up and then filled out a complaint on the FCC's consumer complaint site: https://esupport.fcc.gov/ccmsforms/form1088.action?form_type88B The law banning this spoofing makes it illegal if it's done to "...cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value... " Sure, they can't even put people in jail for the fraud committed that led to the financial collapse, much less for something that will be this hard to prove. I don't know if laws against identity theft might also be used, although I doubt it.
I just filed MUST NOT say "***** REBOOT LINUX *****" before safe to do so https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757543 Else clods like me wouldn't guess that fsck is still syncing as we are talking... and obediently hit the reboot button (hey man, CAPS) and scrambled my files :(