The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 16

Tuesday 12 August 2014

Contents

Drone crashes into famed hot spring at Yellowstone National Park
Laura Zuckerman via Gene Wirchenko
Hackers Unveil Their Plan To Change E-mail Forever
Denver Nicks via Steve Goldstein
Russian Hackers Amass Over a Billion Internet Passwords
Perlroth/Gelles) via Monty Solomon
Re: Breach of 1.2 billion user names and passwords
Tice DeYoung via DF
Visit the Wrong Website, and the FBI Could End Up in Your Computer
Kevin Poulsen via Herb Lin
Russia demands Internet users show ID to access public Wifi
Reuters via Lauren Weinstein
Re: Russia+US demand users show ID to access public facilities
John Gilmore
Voice Recognition Still a Top Complaint, Study Says
Monty Solomon
NSA Is Funding a Project to Roll All Programming Languages Into One
David Farber
"On sale: False sense of Internet security, for the low, low price of $120"
Gene Wirchenko
New Site Recovers Files Locked by CryptoLocker Ransomware
Krebs via Lauren Weinstein
Top Geer: Re: Cybersecurity as Realpolitik
Henry Baker
Re: Google scanning e-mail for child porn
Michael Kohne
Michael Kohne replying to Herb Lin
Re: Computer Programming Is a Trade; Let's Act Like It
Gene Spafford
Fredric Rice
Spoofed Called ID
marty
MUST NOT say "***** REBOOT LINUX *****" before safe to do so
Dan Jacobson
Info on RISKS (comp.risks)

Drone crashes into famed hot spring at Yellowstone National Park

Gene Wirchenko <genew@telus.net>
Sun, 10 Aug 2014 18:33:08 -0700
  [Not computer-related, but this could be what the risk impact of the
  Internet of Things will be like when it gets widely to the consumer level.]

Laura Zuckerman, Reuters, 6 Aug 2014
http://www.reuters.com/article/2014/08/06/us-usa-drones-yellowstone-idUSKBN0G62I620140806

opening text:

A tourist seeking to take pictures of Yellowstone National Park crashed a
camera-equipped drone into its largest hot spring, possibly damaging the
prized geothermal feature, a park official said on Wednesday.

The incident follows the crash earlier this summer of a drone into a marina
at Yellowstone Lake and a string of radio-controlled aircraft violations at
Grand Teton National Park in Wyoming.

  [Where is the Drone Ranger when we need him?  Hi-Yo Silver, served with
  Chemo waSabe?  PGN]


Hackers Unveil Their Plan To Change E-mail Forever (Denver Nicks)

Steve Goldstein <steveg_va@comcast.net>
August 10, 2014 at 20:54:19 EDT
  (via Dewayne Hendricks via Dave Farber)

Denver Nicks, *Time*, 9 Aug 2014
<http://time.com/3096341/email-encryption-hackers/>

“They're going to keep coming after us,'' Ladar Levison, the creator of an
encrypted e-mail service used by Edward Snowden, said at Defcon Friday.

The creator of an ultra-secure e-mail service once said to be used by Edward
Snowden unveiled his next project at a major hacker conference Friday: He
and others like him want to change the very nature of e-mail forever.

Ladar Levison, creator of the Lavabit encrypted e-mail provider, was forced
in August of last year to give investigators access to an account reportedly
used by Snowden, the National Security Agency leaker, after a tug-of-war
with federal authorities. But rather than compromise the privacy of his
other 400,000-plus e-mail users, Levison says, he shut the entire project
down. A similar encrypted e-mail provider, Silent Circle, took heed and
shuttered its own service to preempt any federal authorities that might
come demanding information from it as well.

Out of those ashes, Levison and others launched the Dark Mail project,
which is developing Dime, a set of new e-mail protocols its creators hope
will revolutionize the way the world communicates online.

“If I sound a little bit upset, it's because I am,'' Levison told a packed
 ballroom Friday at Defcon, a top hacker conference held annually in Las
 Vegas, Nevada.

I'm not upset that I got railroaded and I had to shut down my business,''
said Levison.  I'm upset because we need a Mil-Spec [military grade]
cryptographic mail system for the entire planet just to be able to talk to
our friends and family without any kind of fear of government
surveillance.''

Levison devoted much of his talk to arguing there's a need for a secure
e-mailing system in a world where government entities like the NSA have broad
legal authority—and even broader technical capabilities—to conduct
surveillance en masse, both in the United States and abroad.  “With the
type of metadata collection that's going on today, we have guilt by
association, Imagine being put on a no fly list because you happen to sit
next to a criminal at a convention like this.''

Jon Callas, Chief Technology Officer of Silent Circle and a co-founder of
the Dark Mail project, told TIME that “the biggest problem we have today
with e-mail is that it was designed in the early 1970s and it was not
designed for the problems we have today. Even the standard e-mail encryption
that we have today protects the content but not the metadata.''

Metadata—information like the identity of the sender or the time and date
a message was sent—has been a key target of NSA surveillance.
“Ironically, we have been protecting the stuff that they're not
collecting,'' Callas said.

Dime uses multiple layers of cryptography—think Russian nesting dolls --
to protect an e-mail's content and metadata from beginning to end as an
e-mail is passed through the Internet from a sender to a recipient, or
recipients.  The idea is to create an e-mail system in which no service
provider has all the information about a message, so there is no entity
(like Lavabit, for example) for federal authorities to come down on. ...


Russian Hackers Amass Over a Billion Internet Passwords (Perlroth/Gelles)

Monty Solomon <monty@roscom.com>
Thu, 7 Aug 2014 00:39:53 -0400
Nicole Perlroth and David Gelles, *The New York Times*, 5 Aug 2014

A Russian crime ring has amassed the largest known collection of stolen
Internet credentials, including 1.2 billion user name and password
combinations and more than 500 million e-mail addresses, security researchers
say.

The records, discovered by Hold Security, a firm in Milwaukee, include
confidential material gathered from 420,000 websites, including household
names, and small Internet sites. Hold Security has a history of uncovering
significant hacks, including the theft last year of tens of millions of
records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements
and a reluctance to name companies whose sites remained vulnerable. At the
request of The New York Times, a security expert not affiliated with Hold
Security analyzed the database of stolen credentials and confirmed it was
authentic. Another computer crime expert who had reviewed the data, but was
not allowed to discuss it publicly, said some big companies were aware that
their records were among the stolen information. ...

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html


Re: Breach of 1.2 billion user names and passwords

"Tice DeYoung" <ticed@verizon.net>
Aug 9, 2014 7:36 PM
  [Via Dave Farber]

Back in 1994-95 we had a special Federal Networking Council group on
security dealing with this same issue.  We tried to convince the vendors to
make their hardware 'safe out-of-the-box'.  It is amazing that not much has
changed in 20 years.

  [Dave had written:]

  For the past 10+ years I have given talks that point out the serious lack
  of security in our Internet software and our computer hardware. I warned
  that as we count on the net as part of our economic , social etc. life ,
  we will regret not having paid attention to fixing these problems (which
  may be very hard to fix).

  Oh, well.
  Dave F.

Begin forwarded message:

*From: *Gordon Peterson <gep2@terabites.com>
*Subject: **Breach of 1.2 billion user names and passwords*
*Date: *August 7, 2014 at 8:02:12 PM EDT
*To: *undisclosed-recipients:;

No doubt you've already heard about this new data breach, which the news
media has been all over.

The silly thing is the implied suggestion that you ought to go to all the
sites you've got logins for and change your passwords on each one.

What the news media isn't pointing out is that there are almost half a
million sites with the vulnerabilities that these Russian cybercriminals
exploited to collect these login credentials.

Changing your login credentials, even if you did it for EVERY site you use,
doesn't really protect you very much if the cybercriminals can just go out
again to those (still-)vulnerable sites (say, next week) and re-collect the
new passwords!  The same way they got them previously.

What needs to happen is that the companies responsible for these vulnerable
website creation tools need to get busy and fix their software tools, and
then the people using that software need to apply the fixes to their
websites that they built using the vulnerable versions.

Until they (all!!) do that, changing your passwords is of very limited
value.


Visit the Wrong Website, and the FBI Could End Up in Your Computer (Kevin Poulsen)

*Herb Lin* <HLin@nas.edu>
Thursday, August 7, 2014
Kevin Poulsen, *WiReD* (via Dave Farber)
http://www.wired.com/2014/08/operation_torpedo/

Security experts call it a `drive-by download': a hacker infiltrates a
high-traffic website and then subverts it to deliver malware to every single
visitor. It's one of the most powerful tools in the black hat arsenal,
capable of delivering thousands of fresh victims into a hackers' clutches
within minutes.

Now the technique is being adopted by a different kind of a hacker—the
kind with a badge. For the last two years, the FBI has been quietly
experimenting with drive-by hacks as a solution to one of law enforcement's
knottiest Internet problems: how to identify and prosecute users of criminal
websites hiding behind the powerful Tor anonymity system.

The approach has borne fruit—over a dozen alleged users of Tor-based
child porn sites are now headed for trial as a result. But it;s also
engendering controversy, with charges that the Justice Department has
glossed over the bulk-hacking technique when describing it to judges, while
concealing its use from defendants. Critics also worry about mission creep,
the weakening of a technology relied on by human rights workers and
activists, and the potential for innocent parties to wind up infected with
government malware because they visited the wrong website.  “This is such a
big leap, there should have been congressional hearings about this,'' says
ACLU technologist Chris Soghoian, an expert on law enforcement's use of
hacking tools .  “If Congress decides this is a technique that's perfectly
appropriate, maybe that's OK. But let's have an informed debate about it.''
...

Indeed, a time for a good debate about this.  My concern is primarily the
concern for innocent parties here.  And of course it goes deeper—how does
that malware end up on my computer if I have antivirus software running?  Do
we start worrying that the provider of the malware has persuaded an AV
vendor to NOT flag a given drive-by download as hostile?  A good reason to
have second opinion AV software—one made in the US and one made, for
example, in Russia or some other nation whose interests don;t always align
with those of the US.  Of course, using Russian software makes me nervous
for other reasons—so what to do?

Any thoughts?

Herb Lin, Chief Scientist, Computer Science and Telecommunications Board
The National Academies  (202) 841-0525   http://www.cstb.org


Russia demands Internet users show ID to access public Wifi

Lauren Weinstein <lauren@vortex.com>
Fri, 8 Aug 2014 13:12:02 -0700
Reuters via NNSquad
http://www.reuters.com/article/2014/08/08/us-russia-internet-idUSKBN0G81RV20140808

  Russia further tightened its control of the Internet on Friday, requiring
  people using public Wifi hotspots provide identification, a policy that
  prompted anger from bloggers and confusion among telecom operators on how
  it would work.  The decree, signed by Prime Minister Dmitry Medvedev on
  July 31 but published online on Friday, also requires companies to declare
  who is using their web networks. The legislation caught many in the
  industry by surprise and companies said it was not clear how it would be
  enforced.  A flurry of new laws regulating Russia's once freewheeling
  Internet has been condemned by President Vladimir Putin's critics as a
  crackdown on dissent, after the websites of two of his prominent foes were
  blocked this year.  Putin, who alarmed industry leaders in April by saying
  the Internet is "a CIA project", says the laws are needed to fight
  "extremism" and "terrorism."


Re: Russia+US demand users show ID to access public facilities

"John Gilmore" <gnu@toad.com>
Aug 8, 2014 7:43 PM
US demands citizens show ID to access public transport, courts, buildings

"State driver's licenses from these 12 states and 2 territories are no
longer good enough, because those states did not sign up for DHS's National
ID effort", says DHS.  As of July 21, 2014, people from these states can no
longer enter federal property where the public can't go (e.g. they can't get
inside NASA facilities); and next year, can't enter federal property at all.
In 2016, they can't be passengers on airplanes.

The refusenik states: Alaska, Arizona, Kentucky, Louisiana, Maine,
Massachusetts, Minnesota, Montana, New Jersey, New York, Oklahoma,
Washington.  Praise these state legislatures & administrations for refusing
to conspire with the feds against their own citizenry to construct a
National ID system.  Ask your Congresspeople to repeal the Real ID Act,
which is what DHS is using to try to club these states into complying.

Of course all of this is unconstitutional; the feds can't claim that
citizens aren't allowed to travel, or attend "public" trials, because they
don't have or show a document.  That would be, uh, I'm groping for the
word... Stalinistic?  Totalitarian?

It can't happen here.  So what is this DHS page about?

http://www.dhs.gov/sites/default/files/publications/real-id-enforcement-in-brief-20140205.pdf

And this one from the National Conference of State Legislatures?

http://www.ncsl.org/research/transportation/count-down-to-real-id.aspx


Voice Recognition Still a Top Complaint, Study Says

Monty Solomon <monty@roscom.com>
Sun, 10 Aug 2014 09:59:06 -0400
A J.D. Power executive said that 32 percent of all infotainment-related complaints were a result of voice-recognition errors.
http://nyti.ms/1oqRGXC


NSA Is Funding a Project to Roll All Programming Languages Into One

"David Farber via ip" <ip@listbox.com>
Mon, 11 Aug 2014 10:12:59 -0400
http://gizmodo.com/the-nsa-is-funding-a-project-to-roll-all-programming-la-1619295603
[CHECK THIS ONE??]

Hmm, we have been there before several times. Maybe we will be *lucky* this
time djf


"On sale: False sense of Internet security, for the low, low price of $120"

Gene Wirchenko <genew@telus.net>
Mon, 11 Aug 2014 10:23:18 -0700
RISKS readers, for bringing this matter to your attention, I will graciously
accept payment of only $119 each.  Protection at a price you can afford.

Robert X. Cringely, InfoWorld, 08 Aug 2014
Is your name among the stash of 1.2 billion stolen passwords? An Internet
security firm can tell you—for pennies per day!
http://www.infoworld.com/t/cringely/sale-false-sense-of-internet-security-the-low-low-price-of-120-247977

selected text:

The Webosphere was abuzz recently with a report released by Hold Security
that more than 1 billion passwords, across 400,000-plus compromised
websites, had been stolen by a heinous and invisible Russian crime ring,
which Hold has decided to give the malevolent-sounding name of CyberVor.

Given how similar breaches seem to happen every other day, most of us took
the news on faith born from resigned despair. This crap keeps happening over
and over and over, so why start wondering now? Then Hold states it's willing
to investigate the passwords and accounts of individuals who want to know
whether they're affected, pending payment of $120 per
person/customer/sucker.

For the vast majority of us, the breach report has to be accepted on its
face, but do some digging and you'd be hard-pressed to find any news outlet
that verified Hold's claims through a third party. In fact, most used the
original New York Times story as the sole foundation for their pieces and
went on to describe other such tragic breaches, usually Target's, which was
also broken by the intrepid digital detectives at Hold.


New Site Recovers Files Locked by CryptoLocker Ransomware

Lauren Weinstein <lauren@vortex.com>
Thu, 7 Aug 2014 16:32:21 -0700
Krebs via NNSquad
http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cryptolocker-ransomware/

  "Until today, Microsoft Windows users who've been unfortunate enough to
  have the personal files on their computer encrypted and held for ransom by
  a nasty strain of malware called CryptoLocker have been faced with a tough
  choice: Pay cybercrooks a ransom of a few hundred to several thousand
  dollars to unlock the files, or kiss those files goodbye forever. That
  changed this morning, when two security firms teamed up to launch a free
  new online service that can help victims unlock and recover files
  scrambled by the malware."


Re: Google scanning e-mail for child porn (RISKS-28.13)

Michael Kohne <mhkohne@kohne.org>
Sun, 10 Aug 2014 10:59:34 -0400
Why do you immediately rule out the obvious and completely effective fix of
having Google stop conducting what appear to be searches of my private
e-mail for potential criminal activity? Frankly, the easiest solution in the
world is to forbid Google from doing this, except in the presence of an
appropriate court order.

Then the whole problem, and the whole potential 'get someone arrested by
sending them child porn' scenario goes away.

Good engineering generally means doing the simplest thing possible. And the
simplest thing possible is not searching everyone's e-mail looking for
forbidden images.

And before anyone says 'think of the children', first go read about the
regular instances of 'swatting' where a low-life sends the cops to break
down some innocent person's door. If this kind of thing is allowed to
continue, it just gets easier to get your 'enemies' arrested.


Top Geer: Re: Cybersecurity as Realpolitik (RISKS-28.15)

Henry Baker <hbaker1@pipeline.com>
Sat, 09 Aug 2014 14:16:01 -0700
FYI—Dan Geer gave an outstanding talk at Black Hat a few days ago, and
his talk is well worth reading/listening in its entirety.  Here are comments
on some of his points:

* Moore's Law has killed the House of Representatives' power of the purse.
  Surveillance has become so cheap, that cutting the budget (e.g., the Amash
  Amendment) won't do much to stop it.

http://amash.house.gov/speech/amash-nsa-amendment-fact-sheet

* Net Neutrality: Common carrier or tiered with full unlimited liability;
  ISP's can't have it both ways.  Excellent suggestion; perhaps Dan should
  be appointed to the FCC.

* Software liability: open source avoids liability; closed source, you're on
  your own with full unlimited liability; you can't have it both ways.  Once
  again, Dan nails it, but this will require substantial changes to
  copyright law.

* Embedded systems: limited lifetime or remote management; no in between.
  I'm extremely suspicious about "remote management" and who's in charge of
  that remote; I'm not at all convinced after Kindle revoked "1984" (how
  ironic was that?).

http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html

* Right to be forgotten: I vehemently disagree with Dan on this one; it is a
  recipe for democratic disaster.  George Santayana was right: "Those who
  cannot remember the past are condemned to repeat it".  Governments are the
  most likely to want to bury certain embarrassments, so the "right to be
  forgotten" is also the "road to hell"; it is paved with good intentions
  but leads to tyranny.  E.g., notice how China is so intent upon
  "forgetting" Tiananmen Square.

We've already seen govt lying about missing IRS and Obamacare e-mails.  Govt
accountability demands the ability to watch govt actions, no matter how
embarrassing.

Double-entry bookkeeping was invented to detect & prevent fraud; proper
bookkeeping relies on a _write-once_, _no erasure_ ledger system.  If
mistakes are made, offsetting entries are made to correct them, but the
historical record is preserved.

https://en.wikipedia.org/wiki/Double-entry_bookkeeping_system

If necessary, Wikipedia & Google & govts will have to create a Bitcoin-type
ledger blockchain to guarantee the no-erasure property of history:

https://en.wikipedia.org/wiki/Bitcoin

* No Internet voting.  I agree 100% with Dan on this one; however, note that
  Internet voting is incompatible with Dan's "forgetting" suggestion.

* Abandonment of source code; immediate conversion to public domain.
  Excellent suggestion; perhaps better for all sorts of "abandoned"
  copyrights, not just computer code.

* Convergence of physical space and cyberspace.  The "Death of Distance" on
  the Internet has allowed Chinese & Russian cyberwarriors & criminals into
  our homes and businesses right here in River City.  But much of the
  confusion about cybercrime & cyberwar has to do with the confusion between
  "real" property and "intellectual property" (aka patent & copyright
  monopolies).  As Thomas Jefferson put it so eloquently:

"... no one possesses the less because everyone possesses the whole of it.
He who receives an idea from me receives [it] without lessening [me], as he
who lights his [candle] at mine receives light without darkening me."

The U.S. military is full of soldiers who have made copies of mp3's/dvd's,
used BitTorrent, and sang "Happy Birthday".  How many of these soldiers are
going to make the ultimate sacrifice to protect a copyright on "Happy
Birthday", especially as their enjoyment of "Happy Birthday" is not
lessening anyone else's enjoyment of the same song ?

http://www.snopes.com/music/songs/birthday.asp


Re: Google scanning e-mail for child porn (Lin, RISKS-28.13)

Michael Kohne <mhkohne@kohne.org>
Mon, 11 Aug 2014 09:22:43 -0400
On Sun, Aug 10, 2014 at 6:13 PM, Lin, Herb <HLin@nas.edu> wrote:

> I rule it out from the beginning not because it;s necessarily the wrong
> solution, but it's just too easy.  I'm frankly tired of people taking
> absolutist stands on these points, when policy makers need to weigh
> competing interests and make decisions that in some sense address concerns
> of opposing sides—both of which are legitimate.

Absolutist stands on things like these are usually taken because they are
the only stand that can conceivably be implemented and verified.
Black-and-white 'don't do that' is easy to implement. Anything else is easy
for bad actors to subvert, weasel out of, or find a loophole in.

> Maybe we do have to choose.  But I'm not prepared to accept the
> requirement that it's one or the other without some deep analysis.

Yes, actually, we appear to have to choose. Though since we know relatively
little about what's really going on here, it's not clear that we get to
choose. Because Google is a corporation, they can pretty do what they want,
and we really don't get much of a say.

> As for the specifics, consider.
>
> 1. Google ALREADY searches your mail to serve up ads and to identify and
> segregate spam.  We accept those as features rather than as bugs.

Yes we do. Because it pays the bills. And because it can't be used to
entrap us in ways that could land us in a cell.

> 2. Google is not looking for an image.  It's looking for a particular >
> hash that corresponds to known child porn, i.e., image that have been >
> adjudicated to be CP.

An irrelevant semantic difference. Don't know why you brought it up. If you
think anyone on the law enforcement side of this equation is going to
understand the nuanced difference between a hash and the image that hash
represents, then you don't have enough contact with the real world. The law
enforcement people aren't technologists, and the concept of 'hash collision'
and how it's not proof in and of itself is not something they are going to
understand without a lot of explaining. And that doesn't happen till you've
been in jail for the better part of a year awaiting trial.

> 3. There are federal and state laws that criminalize the mere
> *possession** of CP.

Yep.

> 4. Google notifies law enforcement authorities that John Doe's e-mail
> contains a hash that is found in a database of hashes of known CP images.
> LE then gets a warrant to search the e-mail account of John Doe.

And this is where the problem lies - Google appears to have DELIBERATELY
looked for evidence of wrongdoing. If that doesn't seem substantially
different than what they do to generate ad revenue, I don't know how to
explain it to you.

> Law enforcement obtains warrants for searches on probable cause. You may
> think that having a suspect hash is not probable cause—I would disagree,
> but the real question is what the judge thinks.

It depends on how that suspicion was obtained. If there were some routine
maintenance process and Google happened to come across evidence of CP, then
fine. But it appears that they are DELIBERATELY searching for it. Which is
not that far away from a cop calling in his own 'anonymous' tip in order to
do something he wants to do.

I *do* worry about the scenario you describe.  The only foolproof solution
to that is to eliminate the law that criminalizes the possession of CP.
That's a separate issue that we could debate.  I think I'm in favor of it,
but I don't know what you would say, though I have a guess.  But there the
tradeoff is “the benefit of criminalization of CP worth the risks of
misguided prosecution'', and I would prefer not to engage that debate.  I
would MUCH rather ask “is there a way to keep the benefits of
criminalization while reducing though probably not eliminating the risks of
misguided prosecution?''

I actually have no opinion on the criminalization of the possession of CP
images. I can't conceive of how we'd test the thing, so I assume we have to
leave it in place.

All I'm saying is that having a private enterprise (which is one of the few
near-monopoly e-mail providers) be deliberately looking for evidence of
wrongdoing in order to create probable cause for a search warrant is NOT in
the best interests of a free nation. Today it's hashes of child porn
images. Tomorrow what will it be? The word 'marijuana' in an e-mail? How
about 'ecstasy'? Perhaps they should scan for passages of books and pass
that to the copyright holders? Unless the rule is "don't do that", there's
really no limit.

THAT was the basis of my original question.

> herb

Thanks!


Re: Computer Programming Is a Trade; Let's Act Like It

Gene Spafford <spaf@purdue.edu>
Sun, 10 Aug 2014 17:58:58 -0400
I hope I was not the only person who recoiled at this article in RISKS 28.14
with the statement:

  "Computer programming is now a trade that someone can develop a basic
  proficiency in within weeks or months, secure a first job, and get onto
  the same path to upward mobility offered to in-demand, highly-paid peers,
  Mims says."

    [NOTE: I was shocked by this item, and ran it with the hopes that we
    would have some strong blowback.  TNX, Spaf!  PGN]

We have a terrible problem right now with even CS students being pushed out
with insufficient training in security, privacy, and safety!  How bad are
things going to be when people are given cursory introduction to a language
and an editor, then set to work making production code?  What is being
suggested is at a level less than we even require of our first year
undergrads, and their code is not something that anyone should rely on!

The article, quoting Mr. Mims, goes on to say "He contends we have entered
an age in which demanding that every programmer has a degree is like asking
every bricklayer to have a background in architectural engineering."

This is a rather poor analogy, and demonstrates he doesn't have a clue about
the field. It is more akin to saying that every doctor doesn't need to go to
medical school—simply teach them how to cut and stitch, and write a
script for an antibiotic, then get them employed!

I will concede that some of the CS material taught to majors as part of many
degrees may not be useful in a career doing programming.  However, CS is a
LOT more than programming, and a college education is a lot more than CS!  A
CS graduate with more breadth and depth than simply vocational training is
going to have more opportunities in her/his career.  That "upward mobility"
is based on a whole lot more than simply knowing how to code PHP or C, and a
few weeks of instruction isn't going to provide it.

One of the reasons we have such lousy code is that so many people only
bother to use metrics such as time on task or time being trained—issues
of competence and quality are difficult to measure, so they are ignored.
The result is a never-ending stream of security flaws, privacy leaks, and
user frustration with things that don't work correctly.  If we start adding
more people to the mix who know even less about what makes quality
software.... ouch!


Re: Computer Programming Is a Trade; Let's Act Like It (RISKS-28.14)

Fredric Rice <fred@crystallake.name>
Fri, 08 Aug 2014 09:55:56 -0700
The article by Christopher Mims suggests that the re will be a deficit of
employees to fill an expected 1 million programming jobs in the United
States, with web site developers being the glut of those missing employees.
The article further suggests that little to none experience is needed to
fill those jobs, certainly not a software engineering or computer-related
degree.  This is the Wall Street Journal talking so it's not surprising such
nonsense would be suggested, not from a corporate arena which routinely
advocates outsourcing American jobs to third world countries which employs
the equivalent of unskilled High School students getting paid virtual slave
wages, all while managers who outsource fully expect the quality of the
software being produced to either meet engineered quality or software which
is considered “good enough.''  Within the world's glut of software being
produced daily we already have endless quality problems, software which is
produced by actual engineers, people with extensive training and experience,
people who know what they're doing and yet still get a great many things
wrong. The Wall Street Journal wants to demand that software engineering
tasks are so worthless and plebeian that anybody can do it, including
unskilled people with no experience and that's flat-out wrong, it's the
mindset of a corporate manager or board member who thinks outsourcing
American jobs actually works, not the mindset of layoff-surviving engineers
who have to take outsourced software foisted upon them by managers and try
to make it work.  If there really is a deficit of programmers on the
horizon, only skilled, experienced engineers are going to be capable of
attaining th e already-poor quality of software which is currently the
norm. Supposing that “anybody can program'' and handing the task to just
anybody is exactly how a nation fails to compete with countries that
actually pay honest wages for skilled employees.  Fredric L. Rice


Spoofed Called ID (via Dave Farber)

"marty@burack.nu" <marty@burack.nu>
August 7, 2014 at 4:48:14 PM EDT
I wonder if anyone [...] knows what it would take for telcos to block
someone from calling you showing your own spoofed caller ID aside from
the political ramifications (free speech, etc.).

I don't know how much of a problem this is becoming, but getting one call
today that spoofed my caller ID, set me off.  I listened for a few seconds
to the telemarketing recording and recognized the beginning of a pitch for
lowering our credit card interest rate.  Unfortunately, I tossed the phone
on the bed and let the message play out, instead of at least taking a crack
at trying to elicit a phone number and/or company name from whomever would
get on the line if I indicated interest.  When I came back to the phone, I
hung up and then filled out a complaint on the FCC's consumer complaint
site: https://esupport.fcc.gov/ccmsforms/form1088.action?form_type88B

The law banning this spoofing makes it illegal if it's done to "...cause any
caller identification service to knowingly transmit misleading or inaccurate
caller identification information with the intent to defraud, cause harm, or
wrongfully obtain anything of value... "  Sure, they can't even put people
in jail for the fraud committed that led to the financial collapse, much
less for something that will be this hard to prove.

I don't know if laws against identity theft might also be used, although I
doubt it.


MUST NOT say "***** REBOOT LINUX *****" before safe to do so

Dan Jacobson <jidanni@jidanni.org>
Sat, 09 Aug 2014 13:30:31 +0800
I just filed MUST NOT say "***** REBOOT LINUX *****" before safe to do so
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757543

Else clods like me wouldn't guess that fsck is still syncing as we are
talking... and obediently hit the reboot button (hey man, CAPS) and
scrambled my files :(

Please report problems with the web pages to the maintainer

Top