The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 19

Thursday 21 August 2014

Contents

Computer Eyesight Gets a Lot More Accurate
John Markoff via Dewayne Hendricks
This chart shows the world's Internet usage shifting to smartphones
Jon Russell via Dewayne Hendricks
Hacking Traffic Lights is Amazingly Really Easy
David Farber
How to Save the Net: Don't Give In to Big ISPs
Reed Hastings via NNSquad
Customer data may have been exposed by malware at UPS stores in 24 states
HuffPost via David Farber
Leaked Docs Show Spyware Used to Snoop on U.S. Computers
Propublica via Monty Solomon
Google Map Tracks Your Every Move. Check Your 'Location History' to Verify It
David Farber
Microsoft yanks botched Black Tuesday patches KB 2982791, KB 2970228, KB 2975719, and KB 2975331
Woody Leonhard via Gene Wirchenko
Re: Pervasive Medicare Fraud Proves Hard to Stop
Abelson/Lichtblau via Kevin Fu
Re: Human cryptography is the key to online voting
Lyndon Nerenberg
Re: Lawful Hacking ...
Eric Amick
Re: Google scanning e-mail
Dimitri Maziuk
Re: Some taking a hard line against paying by E-ZPass
Stephen Bryant
Re: Cybersecurity as Realpolitik: Black Hat keynote
Alister Wm Macintyre
Re: Breach of 1.2 billion user names and passwords
Alister Wm Macintyre
Info on RISKS (comp.risks)

Computer Eyesight Gets a Lot More Accurate (John Markoff)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Tuesday, August 19, 2014
John Markoff, *The New York Times*, 18 Aug 2014 (via Dave Farber)

http://bits.blogs.nytimes.com/2014/08/18/computer-eyesight-gets-a-lot-more-accurate/

Just as the Big Bad Wolf promised Little Red Riding Hood that his bigger
eyes were “the better to see you with,'' a machine's ability to see the
world around it is benefiting from bigger computers and more accurate
mathematical calculations.

The improvement was visible in contest results released Monday evening by
computer scientists and companies that sponsor an annual challenge to
measure improvements in the state of machine vision technology.

Started in 2010 by Stanford, Princeton and Columbia University scientists,
the Large Scale Visual Recognition Challenge this year drew 38 entrants from
13 countries. The groups use advanced software, in most cases modeled
loosely on the biological vision systems, to detect, locate and classify a
huge set of images taken from Internet sources like Twitter. The contest was
sponsored this year by Google, Stanford, Facebook and the University of
North Carolina.

Contestants run their recognition programs on high-performance computers
based in many cases on specialized processors called GPUs, for graphic
processing units.

This year there were six categories based on object detection, locating
objects and classifying them. Winners included the National University of
Singapore, the Oxford University, Adobe Systems, the Center for Intelligent
Perception and Computing at the Chinese Academy of Sciences, as well as
Google in two separate categories.

Accuracy almost doubled in the 2014 competition and error rates were cut in
half, according to the conference organizers.

“This year is really what I consider a historical year for the challenge,''
said Fei-Fei Li, the director of the Stanford Artificial Intelligence
Laboratory and one of the creators of a vast set of labeled digital images
that is the basis for the contest.  “What really excites us is that
performance has taken a huge leap.''

Despite the fact that contest is based on pattern recognition software that
can be `trained' to recognize objects in digital images, the contest itself
is made possible by the Imagenet database, an immense collection of more
than 14 million images that have been identified by humans. The Imagenet
database is publicly available to researchers at http://image-net.org/.

In the five years that the contest has been held, the organizers have twice,
once in 2012 and again this year, seen striking improvements in accuracy,
accompanied by more sophisticated algorithms and larger and faster
computers.

In 2012 the contest was won by Geoffrey E. Hinton, a cognitive scientist at
the University of Toronto, and two of his students. Mr. Hinton is a pioneer
in the field of artificial neural networks, and in 2013 he joined Google
with his students Alex Krizhevsky and Ilya Sutskever.

This year the entrants had the option of either disclosing the details of
their algorithms or keeping them proprietary, and all of the winning groups
chose to share details of their technical innovations. That was significant,
according to Dr. Li, because it is possible to move quickly from research to
commercial applications.

Machine vision has countless applications, including computer gaming,
medical diagnosis, factory robotics and automotive safety systems. Recently
a number of car makers have added the ability to recognize pedestrians and
bicyclists and stop automatically without driver intervention. [...]


This chart shows the world's Internet usage shifting to smartphones (Jon Russell)

Dewayne Hendricks <dewayne@warpspeed.com>
August 19, 2014 at 11:35:40 AM EDT
This chart shows the world's Internet usage shifting to smartphones
Jon Russell, The Next Web, 19 Aug 2014 (via Dave Farber)

<http://thenextweb.com/shareables/2014/08/19/watch-world-move-towards-smartphones-one-simple-chart/>

It's well known that mobile phones are increasingly the primary device for
accessing the Internet across the world. Here's a great way to illustrate
that using Google's Public Data service.

Plotting smartphone usage against PC usage produces this fascinating chart
which literally shows the rise of smartphone usage over the past three
years.

It's worth bearing in mind that this data comes from TNS Germany—which,
though a reputable source of information, means there may be anomalies.
Nonetheless, it demonstrates one of the most important technological trends
of the decade. ...


Hacking Traffic Lights is Amazingly Really Easy

"David Farber via ip" <ip@listbox.com>
Thu, 21 Aug 2014 11:58:07 -0400
http://thehackernews.com/2014/08/hacking-traffic-lights-is-amazingly_20.html


How to Save the Net: Don't Give In to Big ISPs (Reed Hastings)

Lauren Weinstein <lauren@vortex.com>
Tue, 19 Aug 2014 17:58:06 -0700
  "It's worth noting that Netflix connects directly with hundreds of ISPs
  globally, and 99 percent of those agreements don't involve access fees. It
  is only a handful of the largest U.S. ISPs, which control the majority of
  consumer connections, demanding this toll. Why would more profitable,
  larger companies charge for connections and capacity that smaller
  companies provide for free? Because they can.  This is the reason we have
  opposed Comcast's proposed acquisition of Time Warner Cable. Comcast has
  already shown the ability to use its market position to require access
  fees, as evidenced by the Netflix congestion that cleared up as soon as we
  reached an agreement with them. A combined company that controls over half
  of US residential Internet connections would have even greater incentive
  to wield this power."
    Reed Hastings, WiReD via NNSquad,
    http://www.wired.com/2014/08/save-the-net-reed-hastings/


Customer data may have been exposed by malware at UPS stores in 24 states (HuffPost)

"David Farber via ip" <ip@listbox.com>
Thu, 21 Aug 2014 10:05:12 -0400
This is getting boring . djf

http://www.huffingtonpost.com/2014/08/21/malware-breach-ups_n_5697157.html


Leaked Docs Show Spyware Used to Snoop on U.S. Computers

Monty Solomon <monty@roscom.com>
Thu, 21 Aug 2014 01:10:41 -0400
http://www.propublica.org/article/leaked-docs-show-spyware-used-to-snoop-on-u.s.-computers


Google Map Tracks Your Every Move. Check Your 'Location History' to Verify It

"David Farber via ip" <ip@listbox.com>
Thu, 21 Aug 2014 12:02:11 -0400
There is the url in the news item on how to check your history. djf

http://thehackernews.com/2014/08/google-map-tracks-your-every-move-check.html

"Google has been involved in several controversies including among the
companies that was claimed to cooperate with US surveillance agencies on
their global data-mining programmes, and just yesterday the popular Media
tycoon Rupert Murdoch labeled Google worse than the NSA, saying “NSA
privacy invasion bad, but nothing compared to Google.''

Now another, but already known controversy over the Internet giant has
raised many concerns over privacy of users who carry their smartphones with
them. We all have sensors in our pockets that track us everywhere we go
i.e., Smartphones.

GOOGLE TRACKS YOU EVERYWHERE YOU GO.


Microsoft yanks botched Black Tuesday patches KB 2982791, KB 2970228, KB 2975719, and KB 2975331 (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Tue, 19 Aug 2014 10:19:56 -0700
Woody Leonhard | InfoWorld, 18 Aug 2014
Microsoft recommends that users uninstall last week's update—even
if their machines are working fine
http://www.infoworld.com/t/microsoft-windows/microsoft-yanks-botched-black-tuesday-patches-kb-2982791-kb-2970228-kb-2975719-and-kb-2975331-248582

selected text:

The problems are so bad that you'd be well-advised to uninstall the
offending Automatic Update patches, even if your machine is working fine at
the moment. It's possible, but by no means certain, that as long as the bad
patches are at work, installing certain applications or modifying your fonts
in specific odd (but entirely legitimate) ways may brick your
machine. Microsoft buries that recommendation in the fine print of its FAQ
for MS14-045.


Re: Pervasive Medicare Fraud Proves Hard to Stop (Abelson/Lichtblau)

Kevin Fu <kevinfu@umich.edu>
Tue, 19 Aug 2014 01:53:11 -0400
This *NYTimes* article focuses on the dramatic part of Medicare fraud---the
horse-out-of-the-barn scenario of catching bad guys red handed.  But the
problem is more interesting than that, but perhaps less dramatic.  If you
read the GAO reports or attend the House hearings, you'll find that the
problem breaks down into subtle terms of:

  Fraud.
  Waste.
  Abuse.

One of the more effective mitigation strategies mentioned in the GAO report
is the use of stronger registration controls and vetting of new vendors
(stop the bad guys from setting up shop), and the use of surety bonds (make
the bad guy take a risk).  The surety bonds are not sexy, but they can be
more effective than just chasing horses.  However, there will always be some
horses to chase I suppose.

U.S. GAO reports:
http://www.gao.gov/assets/670/664381.pdf
http://www.gao.gov/products/GAO-11-409T

My U.S. House testimony:
http://energycommerce.house.gov/hearing/examining-options-combat-health-care-waste-fraud-and-abuse


Re: Human cryptography is the key to online voting (RISKS-28.18)

Lyndon Nerenberg <lyndon@orthanc.ca>
Mon, 18 Aug 2014 15:31:02 -0700
> who has received an Australian Research Council Future Fellowship worth
> almost $800,000 to build user-owned passwords.  PGN]

The dollar value of the award validates the worthiness of his words?
You know better than that.


Re: Lawful Hacking ... (RISKS-28.19)

Eric Amick <eric.amick@verizon.net>
Mon, 18 Aug 2014 17:03:35 -0400
... Using Existing Vulnerabilities for Wiretapping the Internet

> As Dietrich Bonhoeffer, ... famously noted:

It was Martin Niemöller.


Re: Google scanning e-mail (Brown, RISKS-28.18)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Mon, 18 Aug 2014 18:39:02 -0500
> Should Google be looking for drug deals, too?

Yes. Once they can tell drug deals from discounted generic pills, they
should be looking. To improve the targeting of their advertising.

Because you want fewer false positives, you want to be able to tell a drug
dealer from a diabetic looking for insulin. Or a pedophile from a young
mother shopping for pampers.

Because computers are stupid, all they can do is search for patterns in a
stream of e-mails. You have to figure out what the pattern means. You have
to tell them: this pattern is X, that one's Y. This one we want for ads,
that one we're legally required to report to LEAs.

It has nothing to do with what you might think reprehensible or illegal,
sorry.

Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu


Re: Some taking a hard line against paying by E-ZPass (Reisert, RISKS-28.17)

<Stephen.Bryant@sungard.com>
Tue, 19 Aug 2014 14:40:49 +0000
I am not one of those who is worried about EZ-Pass.  I have used it since
2001 and it has saved me countless long waits for a toll booth.  Yes, they
know where I've been, but at least I know that they know.

But I have sometimes used the cash lane instead.  There have been times when
the EZ-Pass-only lanes have been jammed up, and I'd rather pay cash (this is
an xor choice on the Mass Pike) than be one of dozens of cars merging and
creeping though an overcrowded lane.

So I vote for keeping both.


Re: Cybersecurity as Realpolitik: Black Hat keynote (Gold, R-28.18)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 19 Aug 2014 14:19:07 -0500
Barry Gold wrote about the importance of a right to start over with a
replacement Internet identity.

* So that's what we need.  A right to change your name and start over,
  possibly in a new place or at least a new website and/or ISP.  Yes?

I saw some time ago that there was some move from governments to make it
illegal for a person to give false information about who they are, to any
Internet service.  Could someone point me at a url with an update on whether
that is still a real threat?

There are long standing needs in the physical world, for people to get new
identities, or more than one identity.

* Children should not be using real identities until they have sufficiently
  matured to know what info about themselves is too dangerous for the public
  to know.

* Victims of real-world harassment, like domestic abuse & stalking—they
  need to get a new identity, new e-mail address, new phone #, then supply
  that to most trusted friends and family, while keeping the new contact
  info confidential from whoever is the threat.  Judgment errors in who to
  trust, means that this replacement may need to be done multiple times.

* Witness protection on the Internet.

* There's our life associated with our career, and on the job vs.  our
  private life outside of work place—different identities for each
  reality.

* There's where we must use PII for government dictated interaction --
  taxes, finances—and there's where PII has no place, social media --
  different Internet ID for the 2 realities.

There was a crook using Facebook who got caught, but I wonder how many out
there are not yet caught.

1. People on Facebook were giving what was believed to be their real
   name, real geography, lots of personal info.

2. The crook got lists of banks and credit unions in the identified
   geography, then started calling them.

3. “If I forget my password, what do I need to tell you, short of coming
   into the bank in person?''

4. “Can you look up to see if there is an account in my name?''
   (Using name of person from Facebook, who lived in that city)

5. Then checking the info about the person on Facebook, to get the info
   needed for the security questions at the banks.

6. Then engaging in fraud against the people whose Facebook info matched
   their bank security info.


Re: Breach of 1.2 billion user names and passwords (Gold, R-28.18)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 19 Aug 2014 13:57:40 -0500
Barry Gold wrote about challenges of password management, in a world of
nasty e-spies, and he concluded

> Screw this.  I'm going back to storing them in a Word file.

One of his concerns was risk of a key-tracker.  I think our security needs
to be able to evaluate what is running in the background, specifically
looking for things like a key-tracker.

I have access to more than one `working' PC in my home:

* Cave Man—supplied by my employer, which is 20+ years ancient, OS --
also ancient.

* Heaven's to Betsy - personal PC, going on 10 years old.

* Einstein = Latest acquisition, custom setup supplied to me last month by
V.

Long range plan, when one PC has problems, use another on Internet to
research solutions.

Normally use one personal PC for day to day interests, use other to research
aps I am interested in using.

I have met other people with similar arrangements, such as

* several people in one household, or office work place, each with their own
PC, interlinked for sharing printers and other devices.

* A person has both a desk top and lap top and mobile hand-held device,
occasionally interconnects them to share latest copies of some info.

One idea is that we could

* have a Word or Excel File on ONE PC with the passwords needed for another
PC.

* Refrain from using any Internet identity from more than one PC.

That way, if the PC with the passwords got penetrated, they would not be
valid for IDs used from that PC.

Unfortunately, I now use scores of different ID, and had wanted to have
Excel with columns for: ID; its password; Site; other info.  The reason for
different ID—if I get breached at a particular site, all they have is
the ID and password I use at that site, not the ID and password used at
scores of other sites.  So I would need to have one file for each id.  It
would be convenient for me if they were all in one folder—go to folder,
click on file whose name is the ID, and in there is Excel with password that
ID uses at each of several different sites.  Alternatively files named after
site—click on them & see ID and password used for that site.  But all in
one folder might be too obvious for crooks—they find one id or password
or site, recognize what it is, rapidly find the others.

Could someone comment on the validity and risks of my approach ideas?

I recognize a more ideal solution would be to have the file on a PC or other
device which will NEVER be connected to the Internet, but would have
copy/paste capability using some kind of smart card reader normally used by
business cards.  The stand-alone device copies the password & related info
to like a business card.  The Internet connection device reads this in, then
we copy/paste from there to where needed.  This way, the stand-alone unit
can only be penetrated by physical burglary, or insider, where a trusted
visitor is a mistake, or we forget ourselves and permit data flow in other
direction, such as when we implement some upgrade.

Some day I'd like to be able to again play all the old DOS MPS games &
recognize such a system would have to be stand alone so it would be Ok to
not get upgraded to a reality which no longer supports those games.  There
were also games I enjoyed on OS no longer around.

Please report problems with the web pages to the maintainer

Top