The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 34

Thursday 6 November 2014

Contents

Digital Security and Source Protection for Journalists
Susan McGregor
"All governments must protect the ability of journalists to write and speak freely"
digby
Virginia Police Have Been Secretively Stockpiling Private Phone Records
G.W. Schulz
Google ordered to pay a woman $2,250 for Street View image showing cleavage
Megan Geuss
Virginia judge: Police can demand a suspect unlock a phone with a fingerprint
Megan Geuss
Cop charged with stealing nude pics from women's phones
Cyrus Farivar
"The icky part of tech support: Porn and other NSFW surprises"
Tam Harbert
After massive Danish hack, Gottfrid Svartholm Warg sentenced to 3.5 years
Cyrus Farivar
Which Messaging Technologies Are Truly Safe and Secure?
EFF
Critics bash the EFF Secure Messaging Scorecard
Lauren Weinstein
FBI wants black hats for digital black bag ops
Ed Pilkington
$750k Fine for exporting crypto
Jeroen van der Ham
An Unprecedented Look at Stuxnet—the World's First Digital Weapon?
Matthew Kruk
Skipping the Front Desk, and Checking In With a Click
Monty Solomon
Fall of the Banner Ad: The Monster That Swallowed the Web
Monty Solomon
Malicious Software Campaign Targets Apple Users in China
Monty Solomon
Augmenting Your Password-Protected World
Monty Solomon
NSA Director Makes Another Visit to Silicon Valley
Monty Solomon
Re: "Have we gotten so pathetically lame that you need to be notified by an email that your laundry is done?"
Amos Shapir
Absentee ballot of deceased Boston mayor not counted
Wexelblat
Online voting rife with hazards
Amos Shapir
Re: Risks of assuming votes are accurate
Rodney Van Meter
Rashid Motala
Info on RISKS (comp.risks)

Digital Security and Source Protection for Journalists (Susan McGregor)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 5 Nov 2014 9:26:21 PST
In the post-Snowden era, a report written by Susan McGregor
<susan.e.mcgregor@gmail.com> (Columbia University's Tow Center for Digital
Journalism) is timely and highly relevant—especially to digital
journalists and lawyers who might wish to defend them!  (I believe Susan
would welcome constructive comments, because this online report has not yet
been published in final form.  PGN)

  http://susanemcg.gitbooks.io/digital-security-for-journalists/

   [This topic is clearly a source-pot (or sore-spot, if you prefer).
   What's Source for the Goose may goose the ganderer.  PGN]


"All governments must protect the ability of journalists to write and speak freely" (digby on the White House)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Nov 2, 2014 7:37 PM
[Note:  This item comes from friend David Rosenthal. DH]
  [via Dave Farber, who commented: 'It's hard to be cynical enough ...']

digby's blog, 2 Nov 2014

http://digbysblog.blogspot.com/2014/11/all-governments-must-protect-ability-of.html

This is very special:

The White House, Office of the Press Secretary
For Immediate Release November 02, 2014
Statement by the President on the First-Annual International Day to End
Impunity for Crimes Against Journalists

History shows that a free press remains a critical foundation for
prosperous, open, and secure societies, allowing citizens to access
information and hold their governments accountable. Indeed, the Universal
Declaration of Human Rights reiterates the fundamental principle that every
person has the right "to seek, receive, and impart information and ideas
through any media and regardless of frontiers."  Each and every day, brave
journalists take extraordinary risks to bring us stories we otherwise would
not hear - exposing corruption, asking tough questions, or bearing witness
to the dignity of innocent men, women and children suffering the horrors of
war. In this service to humanity, hundreds of journalists have been killed
in the past decade alone, while countless more have been harassed,
threatened, imprisoned, and tortured. In the overwhelming majority of these
cases, the perpetrators of these crimes against journalists go unpunished.

All governments must protect the ability of journalists to write and speak
freely. On this first-ever International Day to End Impunity for Crimes
against Journalists, the United States commends the priceless contributions
by journalists to the freedom and security of us all, shining light into
the darkness and giving voice to the voiceless. We honor the sacrifices so
many journalists have made in their quest for the truth, and demand
accountability for those who have committed crimes against journalists.

Well, some of the time anyway.

In a speech today in Washington, AP President and CEO Gary Pruitt [said]:

The actions of the DOJ against AP are already having an impact beyond the
specifics of this case. Some longtime trusted sources have become nervous
and anxious about talking with us—even on stories unrelated to national
security. In some cases, government employees we once checked in with
regularly will no longer speak to us by phone. Others are reluctant to meet
in person.

In one instance, our journalists could not get a law enforcement official
to confirm a detail that had been reported elsewhere.

Imagine: officials were so fearful of talking to AP they wouldn't even
confirm a fact that had already been reported by numerous other media.

And I can tell you that this chilling effect on news gathering is not just
limited to AP. Journalists from other news organizations have personally
told me that it has intimidated both official and nonofficial sources from
speaking to them as well.

Now, the government may love this. But beware a government that loves too
much secrecy. [...]


Virginia Police Have Been Secretively Stockpiling Private Phone Records (G.W. Schulz)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 23:04:47 -0500
G.W. Schulz, Center for Investigative Reporting, 20 Oct 2014

While revelations from Edward Snowden about the National Security Agency's
massive database of phone records have sparked a national debate about its
constitutionality, another secretive database has gone largely unnoticed and
without scrutiny.

The database, which affects unknown numbers of people, contains phone
records that at least five police agencies in southeast Virginia have been
collecting since 2012 and sharing with one another with little oversight.
Some of the data appears to have been obtained by police from telecoms using
only a subpoena, rather than a court order or probable-cause warrant. Other
information in the database comes from mobile phones seized from suspects
during an arrest. ...

http://www.wired.com/2014/10/virginia-police-secretively-stockpiling-private-phone-records/


Google ordered to pay a woman $2,250 for Street View image showing cleavage (Megan Geuss)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 21:50:23 -0500
Megan Geuss, Ars Technica, 30 Oct 2014
Although her face was blurred out, image had "part of her breast exposed."

Earlier this month, a Quebecois court in Montreal decided that Google owed a
woman $2,250 for picturing her with "part of her breast exposed" in a Street
View image. The woman was sitting in front of her house, and although her
face was blurred out, she was still identifiable by her coworkers,
especially as her car was parked in the driveway without the license plate
blurred out. ...

http://arstechnica.com/tech-policy/2014/10/google-ordered-to-pay-a-woman-2250-for-street-view-image-showing-cleavage/


Virginia judge: Police can demand a suspect unlock a phone with a fingerprint (Megan Geuss)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 21:53:10 -0500
Virginia judge: Police can demand a suspect unlock a phone with a fingerprint
But passcodes need not be divulged as per the Fifth Amendment, court says.

Megan Geuss, Ars Technica, 31 Oct 2014

A Virginia Circuit Court judge ruled on Thursday that a person does not need
to provide a passcode to unlock their phone for the police.  The court also
ruled that demanding a suspect to provide a fingerprint to unlock a phone
would be constitutional. ...

http://arstechnica.com/tech-policy/2014/10/virginia-judge-police-can-demand-a-suspect-unlock-a-phone-with-a-fingerprint/


Cop charged with stealing nude pics from women's phones (Cyrus Farivar)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 21:57:40 -0500
Cyrus Farivar, Ars Technica, 31 Oct 2014
California Highway Patrol officer suspect: image trading was a years-old game.

Prosecutors in Contra Costa County, directly across the bay from San
Francisco, have filed criminal felony charges against a former California
Highway Patrol (CHP) officer, Sean Harrington, who is accused of seizing and
distributing racy photos copied from arrestees' phones. ...

http://arstechnica.com/tech-policy/2014/10/cop-charged-with-stealing-nude-pics-from-womens-phones/


"The icky part of tech support: Porn and other NSFW surprises" (Tam Harbert)

Gene Wirchenko <genew@telus.net>
Wed, 05 Nov 2014 12:54:27 -0800
Tam Harbert, Computerworld, 30 Oct 2014
The help desk can be caught in the middle in more ways than one when users
put risqué material on their personal devices.
http://www.infoworld.com/article/2841557/security/the-icky-part-of-tech-support-porn-and-other-nsfw-surprises.html

opening text:

As the recent scandal over leaked celebrity photographs reminded us all,
people use their electronic devices for very personal pursuits in the era of
smartphone ubiquity. Depending on the age and inclination of its owner, a
modern-day digital device might contain not just nude selfies like those
that were shared online, but images from dating sites like Tinder and
Grindr, creepshots, or other salacious or even illegal material downloaded
from the backwaters of "the dark Web" via anonymizers like Tor.

As blogger Kashmir Hill summed up as the selfie scandal was unfolding,
"Phones have become sex toys."


After massive Danish hack, Gottfrid Svartholm Warg sentenced to 3.5 years (Cyrus Farivar)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 21:59:08 -0500
Cyrus Farivar, Ars Technica, 31 Oct 2014
His accomplice was sentenced to 6 months and was released for time served.

After being convicted of "hacking and gross damage," Gottfrid Svartholm
Warg, better known by his nom de hacker "anakata," was sentenced (Google
Translate) to 3.5 years in prison by a Danish court on Friday.

One day earlier, the Pirate Bay co-founder was found guilty of illegally
accessing the country's driver's license database (Google Translate), social
security database, and the shared IT system across the Schengen zone,
Europe's common passport regions. Using this access, he obtained the e-mail
accounts and passwords of 10,000 police officers and tax officials. All of
that data was managed by CSC, a large American IT contractor. ...

http://arstechnica.com/tech-policy/2014/10/after-massive-danish-hack-gottfrid-svartholm-warg-sentenced-to-3-5-years/


Which Messaging Technologies Are Truly Safe and Secure?

EFF Press <press@eff.org>
November 4, 2014 at 10:00:45 AM EST
Electronic Frontier Foundation Media Release

Peter Eckersley,  Technology Projects Director,  Electronic Frontier Foundation
  pde@eff.org,  +1 415 436-9333 x131
Rebecca Jeschke, Media Relations Director, Electronic Frontier Foundation,
  press@eff.org, +1 415 436-9333 x177

Which Messaging Technologies Are Truly Safe and Secure?

EFF's 'Secure Messaging Scorecard' Rates Digital Communication Tools

San Francisco - In the face of widespread Internet data collection and
surveillance, we need a secure and practical means of talking to each other
from our phones and computers.  Many companies offer "secure messaging"
products - but how can users know if these systems are actually secure?  The
Electronic Frontier Foundation (EFF) released its Secure Messaging Scorecard
today, evaluating dozens of messaging technologies on a range of security
best practices.

"The revelations from Edward Snowden confirm that governments are spying on
our digital lives, devouring all communications that aren't protected by
encryption," said EFF Technology Projects Director Peter Eckersley.  "Many
new tools claim to protect you, but don't include critical features like
end-to-end encryption or secure deletion.  This scorecard gives you the
facts you need to choose the right technology to send your message."

The scorecard includes more than three dozen tools, including chat clients,
text messaging apps, email applications, and technologies for voice and
video calls.  EFF examined them on seven factors, like whether the message
is encrypted both in-transit and at the provider level, and if the code is
audited and open to independent review.  Six of these tools scored all seven
stars, including ChatSecure, CryptoCat, Signal/Redphone, Silent Phone,
Silent Text, and TextSecure.  Apple's iMessage and FaceTime products stood
out as the best of the mass-market options, although neither currently
provides complete protection against sophisticated, targeted forms of
surveillance.  Many options--including Google, Facebook, and Apple's email
products, Yahoo's web and mobile chat, Secret, and WhatsApp--lack the
end-to-end encryption that is necessary to protect against disclosure by the
service provider.  Several major messaging platforms, like QQ, Mxit, and the
desktop version of Yahoo Messenger, have no encryption at all.

"We're focused on improving the tools that everyday users need to
communicate with friends, family members, and colleagues," said EFF Staff
Attorney Nate Cardozo.  "We hope the Secure Messaging Scorecard will start a
race-to-the-top, spurring innovation in stronger and more usable
cryptography."

The Secure Messaging Scorecard is part of EFF's new Campaign for Secure and
Usable Cryptography, and was produced in collaboration with Julia Angwin at
ProPublica and Joseph Bonneau at the Princeton Center for Information
Technology Policy.

For the full Secure Messaging Scorecard:
https://www.eff.org/secure-messaging-scorecard

For this release:
https://www.eff.org/press/releases/which-messaging-technologies-are-truly-safe-and-secure

  [Of course, the correct answer to the titled question,
    Which Messaging Technologies Are Truly Safe and Secure?
  is generally NONE of them—under any realistic threat model that
  includes penetration of typically nonsecure operating systems and
  insider misuse.  RISKS readers should know that by now.  PGN]


Critics bash the EFF Secure Messaging Scorecard

Lauren Weinstein <lauren@vortex.com>
Wed, 5 Nov 2014 17:17:19 -0800
Daily Dot via NNSquad
http://www.dailydot.com/politics/eff-secure-messaging-scorecard-critics/

  "The EFF scorecard gives Skype two check marks for being encrypted in
  transit and encrypted so the provider can't read it.  That was a hard sell
  for many privacy advocates, who immediately pointed to reports from the
  Edward Snowden leaks saying the National Security Agency (NSA) had
  tripled the amount of Skype video calls being collected through Prism."


FBI wants black hats for digital black bag ops (Ed Pilkington)

Henry Baker <hbaker1@pipeline.com>
Thu, 06 Nov 2014 12:27:04 -0800
FYI—The NSA TAO is old (black) hat; the FBI wants to implant malware into
your computer, too.  The FBI is so afraid of "going dark", that it wants to
"go black" (hat).

http://www.theguardian.com/us-news/2014/oct/29/fbi-powers-hacking-computers-surveillance

FBI demands new powers to hack into computers and carry out surveillance

Ed Pilkington, *The Guardian*, 29 Oct 2014
Agency requests rule change but civil liberties groups say "extremely
invasive" technique amounts to unconstitutional power grab.

The FBI is attempting to persuade an obscure regulatory body in Washington
to change its rules of engagement in order to seize significant new powers
to hack into and carry out surveillance of computers throughout the US and
around the world.

Civil liberties groups warn that the proposed rule change amounts to a power
grab by the agency that would ride roughshod over strict limits to searches
and seizures laid out under the fourth amendment of the US constitution, as
well as violate first amendment privacy rights.  They have protested that
the FBI is seeking to transform its cyber capabilities with minimal public
debate and with no congressional oversight.

The regulatory body to which the Department of Justice has applied to make
the rule change, the advisory committee on criminal rules, will meet for the
first time on November 5 to discuss the issue.  The panel will be addressed
by a slew of technology experts and privacy advocates concerned about the
possible ramifications were the proposals allowed to go into effect next
year.  [... PRUNED FOR RISKS.  PGN]

https://s3.amazonaws.com/s3.documentcloud.org/documents/1348429/fbi-committee-hearing.pdf


$750k Fine for exporting crypto (Cryptography)

"Jeroen van der Ham" <jeroen@dckd.nl>
Nov 4, 2014 1:00 PM
It appears that the Bureau of Industry and Security is showing its teeth
with a $750k fine against Wind River Systems for unlawfully exporting
encryption software to countries on the BIS list.

http://www.goodwinprocter.com/Publications/Newsletters/Client-Alert/2014/1015_Software-Companies-Now-on-Notice-That-Encryption-Exports-May-Be-Treated-More-Seriously.aspx

We believe this to be the first penalty BIS has ever issued for the
unlicensed export of encryption software that did not also involve
comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan
or Syria). This suggests a fundamental change in BIS's treatment of
violations of the encryption regulations.

See also the discussion here: https://news.ycombinator.com/item?id=8551825


An Unprecedented Look at Stuxnet—the World's First Digital Weapon?

"Matthew Kruk" <mkrukg@gmail.com>
Wed, 5 Nov 2014 16:07:33 -0700
http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/


Skipping the Front Desk, and Checking In With a Click

Monty Solomon <monty@roscom.com>
Thu, 6 Nov 2014 06:37:00 -0500
In a bid to help harried travelers save time at check-in, a number of major
brands are experimenting with letting guests use their phones to unlock
their rooms.

http://www.nytimes.com/2014/11/04/business/hotels-test-turning-guests-smartphonoes-into-room-keys-.html


Fall of the Banner Ad: The Monster That Swallowed the Web

Monty Solomon <monty@roscom.com>
Wed, 5 Nov 2014 22:22:15 -0500
In the 20 years since their introduction, banner ads have ruined the
appearance and usability of the web, perverted content and diminished
privacy.

http://www.nytimes.com/2014/11/06/technology/personaltech/banner-ads-the-monsters-that-swallowed-the-web.html


Malicious Software Campaign Targets Apple Users in China

Monty Solomon <monty@roscom.com>
Thu, 6 Nov 2014 01:01:01 -0500
It would not be easy for the average Mac user to be hit by this malware, but
it points to new ways in which hackers are targeting Apple products.

http://bits.blogs.nytimes.com/2014/11/05/malicious-software-campaign-targets-apple-users-in-china/


Augmenting Your Password-Protected World

Monty Solomon <monty@roscom.com>
Thu, 6 Nov 2014 01:01:50 -0500
While passwords aren't likely to disappear soon, new technology that uses
eyes and fingerprints as identifiers can protect data more easily.

http://www.nytimes.com/2014/11/06/technology/personaltech/augmenting-your-password-protected-world.html


NSA Director Makes Another Visit to Silicon Valley

Monty Solomon <monty@roscom.com>
Thu, 6 Nov 2014 06:33:10 -0500
Relations between tech companies and the intelligence community have been
strained recently, but Adm. Michael S. Rogers played down government
concerns.

http://bits.blogs.nytimes.com/2014/11/03/n-s-a-director-makes-another-visit-to-silicon-valley/


Re: "Have we gotten so pathetically lame that you need to be notified by an email that your laundry is done?"

Amos Shapir <amos083@gmail.com>
Wed, 5 Nov 2014 11:24:59 +0200
Actually, it's not a matter of being lame.  I'm sure many people who work
long hours would love having a washing machine which can be tracked and
operated over the net, so that e.g. clothes can be put in before leaving for
work, and laundry timed to have them ready to dry by the time of arriving
back.

I know I would like a way to avoid waking up in the morning to find stale
clothes in the machine which were left there wet overnight (this had
happened quite a few times).  However, I don't think I'll be willing to pay
four times the price of a dumb machine for that.


Absentee ballot of deceased Boston mayor not counted

Wexelblat <wex@cs.uml.edu>
Tue, 4 Nov 2014 15:29:26 -0500
*The Boston Globe* on Mayor Menino (who died last week):
http://www.bostonglobe.com/metro/2014/10/31/menino-cast-absentee-ballot-upcoming-election/dF6CeR53bbXZUcErwoXegN/story.html

But under Massachusetts state law, the secretary of state's office said, the
ballot cannot be counted because of the mayor's death.

Wanna bet that every town clerk checks the obituaries for the names of every
absentee voter?  (351 cities and towns in Massachusetts.)

The big risk, of course, is that some close election will be overturned after
a year or so because it is determined that several voters who were presumed
living on election day were ultimately discovered to have been dead.

The implications of determining that sitting legislators, even Senators,
were not actually elected ...

  [This is not the first time this particular issue has shown up in RISKS.
  PGN]


Re: Online voting rife with hazards

Amos Shapir <amos083@gmail.com>
Wed, 5 Nov 2014 11:32:44 +0200
"your are [sic] voluntarily waving [sic] your right to a secret ballot" --

IANAL, but it seems to me that this statement borders on the
unconstitutional.  Can anyone legally waive such a basic constitutional
right?  I'd really like to know, maybe a real lawyer can comment on this.
(Coming to think of it, perhaps the spelling mistakes are intentional!)


Re: Risks of assuming votes are accurate (Long, RISKS-28.33)

Rodney Van Meter <rdv@sfc.wide.ad.jp>
Tue, 4 Nov 2014 15:48:55 -0500
I'm sure John didn't intend for this to be a partisan matter.  In fact,
votes may be flipping the other way in North Carolina:

http://www.rawstory.com/rs/2014/11/north-carolina-voters-report-voting-machines-switching-their-votes-to-gop-candidate/

The article doesn't say, but this one also sounds like a touch screen
mis-registration problem, or outright hardware malfunction.

(By the time you are reading this, the election may well be over.  We can
only hope that any such problems haven't affected the outcome in critical
races.)


Re: Risks of assuming votes are accurate (Long, RISKS-28.33)

Rashid Motala <rashidm@identisoft.net>
Wed, 5 Nov 2014 12:05:22 +0000
> In addition, there seemed to have been a false assumption that allowing
> illegal immigrants to get drivers licenses would not have any deleterious
> effects. In fact, obtaining a driver's license allowed those individuals
> to also register to vote.

This is equivalent to saying "...there seemed to have been a false
assumption that allowing illegal immigrants to eat would not have any
deleterious effects (on voting)."
