The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 36

Monday 17 November 2014

Contents

Crypto Wars II
Bruce Schneier
81% of Tor users can be de-anonymized by analyzing router information,
The Stack via NNSquad
The GCHQ boss's assault on privacy is promoting illegality on the Net
Eben Moglen via Brian Randell
More Federal Agencies Are Using Undercover Operations
NYT via Monty Solomon
State Department Targeted by Hackers in 4th Agency Computer Breach
NYT
Americans' Cellphones Targeted in Secret U.S. Spy Program
Devlin Barrett
Lost Key? Copies From the Cloud!
Monty Solomon
Internet Voting Hack Alters PDF Ballots In Transmission
Michael Mimoso via Jim Reisert
Bloomberg: Forex Investors May Face $1 Billion Loss as Trade Site Vanishes
Gabe Goldberg
FileVault 2: Mac users' unsaved files and screenshots are automatically uploaded
Gabe Goldberg
For Guccifer, Hacking Was Easy. Prison Is Hard
Monty Solomon
Americans Say They Want Privacy, but Act as if They Don't
NYT via Monty Solomon
Debts Canceled by Bankruptcy Still Mar Consumer Credit
NYT via Monty Solomon
Poor systems design may kill...
Jay Ashworth
"Vulnerability leaves iPhones and iPads open to fake app attack"
Martyn Williams via Gene Wirchenko
"Malware doesn't discriminate when it comes to Web ads"
Serdar Yegulalp via Gene Wirchenko
Only Half of USB Devices Have an Unpatchable Flaw But No One Knows Which Half
Andy Greenberg
`Masque Attack' Bug Threatens iOS Users
Stephanie Mlot
ISPs Removing Their Customers' Email Encryption
Jacob Hoffman-Andrews
Re: ISPs Removing Their Customers' Email Encryption
Suresh Ramasubramanian via Dave Farber
Scott Miller via Bob Gezelter
Re: Risks of assuming votes are accurate
Rashid Motala
John Levine
Re: $11M Tool That Could Help Computers Write Their Own Code
Joseph Barrett
Erling Kristiansen
Info on RISKS (comp.risks)

Crypto Wars II

Bruce Schneier <schneier@schneier.com>
Sat, 15 Nov 2014 02:22:20 -0600
            CRYPTO-GRAM
          November 15, 2014
          by Bruce Schneier
        CTO, Co3 Systems, Inc.
        schneier@schneier.com
       http://www.schneier.com
      [EXCERPTED FOR RISKS.  PGN]

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1411.html>. These same essays and news
items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent comment
section. An RSS feed is available.

Crypto Wars II

FBI Director James Comey again called for an end to secure encryption by
putting in a backdoor. Here's his speech:

There is a misconception that building a lawful intercept solution into a
system requires a so-called "back door," one that foreign adversaries and
hackers may try to exploit.

But that isn't true. We aren't seeking a back-door approach. We want to use
the front door, with clarity and transparency, and with clear guidance
provided by law. We are completely comfortable with court orders and legal
process—front doors that provide the evidence and information we need to
investigate crime and prevent terrorist attacks.

Cyber adversaries will exploit any vulnerability they find. But it makes
more sense to address any security risks by developing intercept solutions
during the design phase, rather than resorting to a patchwork solution when
law enforcement comes knocking after the fact. And with sophisticated
encryption, there might be no solution, leaving the government at a dead end
-- all in the name of privacy and network security.

I'm not sure why he believes he can have a technological means of access
that somehow only works for people of the correct morality with the proper
legal documents, but he seems to believe that's possible. As Jeffrey Vagle
and Matt Blaze point out, there's no technical difference between Comey's
"front door" and a "back door."

As in all of these sorts of speeches, Comey gave examples of crimes that
could have been solved had only the police been able to decrypt the
defendant's phone. Unfortunately, none of the three stories is true. The
Intercept tracked down each story, and none of them is actually a cas here
encryption foiled an investigation, arrest, or conviction:

In the most dramatic case that Comey invoked—the death of a 2-year-old
Los Angeles girl—not only was cellphone data a non-issue, but records
show the girl's death could actually have been avoided had government
agencies involved in overseeing her and her parents acted on the extensive
record they already had before them.

In another case, of a Louisiana sex offender who enticed and then killed a
12-year-old boy, the big break had nothing to do with a phone: The murderer
left behind his keys and a trail of muddy footprints, and was stopped nearby
after his car ran out of gas.

And in the case of a Sacramento hit-and-run that killed a man and his
girlfriend's four dogs, the driver was arrested in a traffic stop because
his car was smashed up, and immediately confessed to involvement in the
incident. [...]

Hadn't Comey found anything better since then? In a question-and-answer
session after his speech, Comey both denied trying to use scare stories to
make his point—and admitted that he had launched a nationwide search for
better ones, to no avail.

This is important. All the FBI talk about "going dark" and losing the
ability to solve crimes is absolute bullshit. There is absolutely no
evidence, either statistically or even anecdotally, that criminals are going
free because of encryption.

So why are we even discussing the possibility to forcing companies to
provide insecure encryption to their users and customers?

Sadly, I don't think this is going to go away anytime soon.

Comey:
http://www.nytimes.com/2014/10/17/us/politics/fbi-director-in-policy-speech-calls-dark-devices-hindrance-to-crime-solving.html
or http://tinyurl.com/nwqn846

Comey's speech:
http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course
or http://tinyurl.com/pq426z9

Vagle and Blaze:
http://justsecurity.org/16503/security-front-doors-vs-back-doors-distinction-difference/
or http://tinyurl.com/l5sxvpc

The Intercept:
https://firstlook.org/theintercept/2014/10/17/draft-two-cases-cited-fbi-dude-dumb-dumb/
or http://tinyurl.com/kj5mro5

The EFF points out that companies are protected by law from being
required to provide insecure security to make the FBI happy.
https://www.eff.org/deeplinks/2014/10/eff-response-fbi-director-comeys-speech-encryption
or http://tinyurl.com/lpvfbyz

My first post on these new Crypto Wars is here.
https://www.schneier.com/blog/archives/2014/10/iphone_encrypti_1.html or
http://tinyurl.com/q5ost46

  [Bruce's latest issue of CRYPTOGRAM also includes a bunch of other
  RISKS-related items.  I recommend it for those of you who need to
  or want to worry about security!  Paranoia is not Paranoise. PGN]


81% of Tor users can be de-anonymized by analyzing router information, research indicates

Lauren Weinstein <lauren@vortex.com>
Fri, 14 Nov 2014 11:19:33 -0800
The Stack via NNSquad
http://thestack.com/chakravarty-tor-traffic-analysis-141114

  "Research undertaken between 2008 and 2014 suggests that more than 81% of
  Tor clients can be 'de-anonymized' - their originating IP addresses
  revealed - by exploiting the 'Netflow' technology that Cisco has built
  into its router protocols, and similar traffic analysis software running
  by default in the hardware of other manufacturers."

Not surprising at all.


The GCHQ boss's assault on privacy is promoting illegality on the Net (Eben Moglen)

Brian Randell <brian.randell@newcastle.ac.uk>
November 14, 2014 at 2:02:22 AM HST
Eben Moglen, *The Guardian*, 14 Nov 2014

The state's anti-privacy bandwagon uses the most misleading language to
blackmail technology companies into illegal surveillance.

As he will have wished and we might have predicted, the bandwagon created by
the GCHQ boss, Robert Hannigan, is gathering momentum. His demand that the
Internet companies abandon their stance on privacy now carries the weight of
the British government.

Addressing the Society of Editors conference on Tuesday, Sajid Javid, the
culture secretary, dismissed the right to privacy—in the form of the
right to be forgotten—as “little more than an excuse for well-paid
lawyers to hide the shady pasts of wealthy businessmen and the sexual
indiscretions of sporting celebrities.''  Last weekend the former home
secretary David Blunkett jumped on board, accusing technology companies that
offer encryption of “helping terrorists to co-ordinate genocide and foster
fear and instability around the world.''  Bernard Hogan Howe, the
Metropolitan police commissioner, said this month that space and technology
firms must do more to frustrate paedophiles, murderers and terrorists.

Hannigan's assault on privacy has found friends in the highest places. Prior
to the Edward Snowden revelations, the spymasters and generals directing the
NSA and GCHQ didn't write newspaper essays about their work. But times have
changed, highlighted by Hannigan's decision to use the Financial Times last
week to accuse Twitter and Facebook—“the largest US technology
companies''—of being routes for crime and terrorism.

Like pretty much everything else said by governments, and spy agencies in
particular, since Snowden pulled the behaviour of the US and UK listeners
into daylight, Hannigan's comments were intentionally disingenuous. But
also, like servants of various despotisms with whom he would be loth to
compare himself, Hannigan's frequent use of the word *democracy* is
accompanied by a stunning contempt for the rule of law. [...]

Full story (and lots of comments already) at
http://www.theguardian.com/commentisfree/2014/nov/13/gchq-assault-privacy-illegality-net-blackmail-surveillance


More Federal Agencies Are Using Undercover Operations

Monty Solomon <monty@roscom.com>
Sun, 16 Nov 2014 20:59:18 -0500
Once largely the domain of the F.B.I., undercover work has increased across
federal agencies as policies have changed, according to officials, former
agents and documents.

http://www.nytimes.com/2014/11/16/us/more-federal-agencies-are-using-undercover-operations.html


State Department Targeted by Hackers in 4th Agency Computer Breach

Monty Solomon <monty@roscom.com>
Sun, 16 Nov 2014 21:00:47 -0500
The agency was forced to temporarily shut down its unclassified email and
public websites after the attack on its computer systems.

http://www.nytimes.com/2014/11/17/us/politics/state-department-targeted-by-hackers-in-4th-agency-computer-breach.html


Americans' Cellphones Targeted in Secret U.S. Spy Program (Devlin Barrett)

Monty Solomon <monty@roscom.com>
Fri, 14 Nov 2014 06:41:46 -0500
Devlin Barrett, *Wall Street Journal*, 14 Nov 2014
Devices on Planes that Mimic Cellphone Towers Used to Target Criminals, but
Also Sift Through Thousands of Other Phones

The Justice Department is scooping up data from thousands of mobile phones
through devices deployed on airplanes that mimic cellphone towers, a
high-tech hunt for criminal suspects that is snagging a large number of
innocent Americans, according to people familiar with the operations.

http://online.wsj.com/articles/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533


Lost Key? Copies From the Cloud!

Monty Solomon <monty@roscom.com>
Sun, 16 Nov 2014 01:56:36 -0500
A company is placing kiosks in New York-area 7-Eleven stores that will allow
people to make car keys without having to go to a car dealer.

http://www.nytimes.com/2014/11/16/automobiles/lost-key-copies-from-the-cloud.html


Internet Voting Hack Alters PDF Ballots In Transmission (Michael Mimoso)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 13 Nov 2014 15:52:39 -0700
November 13, 2014 , 12:30 pm

Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper
called "Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering"
that explains an attack against common home routers that would allow a
hacker to intercept a PDF ballot and use another technique to modify a
ballot before sending it along to an election authority.

http://threatpost.com/internet-voting-hack-alters-pdf-ballots-in-transmission/109333


Bloomberg: Forex Investors May Face $1 Billion Loss as Trade Site Vanishes

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Nov 2014 15:36:22 -0500
The first time Rajibuddin Mandal, a family doctor in Birmingham, England,
tried his hand at trading currencies online, he lost 2,000 British
pounds. From that experience, he concluded that the foreign-exchange market
was too big, too complex and too hazardous for amateur investors like
himself. He decided he needed help from the professionals.

http://bloom.bg/1wVxpwW

1%/day gain, investment principal return assured. What could go wrong?


FileVault 2: Mac users' unsaved files and screenshots are automatically uploaded

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Nov 2014 10:43:56 -0500
Opening TextEdit in your MacBook to jot down some notes may feel like the
digital equivalent of scrawling on the back of an envelope.  Unfortunately,
those unsaved notes may not be as private as you think they are—and
likely haven't been for a while.

If you're like the majority of Mac users, you may think your in-progress
files—the ones you haven't explicitly saved—are being stored directly
on your hard drive. And with FileVault 2, a full-disk encryption feature
included with your OS, Apple has made it easy to encrypt the contents of
your entire drive, offering an additional layer of security if your laptop
is stolen—especially if you store your own recovery key.

But security researcher Jeffrey Paul recently noticed that Apple's default
autosave is storing in-progress files—the ones you haven't explicitly
saved yet—in the cloud, not on your hard drive. (Surprise!)  Unless you
decided to hit save before you start typing, or manually changed the default
settings, those meeting notes, passwords, and credit card numbers you jotted
down in "Untitled 17" are living in iCloud.

http://www.slate.com/blogs/future_tense/2014/11/03/filevault_2_mac_users_unsaved_files_and_screenshots_are_automatically_uploaded.html

What could go wrong?


For Guccifer, Hacking Was Easy. Prison Is Hard

Monty Solomon <monty@roscom.com>
Thu, 13 Nov 2014 00:21:21 -0500
http://www.nytimes.com/2014/11/11/world/europe/for-guccifer-hacking-was-easy-prison-is-hard-.html

Marcel-Lehel Lazar, whose pseudonym celebrated “the style of Gucci and the
light of Lucifer,'' rampaged through the email of rich Americans, showing
the ease of going rogue online.


Americans Say They Want Privacy, but Act as if They Don't

Monty Solomon <monty@roscom.com>
Thu, 13 Nov 2014 00:18:42 -0500
http://www.nytimes.com/2014/11/13/upshot/americans-say-they-want-privacy-but-act-as-if-they-dont.html

People are doubtful about the safety of their personal information online or
on cellphones. Yet it does not necessarily change their behavior, according
to a new poll.


Debts Canceled by Bankruptcy Still Mar Consumer Credit Scores

Monty Solomon <monty@roscom.com>
Thu, 13 Nov 2014 07:20:26 -0500
Officials suspect that big banks ignore bankruptcy court discharges, keeping
debts alive on credit reports and impairing borrowers' ability to
secure housing and jobs.

http://dealbook.nytimes.com/2014/11/12/debts-canceled-by-bankruptcy-still-mar-consumer-credit-scores/


Poor systems design may kill...

Jay Ashworth <jra@baylink.com>
Mon, 17 Nov 2014 12:40:29 -0500 (EST)
And no, that's not really a hyperbolic headline; anyone who knows that power
utilities have a hot list of addresses to restore first due to medical
device usage knows exactly what I mean.

  http://spectrum.ieee.org/aerospace/military/electromagnetic-warfare-is-here

As digital and Internet-connected control expands to cover more and more
disciplines that we've never used it on before, our exposure to bad guys
becomes larger and larger—as much because the barrier to entry becomes
lower and lower, and there are always 12-year-old boys as for any other
reason.

Risk analysis is the fundamental issue here—and the fact that even those
who ask for it don't always listen.

We Told You So isn't always even satisfying.

No matter; we *know* where the likely RISKS pinch points are in systems
designs; we've known it for years.

What hasn't happened is *getting the people who know into the design cycle,
everywhere*.  Will that require legislation?  We've mooted the topic many
times here on RISKS over the 3 decades I've read it.  I'm not sure the rate
at which the problem's getting better is outstripping the rate at which the
domain is getting larger.

Jay R. Ashworth, St Petersburg FL; Baylink http://www.bcp38.info
+1 727 647 1274  jra@baylink.com

  [MOOTED?  We've variously TOOTED work by Paul Kocher, Ross Anderson, Dan
  Boneh, and many others, LOOTED risks in ROOTED systems being BOOTED, risks
  in pacemakers, and more.  It's not moot, and of course it never was except
  in the eyes of folks who thought they could ignore the problems.  This
  seems to be another example of “in that we don't know what to do about
  it, we're going to ignore it.'' PGN]


"Vulnerability leaves iPhones and iPads open to fake app attack" (Martyn Williams)

Gene Wirchenko <genew@telus.net>
Fri, 14 Nov 2014 12:25:17 -0800
Martyn Williams, InfoWorld, 10 Nov 2014
Attackers can replace legitimate apps with fake ones that access and
steal personal information
http://www.infoworld.com/article/2846015/mobile-security/vulnerability-leaves-iphones-and-ipads-open-to-fake-app-attack.html


"Malware doesn't discriminate when it comes to Web ads" (Serdar Yegulalp)

Gene Wirchenko <genew@telus.net>
Wed, 12 Nov 2014 13:59:30 -0800
Serdar Yegulalp, InfoWorld,  12 Nov 2014
Racy or benign, your favorite sites have likely exposed you to malware-laden
  ads
http://www.infoworld.com/article/2846993/malware/malware-doesnt-discriminate-when-it-comes-to-web-ads.html


Only Half of USB Devices Have an Unpatchable Flaw But No One Knows Which Half (Andy Greenberg)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Nov 12, 2014 4:48 AM
Andy Greenberg, *WiReD*, 12 Nov 2014 (via Dave Farber)
<http://www.wired.com/2014/11/badusb-only-affects-half-of-usbs/>

First, the good news: that unpatchable security flaw in USB devices first
brought to light over the summer affects only about half of the things you
plug into your USB port. The bad news is it's nearly impossible to
sort out the secure gadgets from the insecure ones without ripping open
every last thumb drive.

At the PacSec security conference in Tokyo on Wednesday, hacker Karsten Nohl
presented an update to his research on the fundamental insecurity of USB
devices he's dubbed BadUSB. Nohl and his fellow researchers Jakob Lell and
Sascha Krissler have analyzed every USB controller chip sold by the
industry's eight biggest vendors to see if their hack would work against
each of those slices of silicon. The results: Roughly half of the chips were
immune to the attack. But predicting which chip a device uses is practically
impossible for the average consumer.

“It's not like you plug [a thumbdrive] into your computer and it tells you
this is a Cypress chip, and this one is a Phison chip,'' says Nohl, naming
two of the top USB chip manufacturers. “You really can't check other than
by opening the device and doing the analysis yourself. The scarier story is
that we can't give you a list of safe devices.''

Nohl's BadUSB attack, which he revealed at the Black Hat security conference
in August, takes advantage of the fact that a USB controller chip's firmware
can be reprogrammed. That means a thumb drive's controller chip itself,
rather than the Flash storage on that memory stick, can be infected with
malware that invisibly spreads to computers, corrupts files stored on the
drive, or quietly begins impersonating a USB keyboard to type commands on
the victim's machine.

“You'd Never Get Away With This in a Laptop''

Now Nohl's research team has tested that reprogrammability problem in USB
controller chips sold by the industry's biggest vendors: Phison, Alcor,
Renesas, ASmedia, Genesys Logic, FTDI, Cypress and Microchip. They checked
versions of each chip both by looking up its published specs and by plugging
a device using it into a computer and attempting to rewrite the chip's
firmware.

They found an unpredictable patchwork of results. All of the USB storage
controllers from Taiwanese firm Phison that Nohl tested, for instance, were
vulnerable to reprogramming. Chips from ASmedia weren't, Nohl's tests
found. Controller chips from fellow Taiwanese company Genesys that used the
USB 2 standard were immune, but ones that used the newer USB 3 standard were
susceptible. In other categories of device like USB hubs, keyboards, webcams
and mice, the results produced an even messier Excel spreadsheet of
“vulnerable,'' “secure,'' and “inconclusive.'' [...]


`Masque Attack' Bug Threatens iOS Users (Stephanie Mlot)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Nov 12, 2014 5:22 AM
[Note:  This item comes from friend Steve Goldstein.  DLH] (via Dave Farber)

Stephanie Mlot, *PC Mag*, 11 Nov 2014
The "Masque Attack" allows hackers to replace a legit app with a phony one
to track and collect private information.

<http://www.pcmag.com/article2/0,2817,2471947,00.asp>

Apple iOS users, beware: A bug discovered in Apple's mobile operating
system can leave iPhones and iPads vulnerable to attacks.

Uncovered in July by FireEye mobile security researchers, the "Masque
Attack" allows hackers to replace a legitimate app with a phony one, then
track and collect private information.

That data—cached emails, login tokens, etc.—can then be used by the
attacker to log into the victim's accounts.

Users should be on the lookout for pop-up messages that prompt them to
install something like an updated version of Flappy Bird or the latest
Angry Birds title.

As demonstrated in the video below, clicking on a malicious link could open
the door to attackers, who mimic an original app's login interface to steal
the victim's credentials. FireEye highlights the bug via the official Gmail
application, downloaded to an iPhone from the iTunes App Store.

"We have confirmed this attack with email apps where the malware can steal
local caches of important emails and upload them to [a] remote server," the
blog said.

Worst of all, the malware is almost indistinguishable to the victim, who is
unlikely to realize they have been duped.

"In this situation, we consider it urgent to let the public know," FireEye
said, "since there could be existing attacks that haven't been found by
security vendors."

The firm notified Apple about the vulnerability on July 26. Cupertino did
not respond to PCMag's request for comment.


ISPs Removing Their Customers' Email Encryption

"Dewayne Hendricks" <dewayne@warpspeed.com>
Nov 12, 2014 4:59 AM
Jacob Hoffman-Andrews, *EFF*, 11 Nov 2014
<https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks>

Recently, Verizon was caught tampering with its customer's web requests to
inject a tracking super-cookie. Another network-tampering threat to user
safety has come to light from other providers: email encryption downgrade
attacks. In recent months, researchers have reported ISPs in the US and
Thailand intercepting their customers' data to strip a security
flag”called STARTTLS”from email traffic. The STARTTLS flag is an
essential security and privacy protection used by an email server to request
encryption when talking to another server or client.1

By stripping out this flag, these ISPs prevent the email servers from
successfully encrypting their conversation, and by default the servers will
proceed to send email unencrypted. Some firewalls, including Cisco's
PIX/ASA firewall do this in order to monitor for spam originating from
within their network and prevent it from being sent. Unfortunately, this
causes collateral damage: the sending server will proceed to transmit
plaintext email over the public Internet, where it is subject to
eavesdropping and interception.

This type of STARTTLS stripping attack has mostly gone unnoticed because it
tends to be applied to residential networks, where it is uncommon to run an
email server2. STARTTLS was also relatively uncommon until late 2013, when
EFF started rating companies on whether they used it. Since then, many of
the biggest email providers implemented STARTTLS to protect their
customers. We continue to strongly encourage all providers to implement
STARTTLS for both outbound and inbound email. Google's Safer email
transparency report and starttls.info are good resources for checking
whether a particular provider does.

Several Standards for Email Encryption

The SMTP protocol, the underpinning of email, was not originally designed
with security in mind. But people quickly started using it for everything
from shopping lists and love letters to medical advice and investigative
reporting, and soon realized their mail needed to be protected from prying
eyes. In 1991, Phil Zimmerman implemented PGP, an end-to-end email
encryption protocol that is still in use today. Adoption of PGP has been
slow because of its highly technical interface and difficult key
management. S/MIME, with similar properties as PGP, was developed in 1995.
And in 2002, STARTTLS for email was defined by RFC 3207.

While PGP and S/MIME are end-to-end encryption, STARTTLS is
server-to-server. That means that the body of an email protected with, e.g.
PGP, can only be read by its intended recipient, while email protected with
STARTTLS can be read by the owners of the sending server and the recipient
server, plus anyone else who hacks or subpoenas access to those servers.
However, STARTTLS has three big advantages: First, it protects important
metadata (subject lines and To:/From/CC: fields) that PGP and S/MIME do
not. Second, mail server operators can implement STARTTLS without requiring
users to change their behavior at all. And third, a well-configured email
server with STARTTLS can provide Forward Secrecy for emails. The two
technologies are entirely compatible and reinforce each other. The most
secure and private approach is to use PGP or S/MIME with a mail service
that uses STARTTLS for server-to-server communication. [...]


Re: [IP] ISPs Removing Their Customers' Email Encryption (via Dave Farber)

"Suresh Ramasubramanian" <suresh@hserus.net>
Nov 12, 2014 5:27 AM
Is this on port 25 outbound where you would possibly expect to see
something like a Cisco ASA or similar smtp proxy device deployed by an ISP
intent on filtering malware / spam traffic outbound from infected user
desktops or local spammers?

Is this filter on port 587 (the smtp submission port) as well?

Several ISPs in the USA and elsewhere outright block port 25 instead of
proxying it, but the awareness of port 587 being available for use isn't
uniform across all countries so that it is possible that a local ISP may
have elected to proxy rather than block outbound port 25 traffic.

Of course such an approach ideally whitelists port 25 traffic to known
outbound servers (say those belonging to large email providers) but
certainly won't be able to account for every mailserver running on  a VPS
or Linux box on a home dsl line for that matter.

And in all cases using port 587, which has been RFC standard, widely
supported and recommended as a best practice for several years, is ideal
for any outbound mail you might want to send.

EFF may want to take port 587 into account especially when they
recommend TLS and study incidents like this Thai one (TLS is a best
practice the security community entirely agrees with by the way)


Re: ISPs reportedly interfering with customer use of STARTTLS (Bob Gezelter, RISKS-28.35)

"Scott Miller" <SMiller@unimin.com>
Fri, 14 Nov 2014 08:54:10 -0500
How does this compare or relate to the "TLS False Start Using RSA" browser
flag? That flag allows the packets to begin to flow before TLS credentials
are validated. A Mozilla user can use Data Manager to change this from
"allow" to "block" for a given domain, however, recent versions of the
browser will refuse to honor that directive. Earlier versions honored it,
but it was deliberately deprecated. I have found debates about this issue in
Mozilla developer forums; the prevailing opinion appeared to be that
requiring strict pre-authentication did not offer sufficient incremental
security to justify the delay in page load time. I tend to be skeptical of
arguments that appear to be as self-serving as that one, and I fail to see
how it in any way justifies removing the option from the discretion of the
individual browser user. I did not do much research on IE or Chrome, but I
did see some hits that suggest similar policies.


Re: Risks of assuming votes are accurate (Motala, RISKS-28.34)

Rashid Motala <rashidm@identisoft.net>
Fri, 14 Nov 2014 14:31:16 +0000
The better solution to this would be not to equate having a drivers license
with citizenship. In many places, being able to drive is almost a basic
necessity, and denying illegal immigrants drivers licenses only results in
more illegal (unlicensed and untested) drivers on the road.


Re: Risks of assuming votes are accurate (Motala, RISKS-28.34)

"John Levine" <johnl@iecc.com>
16 Nov 2014 04:48:56 -0000
Legal immigrants aka green card holders have been eligible for
drivers' licenses since approximately forever.  It has never been the
case that possession of a driver's license means the holder is a
citizen.* I don't see any reason to believe that adding illegal
immigrants to the mix makes a significant difference.

* In some states there's a thing called an Enhanced Driver's License (EDL)
with more stringent documentation requirements that does mean that the
holder is a citizen, but they've been notably unpopular.


Re: $11M Tool That Could Help Computers Write Their Own Code (Finley, RISKS-28.35)

josephkk <joseph_barrett@sbcglobal.net>
Thu, 13 Nov 2014 23:00:02 -0800
And at a horrendous cost in code diversity.  Not my favorite idea.

A far better idea is to teach the difference between well written code and
sloppy code.  It is really easy, just put the two side by side and discuss
for many use cases.


Re: The $11M Tool That Could Help Computers Write Their Own Code

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 14 Nov 2014 21:25:37 +0100
The scary part, at least to me, is that the tool may suggest something that
is NOT what you intended, but is sufficiently similar that you do not spot
the difference.

In particular, if larger chunks of code are inserted, this is a real
risk. When you write code yourself, you know what you intend it to do. If a
tool inserts it, you may not take the trouble to fully understand what it
does because "the tool normally generates good code (whatever that means)".

Please report problems with the web pages to the maintainer

Top