The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 54

Monday 2 March 2015

Contents

Google and tech's elite are living in a parallel universe
John Naughton
What will happen when the Internet of things becomes artificially intelligent?
Stephen Balkam
Spy Research Agency Is Building Psychic Machines to Predict Hacks
Aliya Sternstein
US government and private sector developing 'precrime' system to anticipate cyber-attacks
The Stack
Belarus bans Tor and all anonymising Internet technologies
The Stack
U.S. and British Agencies May Have Tried to Get SIM Encryption Codes, Gemalto Says
The NYTimes
Uber Driver Database Breached by Someone Outside Company
The NYTimes
Police probe outage that cut Internet, phones in Arizona
Mike Stayton
White House Proposes Broad Consumer Data Privacy Bill
The NYTimes
Will we never learn? H&R Block software on Windows 8.1
Jeremy Epstein
The big money behind Iran's Internet censorship
Daily Dot
Internet of Obnoxious Things....
Mike O'Dell
When Driver Error Becomes Programming Error
Joel Shurkin
Thief Steals $15,000 Bike in Sausalito With Tap of Hand
Alyssa Goard
Blaming the Internet for Terrorism: So Wrong and So Dangerous
Lauren Weinstein
Phishing attacks target developers
Paul McIntire
"Hackers force death of Canadian Bitcoin exchange"
Howard Solomon
Crying "wolf" when reporting browser security flaws
Arthur
"Flaw in popular Web analytics plug-in exposes WordPress sites to hacking"
Lucian Constantin
Unblinded e-mail from National Park Service, DEath VAlley
Leonard Finegold
Journal Accepts Paper Reading "Get Me Off Your F***ing Mailing List"
Stephen Luntz
Re: Hard disk firmware infection campaign detected
Geoff Kuenning
Re: Jeb Bush publishes e-mail personal info of Florida residents online
John Levine
R. G. Newbury
Re: "Regulating the Drone Economy"
Mike Spencer
Re: More "Right To Be Forgotten" nonsense from "The Guardian"
Amos Shapir
Re: ... use of GOTOs in code is *not* harmful ...
Richard A. O'Keefe
Re: Too-real simulation
Erling Kristiansen
"Lenovo shows us why we need to reinvent Web security"
Scott Dorsey
"Patent trolls are on the run, but not vanquished yet"
Bill Snyder
"Net neutrality triumphs as ISPs weep"
Paul Venezia
FCC votes for net neutrality, a ban on paid fast lanes, and Title II
Ars
Bruce Schneier's *Data and Goliath* excerpt
PGN
Info on RISKS (comp.risks)

Google and tech's elite are living in a parallel universe (John Naughton)

"Hendricks Dewayne" <dewayne@warpspeed.com>
Feb 22, 2015 9:51 AM
John Naughton, *The Guardian*, Feb 21 2015 (via Dave Farber)
The gap between the richly rewarded few of tech firms and banks and the
rest of us is growing wider. Blame the digital revolution
http://www.theguardian.com/commentisfree/2015/feb/22/google-tech-elite-living-in-a-parallel-universe-john-naughton

Someone once observed that the difference between Tony Blair and Margaret
Thatcher was that whereas Thatcher believed that she was always right, Blair
believed not only that he was right but also that he was good.  Visitors to
the big technology companies in California come away with the feeling that
they have been talking to tech-savvy analogues of Blair.  They are fired
with a zealous conviction that they are doing great stuff for the world, and
proud of the fact that they work insanely hard in the furtherance of that
goal.  The fact that they are richly rewarded for their dedication is, one
is given to believe, incidental.

The guys (and they are mostly guys) who manage these good folk are properly
respectful of their high-IQ charges. Chief among them is Eric Schmidt, the
executive chairman of Google, and a man who takes his responsibilities
seriously. So seriously, in fact, that he co-authored a book with his
colleague Jonathan Rosenberg on the care and maintenance of these precious
beings. Dr Schmidt objects to the demeaning term `knowledge workers' that
economists have devised for them. Google employees, he tells us, are much,
much more impressive than mere knowledge workers: they are `smart
creatives'.

In the opinion of their chairman, these Wunderkinder are very special
indeed.  They are "not averse to taking risks."  Nor are they "punished
or held back when those risky initiatives fail, ... not hemmed in by role
definitions or organisational structures, ... don't keep quiet when they
disagree with something."  [...]


What will happen when the Internet of things becomes artificially intelligent? (Stephen Balkam)

"Hendricks Dewayne" <dewayne@warpspeed.com>
Feb 22, 2015 10:01 AM
Stephen Balkam, *The Guardian*, 20 Feb 2015
From Stephen Hawking to Spike Jonze, the existential threat posed by the
onset of the `conscious web' is fueling much debate—but should we be
afraid?
http://www.theguardian.com/technology/2015/feb/20/internet-of-things-artificially-intelligent-stephen-hawking-spike-jonze

When Stephen Hawking, Bill Gates and Elon Musk all agree on something, it's
worth paying attention.

All three have warned of the potential dangers that artificial intelligence
or AI can bring. The world's foremost physicist, Hawking said that the full
development of artificial intelligence (AI) could `spell the end of the
human race'.  Musk, the tech entrepreneur who brought us PayPal, Tesla and
SpaceX described artificial intelligence as our "biggest existential
threat," and said that playing around with AI was like "summoning the
demon."  Gates, who knows a thing or two about tech, puts himself in the
`concerned' camp when it comes to machines becoming too intelligent for us
humans to control.

What are these wise souls afraid of? AI is broadly described as the ability
of computer systems to ape or mimic human intelligent behavior. This could
be anything from recognizing speech, to visual perception, making decisions
and translating languages. Examples run from Deep Blue who beat chess
champion Garry Kasparov to supercomputer Watson who outguessed the world's
best Jeopardy player. Fictionally, we have Her, Spike Jonze's movie that
depicts the protagonist, played by Joaquin Phoenix, falling in love with his
operating system, seductively voiced by Scarlett Johansson. And coming soon,
Chappie stars a stolen police robot who is reprogrammed to make conscious
choices and to feel emotions.

An important component of AI, and a key element in the fears it engenders,
is the ability of machines to take action on their own without human
intervention. This could take the form of a computer reprogramming itself in
the face of an obstacle or restriction. In other words, to think for itself
and to take action accordingly.

Needless to say, there are those in the tech world who have a more sanguine
view of AI and what it could bring.  Kevin Kelly, the founding editor of
Wired magazine, does not see the future inhabited by HALs—the homicidal
computer on board the spaceship in 2001: A Space Odyssey. Kelly sees a more
prosaic world that looks more like Amazon Web Services: a cheap, smart,
utility which is also exceedingly boring simply because it will run in the
background of our lives. He says AI will enliven inert objects in the way
that electricity did over 100 years ago.  "Everything that we formerly
electrified, we will now cognitize."  And he sees the business plans of the
next 10,000 startups as easy to predict:  "Take X and add AI." [...]


Spy Research Agency Is Building Psychic Machines to Predict Hacks (Aliya Sternstein)

"ACM TechNews" <technews@hq.acm.org>
Wed, 25 Feb 2015 12:08:08 -0500 (EST)
Aliya Sternstein, NextGov.com, 23 Feb 2015, via ACM TechNews

The U.S. Intelligence Advanced Research Projects Activity (IARPA) is working
on a new contest that will challenge government and private-sector entities
to create a system for analyzing numerous streams of data from social media
to black market malware storefronts to create predictions of what
cyberthreats a given network may face ahead of time.  The Cyber-Attack
Automated Unconventional Sensor Environment (CAUSE) project is envisioned as
a cybersecurity equivalent of systems that have been able to analyze various
data streams to successfully predict political uprisings and the spread of
diseases such as Ebola.  IARPA's Rob Rahmer, who is leading the CAUSE
project, says the competition is meant to help move the cybersecurity field
from a reactive to a proactive posture.  Such a system would not be perfect
and would make mistakes, but Rahmer says it would help agencies and
businesses spend their cybersecurity resources proactively.  CAUSE is
envisioned as a four-year race and IARPA currently is developing guidelines
and determining what the prize for the competition will be.  There already
is strong interest in the project; about 150 would-be participants from the
private sector and academia attended a recent informational workshop about
CAUSE.  One issue that needs addressing is what computing resources
competitors will need to use; CAUSE would likely require supercomputer-level
computing power.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d684x2c74fx065558&


U.S. government and private sector developing 'precrime' system to anticipate cyber-attacks

Lauren Weinstein <lauren@vortex.com>
Wed, 25 Feb 2015 16:07:47 -0800
The Stack via NNSquad
http://thestack.com/iarpa-cause-ibm-precrime-threat-prediction-240215

  "The USA's Office of the Director of National Intelligence (ODNI) is
  soliciting the involvement of the private and academic sectors in
  developing a new 'precrime' computer system capable of predicting
  cyber-incursions before they happen, based on the processing of 'massive
  data streams from diverse data sets'—including social media and
  possibly deanonymised Bitcoin transactions.  In January the Intelligence
  Advanced Research Projects Activity (IARPA), administrated by ODNI, held a
  Proposers' Day Conference for the Cyber-attack Automated Unconventional
  Sensor Environment (CAUSE) initiative, inviting interest from IBM and
  other cyber-security companies including Battelle, RepKnight, the Florida
  Center for Cybersecurity (FC2), Galois Inc., SoarTech, SRA International
  Inc. [PGN-NOTE: SRA, *not* SRI!], Vion ... and, of course, IBM, which
  produces technologies used and cited by some of the other vendors in their
  own proposals.  Dr. Peter Highnam presented the overview on January 21st,
  initially drawing attention to the interests in the project of no less
  than 16 major government departments, including the CIA, the Defense
  Intelligence Agency, the Department of State, the FBI, the Department of
  Homeland Security and all branches of the US military."

Looks like a giant trolling target. There will be folks who would like
nothing more than to trigger false alarms for such a system, just for
funsies.


Belarus bans Tor and all anonymising Internet technologies

Lauren Weinstein <lauren@vortex.com>
Wed, 25 Feb 2015 16:10:38 -0800
The Stack via NNSquad
http://thestack.com/belarus-bans-tor-250215

  "In the wake of Russia's announcement that it intends to ban Tor, VPNs and
  all other technologies that permit users to hide their identities on the
  Internet, the neighbouring Republic of Belarus has announced [Russian
  language] that it will enable legislation to bring these restrictions into
  effect.  The ban was announced in the official national portal of
  Belarus. The edict declares that any service which provides access to
  anonymising facilities such as Tor and Virtual Private Networks must be
  entered onto a national blacklist, and that Internet service providers
  will be obliged to check state inspectorate lists daily for new banned
  services and sites, and to implement blocks accordingly."


U.S. and British Agencies May Have Tried to Get SIM Encryption Codes, Gemalto Says

Monty Solomon <monty@roscom.com>
Wed, 25 Feb 2015 08:24:57 -0500
The digital security company said it believed attacks by the N.S.A. and its
British counterpart occurred over two years, starting in 2010.
http://www.nytimes.com/2015/02/26/business/international/gemalto-says-nsa-tried-to-take-sim-encryption-codes.html


Uber Driver Database Breached by Someone Outside Company

Monty Solomon <monty@roscom.com>
Fri, 27 Feb 2015 22:18:30 -0500
The breach may have revealed the names and identification numbers of up to
50,000 drivers, but so far there are no reports that stolen information has
been misused.
http://bits.blogs.nytimes.com/2015/02/27/uber-driver-database-breached-by-someone-outside-company/


Police probe outage that cut Internet, phones in Arizona

Mike Stayton <stayton@pobox.com>
Thu, 26 Feb 2015 10:21:58 -0500
Another single point of failure?

http://www.usatoday.com/story/news/nation/2015/02/26/poliice-probe-arizona-outage/24043367/

Mike Stayton, 106 Miss Georgia Court, Cary, NC 27511  919 460-0561


White House Proposes Broad Consumer Data Privacy Bill

Monty Solomon <monty@roscom.com>
Sun, 1 Mar 2015 13:39:27 -0500
Under the proposed legislation, called the Consumer Privacy Bill of Rights
Act, industries would draw up their own codes of conduct on handling
customer data, which regulators would enforce.
http://www.nytimes.com/2015/02/28/business/white-house-proposes-broad-consumer-data-privacy-bill.html


Will we never learn? H&R Block software on Windows 8.1

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sun, 1 Mar 2015 11:15:07 -0500
Celebrating the beginning of March by starting to work on my taxes, I bought
the CD from H&R Block. (I've used their software for at least 10 years -
while not perfect, it can do trust returns, unlike the consumer-grade
Quicken product.)

Anyway, I got an error when I tried to install on my Windows 8.1 system.
Some Googling reveals that this is a known problem:

  The software is fully compatible with Windows 8.1, however, as many users
  have discovered, the user's rights are somewhat restricted even on an
  Administrator account, since Windows Vista. It turns out that since then,
  Microsoft's operating systems have had a true administrator account that
  is hidden by default. You can search for the simple instructions to enable
  this account, however in support we have had success by simply creating a
  new account with Administrator rights and leave the Administrator account
  disabled.

One very simple trick that has worked for me personally is to right button
click the installer file, and choose "Run as Administrator". Sometimes that
is all that is needed!

 - - - -

So let's see, the software needs *something* that only a "true"
administrator account can do, and they never tested it on the latest version
of Microsoft's operating system before release???  Will we never learn,
either about security or testing?

http://community.hrblock.com/t5/DIY-Products/HR-BLOCK-PREMIUM-2014-TAX-CD-WILL-NOT-INSTALL/td-p/55443


The big money behind Iran's Internet censorship (Daily Dot)

Lauren Weinstein <lauren@vortex.com>
Sun, 22 Feb 2015 09:51:08 -0800
Daily Dot via NNSquad
http://www.dailydot.com/politics/iran-censorship-circumvention-tech/

  "While the Iranian government spends millions of dollars to build and
  maintain one of the strictest censorship regimes on the planet, its
  citizens spend their own millions on anti-censorship software that allows
  them to see the Internet more freely. Anti-censorship is so much money, in
  fact, that many of the same government authorities that do the censoring
  then turn around and allow the sale of censorship-beating software--in
  order to line their pockets, offer a false sense of security to Iranians,
  and even to make their surveillance jobs that much easier."


Internet of Obnoxious Things....

"Mike O'Dell" <mo@ccr.org>
Feb 22, 2015 11:35 AM
The PKDick excerpt cited about a shakedown by a door lock is, I fear, more
prescient than it first appears.

I very much doubt that any "Internet of Things" will become Artificially
Impudent because long before that happens, all the devices will be co-opted
by The Bad Guys who will proceed to pursue shakedowns, extortion, and
"protection" rackets on a coherent global scale.

Whether it is even possible to "secure" such a collection of devices
empowered with such direct control over physical reality is a profound and,
I believe, completely open theoretical question. (We don't even have a
strong definition of what that would mean.)

Even if it is theoretically possible, it has been demonstrated in the most
compelling possible terms that it will not be done for a host of
reasons. The most benign fall under the rubric of "Never ascribe to malice
what is adequately explained by stupidity" while others will be aggressively
malicious. First and foremost, however, is the attitude that "security" can
be added-on in a piecemeal fashion to a fundamentally insecure system in
retrospect. This is patently false and has been known to be the case for
many decades.

A close second, however, is a definition of "security" that reads,
approximately, "Do what I should have meant." E.g., the rate of technology
churn cannot be reduced just because we haven't figured out what we need it
to do (or not do) - we'll just "iterate" every time Something Bad(tm)
happens.

An even deeper concern, however, is that the entire concept of "security" as
naively held may be fundamentally unachievable, that phrases like "This must
not happen again" are simply irrational because the underlying theoretical
foundations cannot produce it.

The problem with pursuing such a goal is that it has led us down a path of
"brittle failure" where things work right up until they fail, and then they
fail catastrophically. The outcome is forced to be binary.

In most of Computer Science, there have been only relatively modest efforts
directed at building systems which fail gracefully, or
partially. Certainly some sub-specialties have spent a lot of effort
on this notion, but it is not the norm in the education of a journeyman
system builder.

If it is the case that we are unlikely to build any large system which is
fail-proof, and that certainly seems to be the situation, we need to focus
on building systems which can tolerate, isolate, and survive local
failures. As it has been so ably demonstrated, it is now possible to steal
from a million people with the same effort as one person (approximately).
That is a great example of a "brittle failure" and could well be a great
place to start rethinking protocols and algorithms so that a big failure may
produce a million opportunities to steal, but that executing any one theft
produces no advantage to executing the next.

This is not a panacea, but is a useful direction to pursue if we are to be
overrun with Artificially Impudent light switches, toasters, and toilet
seats. I *really* don't want someone playing games with the temperature of
my shower, to pick one at random.


When Driver Error Becomes Programming Error (Joel Shurkin)

"ACM TechNews" <technews@hq.acm.org>
Mon, 2 Mar 2015 12:01:54 -0500 (EST)
*Inside Science* (02/26/15) Joel N. Shurkin via ACM TechNews, 2 Mar 2015

If automated automobiles become practical and widely adopted, then car
accidents will be the result of programming errors instead of driver errors,
which makes the assignment of responsibility in litigation a challenge.  At
a recent meeting of the American Association for the Advancement of Science,
Stanford University researchers announced the production of an automated
vehicle that can compete with champion amateur drivers on a racetrack.  The
car uses global-positioning systems, computer-driven controls, and
programmed rules to drive and navigate.  Stanford professor Chris Gerdes
says its computerized thinking process raises important concerns.  For
example, because such a car is programmed to obey all traffic rules and not
violate laws, there may be limitations to its usefulness.  One example is a
programmed vehicle's inability to cross double lines to get around an
illegally parked car, because such a maneuver would technically break the
rules.  University of South Carolina in Columbia professor Bryant Walker
Smith thinks with the advent of automated cars, the onus of liability will
shift more to manufacturers than consumers, with the costs ultimately passed
on to consumers.  He also notes if the cars improve safety, it is likely the
number of accident-related lawsuits will decline.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d6b9x2c76cx057431&


Thief Steals $15,000 Bike in Sausalito With Tap of Hand (Alyssa Goard)

Paul Saffo <paul@saffo.com>
Sat, 28 Feb 2015 18:34:22 -0800
Alyssa Goard, NBC Bay Area, 27 Feb 2015
Thief Steals $15,000 Bike in Sausalito With Tap of Hand: Police
http://www.nbcbayarea.com/news/local/Thief-Steals-15000-Bike-in-Sausalito-With-Tap-of-Hand-294430531.html

A thief in Sausalito stole a bike valued at $15,000 from an Audi on
Thursday, all with a tap of his hand.  The man made off with the Cervelo P5
bicycle and other valuables on Central Avenue in Sausalito during the
afternoon on Feb. 19, much of which was captured on surveillance video.

As police described it, the man was on Central Avenue driving a black
vehicle, possibly a 2011-2014 Volkswagen Golf TDI Diesel, when he drove
past the Audi. It was then when police say he reached out, tapping the Audi
with his hand as he passed by. He parked his Volkswagen close to the Audi,
walked up to it and touched the vehicle's door handles.

After he did that, somehow the doors unlocked. Police believe the thief
unlocked the Audi using an electronic device or remote.

Sausalito police warn residents that even advanced, high tech locks and
security systems can be outsmarted.  Police say the suspect in this crime
appears to be about 25 to 35 years old and was wearing black clothing.

Anyone with information on the suspect or this crime should contact Detective Ryan McMahon at 415-289-4118.

  [Fascinating.  An Audi master key, used by dealers and locksmiths
  presumably?  Good reminder that having trapdoors, backdoors, and
  frontdoors is NOT A GOOD IDEA.  PGN]


Blaming the Internet for Terrorism: So Wrong and So Dangerous

Lauren Weinstein <lauren@vortex.com>
Sun, 22 Feb 2015 17:29:34 -0800
http://lauren.vortex.com/archive/001087.html

You can almost physically hear the drumbeat getting louder. It's almost
impossible to read a news site or watch cable news without seeing some
political, religious, or "whomever we could get on the air just now"
spokesperson bemoaning and/or expressing anger about free speech on the
Internet.

Their claims are quite explicit. "Almost a hundred thousand social media
messages sent by ISIL a day!" "Internet is the most powerful tool of
extremists." On and on.

Now, most of these proponents of "controlling" free speech aren't
dummies. They don't usually come right out and say they want censorship. In
fact, they frequently claim to be big supporters of free speech on the Net
-- they only want to shut down "extremist" speech, you see. And don't worry,
they all seem to claim they're up to the task of defining which speech would
be so classified as verboten.  "Trust us," they plead with big puppy dog
eyes.

But blaming the Net for terrorism—which is the underlying story behind
their arguments—actually has all the logical and scientific rigor of
blaming elemental uranium for atomic bombs.

Speaking of which, I'd personally be much more concerned about terrorist
groups getting hold of loose fissile material than Facebook accounts. And
I'm pretty curious about how that 100K a day social media messages stat is
derived. Hell, if you multiply the number of social media messages I
typically send per day times the number of ostensible followers I have, it
would total in the millions—every day. And you know what? That plus one
dollar will buy you a cup of crummy coffee.

Proponents of controls on Internet speech are often pretty expert at
conflating and confusing different aspects of speech, with a definite
emphasis on expanding the already controversial meanings of "hate speech"
and similar terms.

They also note—accurately in this respect—that social media firms
aren't required to make publicly available all materials that are submitted
to them. Yep, this is certainly true, and an important consideration. But
what speech control advocates seem to conveniently downplay is that the
major social media firms already have significant staffs devoted to removing
materials from their sites that violate their associated Terms of Service
related to hate speech and other content, and what's more this is an
incredibly difficult and emotionally challenging task, calling on the Wisdom
of Solomon as but one prerequisite.

The complexities in this area are many. The technology of the Net makes true
elimination of any given material essentially impossible.  Attempts to
remove "terrorist-related" items from public view often draw more attention
to them via the notorious "Streisand Effect"—and/or push them into
underground, so-called "darknets" where they are still available but harder
to monitor towards public safety tracking of their activities.

"Out of sight, out of mind" might work for a cartoon ostrich with its head
stuck into the ground, but it's a recipe for disaster in the real world of
the Internet.

There are of course differences between "public" and "publicized."
Sometimes it seems like cable news has become the paid publicity partner of
ISIL and other terrorist groups, merrily spending hours promoting the latest
videotaped missive from every wannabe terrorist criminal wearing a hood and
standing in front of an ISIL flag fresh from their $50 inkjet printer.

But that sort of publicity in the name of ratings is very far indeed from
attempting to control the dissemination of information on the Net, where
information once disseminated can receive almost limitless signal boosts
from every attempt made to remove it.

This is not to say that social media firms shouldn't enforce their own
standards. But the subtext of information control proponents—and their
attempts to blame the Internet for terrorism—is the implicit or explicit
implication that ultimately governments will need to step in and enforce
their own censorship regimes.

We're well down that path already in some ways, of course.
Government-mandated ISP block lists replete with errors blocking innocent
sites, yet still rapidly expanding beyond their sometimes relatively narrow
original mandates.

And whether we're talking about massive, pervasive censorship systems like
in China or Iran, or the immense censorship pressures applied in countries
like Russia, or even the theoretically optional systems like in the U.K, the
underlying mindsets are very much the same, and very much to the liking of
political leaders who would censor the Internet not just on the basis of
"stopping terrorism," but for their own political, financial, religious or
other essentially power hungry reasons as well.

In this respect, it's almost as if terrorists were partnering with these
political leaders, so convenient are the excuses for trying to crush free
speech, to control that "damned Internet"—provided to the latter by the
former.

Which brings us to perhaps the ultimate irony in this spectacle, the sad
truth that by trying to restrict information on the Internet in the name of
limiting the dissemination of "terrorist" materials on the Net, even the
honest advocates of this stance—those devoid of ulterior motives for
broader information control—are actually advancing the cause of terrorism
by drawing more attention to those very items they'd declare "forbidden,"
even while it will be technologically impossible to actually remove those
materials from public view.

It's very much a lose-lose situation of the highest order, with potentially
devastating consequences far beyond the realm of battling terrorists.

For if these proponents of Internet information control—ultimately of
Internet censorship—are successful in their quest, they will have handed
terrorists, totalitarian governments, and other evil forces a propaganda and
operational prize more valuable to the cause of repression than all the ISIL
social media postings and videos made to date or yet to be posted.

And then, dear friends, as the saying goes, the terrorists really would have
won, after all.

Be seeing you.


Phishing attacks target developers

Paul McIntire <paul.mcintire@sfunix.net>
Tue, 24 Feb 2015 21:31:59 -0800
We recently fell victim to a clever phishing attack targeted directly at our
mobile application.  The email received looked exactly like a correspondence
from Google App Store and contained a deep link obfuscated in an HTML email
pointing to a 3rd party malicious site in guise of the Developer Console.
The subject was "3-Day Notification of Google Play Developer Term Violation"
which certainly got our attention.  One of our harried developers clicked on
the link and logged into a site http://accounts.gooogle.com.de/ providing
hackers with our credentials.

The takeaway here is obvious.  Enforce multi-factor authentication on all
email accounts linked to app store logins.  I don't understand how this is
even optional anymore.

https://guardianproject.info/2015/02/24/phishing-for-developers/
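A defender-side check for the kind of link the post describes, as an added Python example (not the poster's or the Guardian Project's code): it extracts the anchors from a constructed HTML body resembling that message and flags an href whose hostname carries a one-character variant of the expected brand, or whose displayed URL disagrees with its real target. It assumes google.com is the only legitimate registrable domain for such mail; every other host in the sample is made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the post): mail claiming to come from Google Play
# should only link to hosts whose registrable domain is google.com.
EXPECTED_DOMAINS = {"google.com"}

# Constructed HTML body resembling the message described in the post;
# the hosts other than google.com are invented for this example.
SAMPLE_HTML = """\
<p>3-Day Notification of Google Play Developer Term Violation</p>
<p>Please sign in to the <a href="http://accounts.gooogle.com.de/">Developer
Console</a> within 3 days to resolve this issue.</p>
<p><a href="https://support.google.com/googleplay/android-developer/">Help Center</a></p>
<p><a href="http://login-console.example.net/">https://play.google.com/apps/publish</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse the whitespace of anchor text that wrapped across lines
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1: the last two labels.  Enough for .com and .de here;
    a production check should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character brand typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(text, href, expected=EXPECTED_DOMAINS):
    """Return 'ok', 'lookalike', 'mismatch' or 'external' for one anchor.

    lookalike: a hostname label is the brand name, or one edit away from it,
               while the registrable domain is not the brand's (gooogle.com.de).
    mismatch:  the visible anchor text is a URL whose host differs from the
               real target (shows play.google.com, href goes elsewhere).
    external:  some other domain; not flagged here but worth a look.
    """
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return "ok"          # relative or mailto: links are out of scope
    if registrable_domain(host) in expected:
        return "ok"
    brands = {d.split(".")[0] for d in expected}
    for label in host.split("."):
        if any(edit_distance(label, b) <= 1 for b in brands):
            return "lookalike"
    shown = urlparse(text).hostname if "://" in text else None
    if shown and shown.lower() != host:
        return "mismatch"
    return "external"


def scan_email(html, expected=EXPECTED_DOMAINS):
    """Return [(anchor text, href, verdict)] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, classify_link(text, href, expected))
            for text, href in parser.links]


if __name__ == "__main__":
    for text, href, verdict in scan_email(SAMPLE_HTML):
        print(f"{verdict:9s} {href}  (shown as: {text!r})")
```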


"Hackers force death of Canadian Bitcoin exchange" (Howard Solomon)

Gene Wirchenko <genew@telus.net>
Mon, 23 Feb 2015 11:34:58 -0800
Howard Solomon, *IT Business*, 20 Feb 2015
http://www.itbusiness.ca/news/hackers-force-death-of-canadian-bitcoin-exchange/53891

Digital currencies hold appeal to some enterprises, but the security of
exchanges is a weak point. The latest to fall is Canadian exchange CaVirtex
over what it says is a possible breach. [..]


Crying "wolf" when reporting browser security flaws

Arthur <Risks201502.6.atsjbt@xoxy.net>
Thu, 26 Feb 2015 15:06:32 -0500
I, like many careful people, run either with active scripting fully disabled
or with the Noscript plugin of Firefox set to disallow scripts from any site
I don't exempt. "Noscript" is one of the most popular Firefox plugins for a
good reason. As Ron put it a while back, "I always thought of JavaScript as
the browser's malware injection facility."

The problem is that almost all reports of browser exploits follow the same
template: First they name the exploit. Then they explain, in gory detail,
the horrible nasty things the exploit can do. Finally they say that, until a
fix can be written and applied, your best method of safety is to disable
scripts or to run with Noscript. Sometimes they leave that last bit off even
though the exploit requires active scripting.

The risk is that people who browse safely, without scripting, may ignore
browser exploit reports. If or when one such comes along which does not rely
on scripting, those people will be vulnerable longer. (By the way, does
anyone have statistics on browser exploits broken down by scripting required
for the vulnerability versus everything else?)

It would be nice if the reporting template were instead more along these
lines: Name the exploit; state who is and isn't vulnerable; detail the
exploit type (evil script, buffer overrun, SQL injection, etc.); tell the
extent of the exploit; and explain how those who are vulnerable can fix
or mitigate the problem.


"Flaw in popular Web analytics plug-in exposes WordPress sites to hacking" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 26 Feb 2015 13:33:12 -0800
Lucian Constantin, InfoWorld, 25 Feb 2015
Attackers can easily crack cryptographic keys used by the WP-Slimstat
plug-in and use them to read information from a site's database
http://www.infoworld.com/article/2888878/security/flaw-in-popular-web-analytics-plugin-exposes-wordpress-sites-to-hacking.html


Unblinded e-mail from National Park Service, DEath VAlley

Leonard Finegold <L@drexel.edu>
Mon, 2 Mar 2015 13:36:51 -0500
Minor fun, from National Park Service, DEath VAlley, one of my favorite
places.  This was sent to about 256 people; presumably (like me) they had
once contacted NPS.  Nice to note that NPS doesn't worry about keeping
E-addresses confidential.  Note "there" for their.

Begin forwarded message:

> Date: March 2, 2015 12:25:08 PM EST
> From: "DEVA Information, NPS" <deva_information@nps.gov>
> To:  [MONSTER LIST OF E-MAIL ADDRESSES DELETED BY PGN FOR RISKS]
> Subject: Morning Report 03/02/2015

> Good Luck, to all those who are making plans for there [sic] summer
> season and moving on. May you find your way back soon!

The subsequent e-mail provided a correction, but again included the entire
list of addresses.

> Subject: Error while sending Morning Report 03/02/2015

> Please disregard last message morning report is meant for selected contact
> stations in error it was sent to all contacts. Please do not respond just
> delete message. Document resent to stations, and thank you for your
> understanding.

  [If you were French, you might ask PARK-WHA? (pourqua?)... PGN]


Journal Accepts Paper Reading "Get Me Off Your F***ing Mailing List" (Stephen Luntz)

Gene Wirchenko <genew@telus.net>
Wed, 25 Feb 2015 11:39:20 -0800
Stephen Luntz, IFL Science, 23 Nov 2014
http://www.iflscience.com/technology/journal-accepts-paper-reading-get-me-your-fucking-mailing-list

A paper that largely consists of the words "Get me off your f***ing mailing
list" repeated 863 times has been accepted by a journal that claims to be
peer reviewed. The move might appear to offer hope to scientists struggling
to get marginal work published, but really just exposes the extent of scam
publications pretending to be contributing to science. [...]


Re: Hard disk firmware infection campaign detected (Houppermans)

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, 01 Mar 2015 02:09:34 -0800
A few days after the news of the NSA's hard-disk infections came out, I
spoke to a high-level manager at Seagate about the attack.  He told me a
couple of interesting things:

1. Although all drives have a "download new firmware" command, the firmware
   has to be signed.  Ten years ago that wasn't true.  So although the NSA
   might have previously succeeded with this attack, today they would have
   to beg, borrow, or steal the signing key.  That's not to say they haven't
   (after all, sneakiness is their stock in trade), but it makes things more
   difficult.

2. An unrelated but interesting point is that at least at Seagate (and
   presumably elsewhere) all on-drive information is *always* encrypted
   using a random key (and the drive itself is a superb source of
   randomness).  There's an "erase drive" command that simply forgets the
   key.  No, I don't know how to issue it; it doesn't seem to be in hdparm's
   list of options.

    Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/

Paymasters come in only two sizes: one sort shows you where the book
says that you can't have what you've got coming to you; the second
sort digs through the book until he finds a paragraph that lets you
have what you need even if you don't rate it.  Doughty was the second
sort.  Robert A. Heinlein, "The Door Into Summer"
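
The two mechanisms described in points 1 and 2 above, as an added model in Go that is not Seagate's firmware or any real drive's code: a "download new firmware" path that accepts an image only if a detached signature verifies under a vendor public key baked into the controller, and always-on encryption under a key generated on the drive, where "erase" just replaces the key. The `Drive` type, its method names, the use of Ed25519 for the firmware signature and AES-GCM for the data path are assumptions made for the example; the real signature scheme, key storage and command set are not stated in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Drive is a hypothetical model of a self-encrypting drive with signed firmware.
type Drive struct {
	vendorPub ed25519.PublicKey // public half of the vendor signing key, fixed at manufacture
	firmware  []byte
	dek       []byte // data-encryption key, generated on the drive, never exported
	aead      cipher.AEAD
	platters  map[uint64][]byte // LBA -> nonce || ciphertext
}

func NewDrive(vendorPub ed25519.PublicKey) (*Drive, error) {
	d := &Drive{vendorPub: vendorPub, platters: map[uint64][]byte{}}
	return d, d.generateKey()
}

// generateKey draws a fresh DEK. crypto/rand stands in for the drive's own RNG.
func (d *Drive) generateKey() error {
	d.dek = make([]byte, 32)
	if _, err := rand.Read(d.dek); err != nil {
		return err
	}
	block, err := aes.NewCipher(d.dek)
	if err != nil {
		return err
	}
	d.aead, err = cipher.NewGCM(block)
	return err
}

// DownloadFirmware is the "download new firmware" command: the image is
// installed only if sig verifies under the vendor key. An attacker without the
// private key cannot produce a sig for a modified image.
func (d *Drive) DownloadFirmware(image, sig []byte) error {
	if !ed25519.Verify(d.vendorPub, image, sig) {
		return errors.New("firmware rejected: signature does not verify")
	}
	d.firmware = append([]byte(nil), image...)
	return nil
}

func (d *Drive) WriteSector(lba uint64, plaintext []byte) error {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	d.platters[lba] = append(nonce, d.aead.Seal(nil, nonce, plaintext, nil)...)
	return nil
}

func (d *Drive) ReadSector(lba uint64) ([]byte, error) {
	ct, ok := d.platters[lba]
	if !ok {
		return nil, errors.New("no such sector")
	}
	ns := d.aead.NonceSize()
	return d.aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// CryptoErase is the "erase drive" command: the ciphertext stays on the
// platters untouched, but the old key is gone, so every prior sector is unreadable.
func (d *Drive) CryptoErase() error {
	for i := range d.dek {
		d.dek[i] = 0
	}
	return d.generateKey()
}

func main() {
	// Vendor key pair, generated here only for the demo. The private half is
	// what an attacker would have to "beg, borrow, or steal".
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	d, err := NewDrive(vendorPub)
	if err != nil {
		panic(err)
	}
	image := []byte("FW v2.1 (constructed image)")
	sig := ed25519.Sign(vendorPriv, image)
	fmt.Println("genuine image: ", d.DownloadFirmware(image, sig))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 1
	fmt.Println("tampered image:", d.DownloadFirmware(tampered, sig))

	_ = d.WriteSector(7, []byte("top secret"))
	pt, _ := d.ReadSector(7)
	fmt.Printf("before erase: %q\n", pt)
	_ = d.CryptoErase()
	_, err = d.ReadSector(7)
	fmt.Println("after erase: ", err)
}
```

Two caveats the model makes visible. The signature check only helps while the vendor's private key stays private and while the code doing the verification (the ROM or bootloader) cannot itself be replaced; a stolen signing key or a writable verifier turns it back into the unsigned-firmware situation. And a crypto erase is only as good as the assurance that the key never left the drive; the ciphertext is deliberately left in place.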


Re: Jeb Bush publishes e-mail personal info of Florida residents online (RISKS-28.51)

"John Levine" <johnl@iecc.com>
24 Feb 2015 02:12:40 -0000
Copyright law is more complicated than that.  The U.S. law has broad
rules for a fair use defense to claims of copyright infringement,
based on:

  The purpose and character of the use, including whether such use is of
  commercial nature or is for nonprofit educational purposes

  The nature of the copyrighted work

  The amount and substantiality of the portion used in relation to the
  copyrighted work as a whole

  The effect of the use upon the potential market for, or value of,
  the copyrighted work

Since the use was non-commercial, the public has a clear interest in Bush's
correspondence since he was a government official at the time and a likely
candidate for US President, and the commercial market of the e-mail is
negligible, the argument for fair use in this case is very small.

In Europe or Canada, privacy laws would likely forbid publication of
people's personal details, but other than a few narrow cases that don't
apply here, the US has no privacy laws.


Re: Jeb Bush publishes e-mail personal info of Florida residents online (RISKS-28.53)

"R. G. Newbury" <newbury@mandamus.org>
Tue, 24 Feb 2015 10:10:56 -0500
NOT! As a first order WAG, I would assume that the TOS involved in emailing
the governor *in his official capacity as an elected public figure* cover
that. And the FOIA would cover the publication.

R. Geoffrey Newbury, Barrister and Solicitor, newbury@mandamus.org
Mississauga, Ontario, L5H 3R2    905-271-9600


Re: "Regulating the Drone Economy"

Mike Spencer
Tue, 24 Feb 2015 03:07:28 -0400
No one seems to have remarked on what happens if you shoot one of these
drones down when it's buzzing around your back yard.  Have you committed
multiple serious felonies related to aircraft?  Or have you wrecked
somebody's expensive toy that was intruding on your privacy?


Re: More "Right To Be Forgotten" nonsense from "The Guardian"

Amos Shapir <amos083@gmail.com>
Fri, 27 Feb 2015 12:17:46 +0200
The Guardian's article demonstrates yet again the "Barbra Streisand effect";
as John Oliver had said about the Spaniard who had started this round "the
only fact I know about him is the very fact he wanted to be forgotten"....


Re: ... use of GOTOs in code is *not* harmful ... (R-28.51)

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Thu, 26 Feb 2015 12:03:26 +1300
RISKS-28.51 pointed us to an article that concluded the use of GOTOs is not
harmful in practice.  A quick glance through the paper looks good, but it
may seriously mislead readers who aren't aware of Dijkstra's context.  He
did not "fear" that the use of gotos "would" obscure the code but observed
that it *did*.  For example, when he wrote, Fortran was one of the dominant
languages.  It had no "while" or "switch"/"case" statements and even no "if"
statement as we currently understand it.  COBOL 61 was not much better.  IBM
had introduced PL/I, but it still had no "switch"/"case" statement.

If developers are now using gotos responsibly, Dijkstra deserves a lot of
the credit, because before he wrote, a lot of programmers didn't.  The
people who designed programming languages where you *could* write serious
code with few if any gotos also deserve a lot of credit.  Fortran 90 (and
later) and COBOL 85 (and later) support precisely the kind of structured
programming that Dijkstra and others were advocating.

The difficulty of trying to understand how a program got to where it is has
other guises these days.  JavaScript has no 'goto' statement; that does not
make understanding Node.js code easy!


Re: Too-real simulation (RISKS-28.53)

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Sat, 28 Feb 2015 21:26:14 +0100
Back in the late 1970's, I was involved in the launch of the first European
meteorological satellite METEOSAT-1.

A couple of days before the launch date, the launcher, sitting on the launch
pad, received a telecommand to self-destruct.  Fortunately, the execution of
this command was disabled while on the ground, so nothing happened. But the
launch was delayed by about 2 weeks to find the source of the telecommand.

It turned out that a tracking station had been doing simulations of
contingency operations, and had accidentally transmitted the command to the
antenna rather than to the "dummy load" that is supposed to be used for
training and tests. (To make the training as realistic as possible,
everything in the Earth station is typically fully configured, except that
the final output signal is routed to a load resistor rather than to the
transmit antenna).


"Lenovo shows us why we need to reinvent Web security" (Venezia)

Scott Dorsey <kludge@panix.com>
Tue, 24 Feb 2015 11:30:30 -0500
If you cannot trust your operating system, you cannot trust anything, and no
encryption, no certificate, no algorithm is going to allow you to trust
anything.  The problem is not SSL security, the problem is not being able to
trust your OS.  --scott  [Of course, PGN agrees—having maintained that
position throughout the history of RISKS and long before.]


"Patent trolls are on the run, but not vanquished yet" (Bill Snyder)

Gene Wirchenko <genew@telus.net>
Thu, 26 Feb 2015 11:02:50 -0800
      Here's hoping!  Part 1

Bill Snyder, InfoWorld, 26 Feb 2015
Strong legislation that will weaken the ability of the trolls to
shake down innovators is likely to pass Congress, but more should be done
Tech's Bottom Line
http://www.infoworld.com/article/2889194/patents/patent-trolls-are-on-the-run-but-not-vanquished-yet.html

selected text:

There's finally light at the end of the dark, troll-infested tunnel, and it
isn't an oncoming train. Congress is likely to pass a bill that will take
money out of the pockets of innovation-sucking patent trolls (aka
"nonpracticing entities") despite opposition from lawyers, the
pharmaceutical industry, and a few tech companies that hold large numbers of
patents.

That study, titled "Does Patent Licensing Promote Innovation?," ...

"We find that very few patent licenses from assertion result in any
innovation, whether we measure that directly by looking for new products and
features, or indirectly by looking for proxies such as the transfer of
technology, sharing of personnel, or the development of joint ventures,"
they wrote. Patent licensing, they say, "seems to be an activity almost
entirely divorced from innovation."


"Net neutrality triumphs as ISPs weep" (Paul Venezia)

Gene Wirchenko <genew@telus.net>
Thu, 26 Feb 2015 11:11:36 -0800
   Here's hoping, Part 2.

Paul Venezia, InfoWorld, 26 Feb 2015
The public interest has prevailed and the FCC has voted to reclassify
ISPs as common carriers. At last we have the means to control our
Internet future
http://www.infoworld.com/article/2888962/net-neutrality/net-neutrality-triumphs-as-isps-weep.html


FCC votes for net neutrality, a ban on paid fast lanes, and Title II

Lauren Weinstein <lauren@vortex.com>
Thu, 26 Feb 2015 10:13:40 -0800
Ars via NNSquad
http://arstechnica.com/business/2015/02/fcc-votes-for-net-neutrality-a-ban-on-paid-fast-lanes-and-title-ii/

  "The Federal Communications Commission today voted to enforce net
  neutrality rules that prevent Internet providers--including cellular
  carriers--from blocking or throttling traffic or giving priority to Web
  services in exchange for payment.  The most controversial part of the
  FCC's decision reclassifies fixed and mobile broadband as a
  telecommunications service, with providers to be regulated as common
  carriers under Title II of the Communications Act. This brings Internet
  service under the same type of regulatory regime faced by wireline
  telephone service and mobile voice, though the FCC is forbearing from
  stricter utility-style rules that it could also apply under Title II."

BOOM! As the moderator of the Network Neutrality Squad now reaching back for
so many years, I must say I am quite pleased overall with this
decision. There will be lawsuits, and threats from Congress relating to this
vote, and the risk of reversals with new Commissioners later always will
exist, but today is a really good day for the Internet.


Bruce Schneier's *Data and Goliath* excerpt

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 2 Mar 2015 10:40:40 PST
Bruce Schneier, How to Mess With Surveillance:
Why you should search for random people on Facebook, and other tips.

This essay is excerpted from Data and Goliath: The Hidden Battles to Collect
Your Data and Control Your World by Bruce Schneier, published by
W. W. Norton & Co. Inc., 2015.

Surveillance is both a technological and a legal problem. Technological
solutions are often things we can do ourselves. We can use various privacy
and anonymity technologies to protect our data and identities.  These are
effective but can be thwarted by secret government orders. We need to fight
the political battle as well.

Political solutions require group effort but are generally limited to
specific countries. Technological solutions have the potential to be
global. If Microsoft designs its Windows operating system with ubiquitous
file encryption, or if the Internet Engineering Task Force decides that all
Internet traffic will be encrypted by default, then those changes will
affect everyone in the world who uses those products and protocols.

The point is that politics can undermine technology, and also that
technology can undermine politics. Neither trumps the other. If we are going
to fix things, we need to fight on both the technological and political
fronts. And it's not just up to governments and corporations. We the people
have a lot of work to do here. [... Long item PGN-truncated for RISKS]

Excerpted from Data and Goliath: The Hidden Battles to Collect Your Data and
Control Your World by Bruce Schneier. Copyright 2015 by Bruce Schneier. With
permission of the publisher, W. W. Norton & Co. Inc. All rights reserved.
