The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 68

Thursday 11 June 2015

Contents

All U.S. United Flights Grounded Over Mysterious Problem
PGN
Airbus transport crash caused by "wipe" of critical engine control data
Ars Technica
Man dies in Corvette after battery cable becomes loose
Khou via Mark Thorson
Traffic Hacking: Caution Light Is On
Nicole Perlroth
OpenSesame: 10-sec universal garage door opener
Dennis Fisher
Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find
NYTimes
After Silences and Setbacks, the LightSail Spacecraft Is Revived
NYT
Evidence of Healthcare Breaches Lurks On Infected Medical Devices
Werner U
New exploit leaves most Macs vulnerable to permanent backdooring
Dan Goodin
Breach in a Federal Computer System Exposes Personnel Data
NYTimes
Chinese Hackers Behind Breach at Insurers Are Also Responsible for Government Attack
NYTimes
Single Test for All Virus Exposure Opens Doors for Researchers
NYT
Kaspersky Lab cybersecurity firm is hacked
BBC
Consumers Dislike Data-Mining but Feel Helpless to Stop It
NYT
Exclusive: In 'year of Apple Pay', many top retailers remain skeptical
Reuters
"Governments of the World Agree: Encryption Must Die!"
Lauren Weinstein
Japanese pension organization phished, 1.25M people's data leaked
chiaki ishikawa
Twitter Advertisers Can Now Target You Based on the Other Phone Apps
recode
Re: "NOBUS can shoot ourselves in the foot like this"
Chris Drewe
Re: Volvo has an accident, but not the one you thought
Peter Ladkin
Re: EU wants to kill open Wi-Fi
Peter Ladkin
Re: You Can Be Prosecuted for Clearing Your Browser History
Henry Baker
Re: House of Discards: Wikipedia pre-election edits
Henry Baker
REVIEW - "The Florentine Deception", Carey Nachenberg
Rob Slade
Info on RISKS (comp.risks)

All U.S. United Flights Grounded Over Mysterious Problem

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 11 Jun 2015 11:03:52 PDT
All United Airlines flights in the US were grounded this morning for nearly
an hour, over `dispatching information'.  Various tweets from passengers
suggest different possible explanations: hacked network? fake flight plans?
disgorging random plans? dropped flight plans?  Considerable confusion?
The problem was then resolved.
http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/


Report: Airbus transport crash caused by "wipe" of critical engine control data

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Jun 2015 08:44:33 -0700
http://arstechnica.com/information-technology/2015/06/report-airbus-transport-crash-caused-by-wipe-of-critical-engine-control-data/


Man dies in Corvette after battery cable becomes loose

Mark Thorson <eee@sonic.net>
Wed, 10 Jun 2015 13:18:17 -0700
The doors don't open without battery power.  There is a mechanical release,
but it's hidden and many Corvette owners don't know about it.  This man may
have died while reading his owner's manual, which adds a new dimension to
the term RTFM.

http://www.khou.com/story/news/local/texas/2015/06/10/texas-man-dog-die-after-being-trapped-in-corvette/70999112/


Traffic Hacking: Caution Light Is On (Nicole Perlroth)

"Bob Frankston" <bob19-0501@bobf.frankston.com>
11 Jun 2015 09:49:32 -0400
Today's NYTimes.com
http://bits.blogs.nytimes.com/2015/06/10/traffic-hacking-caution-light-is-on/?_r=0

  [The article might be interpreted as implying that so-called `smart'
  anythings could all be vulnerable.  No surprise to RISKS readers.  PGN]


OpenSesame: 10-sec universal garage door opener

Henry Baker <hbaker1@pipeline.com>
Fri, 05 Jun 2015 14:24:25 -0700
FYI—It usually takes me longer than 10 seconds to find the right button
to push...

Dennis Fisher, 4 Jun 2015
Using a Toy to Open a Fixed-Code Garage Door in 10 Seconds
https://threatpost.com/using-a-toy-to-open-a-fixed-code-garage-door-in-10-seconds/113146


Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find

Monty Solomon <monty@roscom.com>
Wed, 10 Jun 2015 09:46:51 -0400
http://www.nytimes.com/2015/06/11/us/amtrak-crash-engineer-brandon-bostian-not-on-cellphone-ntsb-says.html


After Silences and Setbacks, the LightSail Spacecraft Is Revived

Monty Solomon <monty@roscom.com>
Tue, 9 Jun 2015 03:10:31 -0400
http://www.nytimes.com/2015/06/08/science/space/lightsail-setbacks-spacecraft-prepares-unfurl-sail.html

LightSail was successfully deployed and worked for two days before its
computer crashed because of a software flaw.

Eight days of silence followed until, as engineers expected, a high-speed
charged particle zipping through space fortuitously scrambled part of the
computer's memory and caused the computer to restart ... and deploy its
solar sail.


Evidence of Healthcare Breaches Lurks On Infected Medical Devices

Werner U <werneru@gmail.com>
Tue, 9 Jun 2015 05:15:48 +0200
[ regarding 8 June 2015 article on The Security Ledger website ]

chicksdaddy <http://it.slashdot.org/%7Echicksdaddy> wrote on SLASHDOT
http://it.slashdot.org/story/15/06/08/166207/report-evidence-of-healthcare-breaches-lurks-on-infected-medical-devices

*Evidence that serious and widespread breaches of hospital- and healthcare
networks is likely to be hiding on compromised and infect medical devices in
clinical settings
<https://securityledger.com/2015/06/x-rays-behaving-badly-devices-give-malware-foothold-on-hospital-networks/>,
including medical imaging machines, blood gas analyzers and more, according
to a report by the firm TrapX. In the report, which will be released this
week, the company details incidents of medical devices and management
stations infected with malicious software at three, separate customer
engagements. According to the report, medical devices—in particular
so-called picture archive and communications systems (PACS) radiologic
imaging systems—are all but invisible to security monitoring systems
and provide a ready platform for malware infections to lurk on hospital
networks, and for malicious actors to launch attacks on other, high value IT
assets. Malware at a TrapX customer site spread from a unmonitored PACS
system to a key nurse's workstation. The result: confidential hospital data
was secreted off the network to a server hosted in Guiyang, China.
Communications went out encrypted using port 443 (SSL), resulting in the
leak of an unknown number of patient records. "The medical devices
themselves create far broader exposure to the healthcare institutions than
standard information technology assets," the report concludes. One
contributing factor to the breaches: Windows 2000 is the OS of choice for
"many medical devices." The version that TrapX obtained "did not seem to
have been updated or patched in a long time," the company writes.*


New exploit leaves most Macs vulnerable to permanent backdooring (Dan Goodin)

Monty Solomon <monty@roscom.com>
Sun, 7 Jun 2015 23:33:08 -0400
Hack allows firmware to be rewritten right after older Macs awake from sleep.
Dan Goodin, *Ars Technica*. 1 Jun 2015

Macs older than a year are vulnerable to exploits that remotely overwrite
the firmware that boots up the machine, a feat that allows attackers to
control vulnerable devices from the very first instruction.

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/


Breach in a Federal Computer System Exposes Personnel Data

Monty Solomon <monty@roscom.com>
Fri, 5 Jun 2015 01:50:53 -0400
http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html

The intrusion, which appears to have involved information on about four
million current and former government workers, was the third such breach in
the last year.


Chinese Hackers Behind Breach at Insurers Are Also Responsible for Government Attack

Monty Solomon <monty@roscom.com>
Fri, 5 Jun 2015 01:51:46 -0400
Researchers say it suggests spies are no longer just stealing American
corporate and military trade secrets, but personal information for some
later purpose.
http://www.nytimes.com/2015/06/05/technology/chinese-hackers-behind-breach-at-insurers-are-also-responsible-for-government-attack-researchers-say.html

  [See also
http://www.huffingtonpost.com/2015/06/04/government-data-breach_n_7514620.html
  PGN]


Single Test for All Virus Exposure Opens Doors for Researchers

Monty Solomon <monty@roscom.com>
Thu, 4 Jun 2015 20:12:26 -0400
http://www.nytimes.com/2015/06/05/health/single-blood-test-for-all-virus-exposures.html

It's like one-stop shopping for scientists: a blood test can now show every
virus that has a crossed a person's path, lending insight into disease.


Kaspersky Lab cybersecurity firm is hacked (BBC)

<PGN>
Wed, 10 Jun 2015 18:46:49 +0000
BBC, 10 Jun 2015
http://www.bbc.com/news/technology-33083050

"Kaspersky Lab said it believed the attack was designed to spy on its newest
technologies. It said the intrusion involved up to three previously unknown
techniques."


Consumers Dislike Data-Mining but Feel Helpless to Stop It

Monty Solomon <monty@roscom.com>
Fri, 5 Jun 2015 14:36:32 -0400
Many Americans do not think the trade-off of their data for personalized
services, giveaways or discounts is a fair deal, a University of
Pennsylvania study found.
http://www.nytimes.com/2015/06/05/technology/consumers-conflicted-over-data-mining-policies-report-finds.html


Exclusive: In 'year of Apple Pay', many top retailers remain skeptical

Monty Solomon <monty@roscom.com>
Sun, 7 Jun 2015 23:28:26 -0400
http://www.reuters.com/article/2015/06/05/us-apple-pay-idUSKBN0OL0CM20150605


Lauren's Blog: "Governments of the World Agree: Encryption Must Die!"

Lauren Weinstein <lauren@vortex.com>
Thu, 4 Jun 2015 14:18:52 -0700
            Governments of the World Agree: Encryption Must Die!
                 http://lauren.vortex.com/archive/001104.html

Finally! There's something that apparently virtually all governments around
the world can actually agree upon. Unfortunately, it's on par conceptually
with handing out hydrogen bombs as lottery prizes.

If the drumbeat isn't actually coordinated, it might as well be.  Around the
world, in testimony before national legislatures and in countless interviews
with media, government officials and their surrogates are proclaiming the
immediate need to "do something" about encryption that law enforcement and
other government agencies can't read on demand.

Here in the U.S., it's a nearly constant harangue over on FOX News
(nightmarishly, where most Americans apparently get their "news" these
days). On CNN, it's almost as pervasive (though anti-crypto tirades on CNN
must share space with primetime reruns of a globetrotting celebrity chef and
crime "reality" shows).

It's much the same if you survey media around the world. The names and
officials vary, but the message is the same—it's not just terrorism
that's the enemy, it's encryption itself.

That argument is a direct corollary to governments' decidedly mixed feelings
about social media on the Internet. On one hand, they're ecstatic over the
ability to monitor the public postings of criminal organizations like ISIL
(or ISIS, or Islamic State, or Daesh—just different labels for the same
fanatical lunatics) that sprung forth from the disastrously misguided
policies of Bush 1 and Bush 2 era right-wing neocons—who not only set the
stage for the resurrection of long-suppressed religious rivalries, but
ultimately provided them with billions of dollars worth of U.S. weaponry as
well. Great job there, guys.

Since it's also the typical role of governments to conflate and confuse
issues whenever possible for political advantage, when we dig deeper into
their views on social media and encryption we really go down the rabbit
hole.

While governments love their theoretical ability to track pretty much every
looney who posts publicly on Twitter or Facebook or Google+, governments
simultaneously bemoan the fact that it's possible for uncontrolled
communications—especially international communications—to take place
at all in these contexts.

In particular, it's the ability of radical nutcases overseas to recruit
ignorant (especially so-called "lone wolf") nutcases in other countries that
is said to be of especial concern, notably when these communications
suddenly "go dark" off the public threads and into private, securely
encrypted channels.

"Go dark"—by the way—is now the government code phrase for crypto they
can't read on demand. Dark threads, dark sites, dark links. You get the
idea.

One would be remiss to not admit that these radical recruiting efforts are
of significant concern.

But where governments' analysis breaks down massively is with the direction
of their proposed solutions, which aren't aimed at addressing the root
causes of fanatical religious terrorism, but rather appear almost entirely
based on preventing secure communications—for anybody!—in the first
place.

Naturally they don't phrase this goal in quite those words. Rather, they
continue to push (to blankly nodding politicians, journalists, and cable
anchors) the tired and utterly discredited concept of "key escrow"
cryptography, where governments would have "backdoor" keys to unlock
encrypted communications, supposedly only when absolutely necessary and with
due legal process.

Rewind 20 years or so and it's like "Groundhog Day" all over again, back in
the early to mid 90s when NSA was pushing their "Clipper Chip" hardware
concept for key escrowed encryption, an idea that was mercilessly buried in
relatively short order.

But like a vampire entombed without appropriate rituals, the old key escrow
concepts have returned to the land of the living, all the uglier and more
dangerous after their decades festering in the backrooms of governments.

The hardware Clipper concept dates to a time well before the founding of
Twitter or Facebook, and a few years before Google's arrival. Apple existed
back then, but centralized social media as we know it today wasn't yet even
really a glimmer in anyone's eye.

While governments generally seem to realize that stopping all crypto that
they can't access on demand is not practical, they also realize that the big
social media platforms (of which I've named only a few)—where most users
do most of their social communicating—are the obvious targets for
legislative, political, and other pressures.

And this is why we see governments subtly (and often, not so subtly)
demonizing these firms as being uncooperative or somehow uncaring about
fighting evil, about fighting crime, about fighting terrorism.  How dare
they—authorities repeat as a mantra—implement encryption systems that
governments cannot access at the click of a mouse, or sometimes access at
all under any conditions.

Well, welcome to the 21st century, because the encryption genie isn't going
back into his bottle, no matter how hard you push.

Strong crypto is critical to our communications, to our infrastructures, to
our economies, and increasingly to many other aspects of our lives.

Strong crypto is simply not possible—let's say that once more with
feeling—not possible, given key escrow or other government backdoors
designed into these systems. There is no practical or even theoretically
accepted means for including such mechanisms without fatally weakening the
entire associated encryption ecosystem, and opening it up to all manner of
unauthorized access via hacking and various subversions of the key escrow
process.

But governments just don't seem willing to accept the science and reality of
this, and keep pushing the key escrow meme. It's like the old joke about the
would-be astronaut who wanted to travel to the sun, and when reminded that
he'd burn up, replied that it wasn't a problem, because he'd go at
night. Right.

Notably, just as we had governments who ignored realistic advice and
unleashed the monsters of religious fanatical terrorism, we now have many of
the same governments on the cusp of trying to hobble, undermine, and
decimate the strong encryption systems that are so very vital.

There's every reason to believe that we'd experience a similarly disastrous
outcome in the encryption context as well, especially if social media firms
were required to deploy only weak crypto—putting the vast populations of
innocent users at risk—while driving the bad guys even further
underground and out of view.

If we don't vigorously fight back against government efforts to weaken
encryption, we're all going to be badly burned.


Japanese pension organization phished, 1.25M people's data leaked

chiaki ishikawa <ishikawa@yk.rim.or.jp>
Fri, 05 Jun 2015 13:29:31 +0900
Reading the discussion about "Re: Only 3% of people aced Intel's phishing
quiz", I have to wonder how much we should educate the general public AND
the SYSTEM INTEGRATORS who hire new graduates without much experience in
security matters.

The recent news brought home this issue:
Japanese Pension Service (run by the government)  was attacked by phishing,
and as a result, data for 1.25 million people got leaked according to
news articles in the past few days.

What irked me most, as someone who is in ICT industry and has interest in
security matters, is the comment uttered by a senior official according to
some news articles in different publications. (So I assume it was on a live
interview or something and *is* FOR REAL, to my utter dismay.):

My translation:

"The organization will take more security measures including that the PCs
that handle individual's data cannot access outside Internet, ..."

A PC/terminal that handles the privacy information at Pension Service can
talk to directly to the outside WAN?
I WAS INCREDULOUS INITIALLY.

And this seems to be the case, indeed, and that is how a large amount (maybe
not total) of the leak seems to have occurred. Sigh.

In the aftermath of the revealed incidence, some high government officials
blamed the pension fund for its handling of private data and that a clerk
should not open an attachment to e-mail from outside sources.

But to err is human.

I think such an organization ought to

1. - Use a customized mail client so that the clerk on a PC that handles the
sensitive data can never open an attachment at all: Yes, what I mean is even
if a clerk can click on an attachment or an URL within the main text by
mistake or something, it SHOULD NOT OPEN it at all. (Well, I think mozilla's
mailer is open source, and there are other source mail clients. Customizing
to disable certain operations won't be difficult.  (If a clueless
correspondent sends an attachment, it can be opened in a very very carefully
quarantined a computer running a virtual PC environment, after forwarding to
it)

AND OF COURSE

2. - such PC with sensitive data should not be capable of talking to the
outside Internet directly.

Regarding the second point, the sophistication of the worms means that they
may be able to install a communication proxy on an Internet-capable intranet
PC that relays the communication from the Internet-blocked PC to the
outside world, but a proper filtering at the local PCs or switches ought to
prevent such issues: I looked at Norton Internet security on my PC and I
think it can restrict communication only to a selected few and it can
disable all the inbound communication. So it can thwart the use of proxy,
etc. (And actually, this has been a pain in the neck when I try to use a
Privoxy proxy running on a PC from a linux image running on a different PC).
So it is doable easily today. Of course, we need constant and independent
check of the firewall setting of such locally installed security tool.

Anyway, I really would like to know who DESIGNED the intranet at the Pension
Service so that
we can learn from the mistakes...

I found some English articles about this.

[1]
https://www.itgovernance.co.uk/blog/1-25-million-japanese-pension-records-leaked-following-phishing-attack/
[2]
http://www.tripwire.com/state-of-security/latest-security-news/hackers-steal-over-a-million-japanese-citizens-personal-data-in-targeted-attack/

But these leave some key issues missing and a little misinformed to the
degree of the serious nature of the attack.

Today's Asahi Shimbun newspaper article (online) [in Japanese.]
gives a very detailed good report of what has happened.
http://www.asahi.com/articles/ASH647G88H64UTIL04R.html?iref=comtop_6_01

Usually details remain obscured for this type of incidents, but given the
sloppy work of system integrator(s) at key government services in the past,
I think someone high up in the command of government security matters must
have decided that the detailed explanation would be good to educate the ICT
community to rise up from this shoddy level of awareness.

At least the next time something like this happens, government can sue system
integrators for gross negligence by citing this incident and publicized
method of the attack.

NOW THERE IS ECONOMICAL INCENTIVE on the side of system integrators to make
sure proper security measures is in place.

I suspect this is the only stick that sinks in security lessons.

From the above link of Asahi Shimbun, I have learned the following:

A certaian "Takemura" sent an e-mail using some jargons in the pension
business and explained that he sent some suggestions to the procedure at the
organization and this made the recipient to believe that the sender is well
versed in pension matters.

Now, according to the article, the clerk clicked on the URL at the end of
the e-mail (ok, so no attachment is involved this time around, but a mere
URL clicking.)  [At least my suggestion above would block this operation.]
This caused a download of malware with 0-day attack !  It collected ID of
the user on the PC, etc.  Also, this malware subsequently downloaded a bot
software.

There was a trace that this malware created clones so that even if one is
eradicated, the others would remain, and it seems that tried to connect to
other PCs on the LAN.

Within less than 5 hours of the contamination, the Pension Service was
notified of strange network activity of the PC by NISC (National Information
Security Center), and pulled the plug.

This was on May 8th.

10 days later, in two-minute intervals, about 100 phishing e-mails arrived
at addresses within the organization, including some which were never
publicized outside before, with virus attachment and now the "From:" address
shown was that of an INTERNAL address (!). But the originating IP address
was the same of the initial attack. [Obviously some clever attack is being
waged.]  I have no idea whether the e-mail from the originating IP address
was blocked or not.

Anyway, on May 21, two PCs in the same office were found to be communicating
with external IP addresses. Surprise. One is the "replacement PC" of the
clerk whose PC was pulled off the network (!?)  On May 23, 9 more PCs in a
different office (now in Tokyo) were found to be doing the same.

The rest is history.

At least the newspaper article stated the forensics has only determined how
the initial PC and the two PCs found on May 21 were attacked and hijacked.
It is not known how others got infected.

Current Japanese administration is trying to introduce a single numeric ID
for each citizen in Japan for efficient administrative process ala SS number
in USA.

In the face of this breach, it is hard to sell such a policy now.  Too easy
target for ID theft, etc. unless proper security measures and the preventive
measures for limiting the damage of ID theft are in place.

At least, I hope that there will be more scrutiny on the security design of
the computer systems.

P.S. I suspect this phishing is a part of well orchestrated attacks by an
organized crime or something.  News articles report the police seems to have
found a part of the leaked data on a data servers used by previous phishing
attacks (which I assume they have been monitoring for illegal activities).


Twitter Advertisers Can Now Target You Based on the Other Phone Apps

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Jun 2015 22:27:53 -0700
http://recode.net/2015/06/10/twitter-advertisers-can-now-target-you-based-on-the-other-apps-on-your-phone/

  For the past six months, Twitter has been collecting data on which
  smartphone apps its users download. Now, the company is using that data to
  make some money. Twitter announced on Wednesday that its advertisers can
  use that app information to target users with ads.  Marketers will be able
  to target you based on the different categories of apps you have
  downloaded onto your phone as well as how recently you downloaded them.

I'm incredibly disappointed in the direction Twitter has been taking.  I
understand why they've felt they need to go in this direction, but that's
not an excuse. They're spamming like mad, and now this.  Unacceptable, and
why I hardly use Twitter any more.


Re: "NOBUS can shoot ourselves in the foot like this" (RISKS-28.67)

Chris Drewe <e767pmk@yahoo.co.uk>
Wed, 10 Jun 2015 15:10:17 +0100
As it happens, there's a review in this weekend's newspaper of a book 'The
New Spymasters' by Stephen Grey (Viking) which makes a similar point.
http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html

In summary it says:

  Langley was far too reliant on technology (or SIGINT), preferring to amass
  vast amounts of data on suspected terrorists with few credible human
  sources to corroborate it.  As Grey observes: “All this scientific
  espionage was bewitching. Cool gadgets and smart techniques inspired awe
  and a confidence that was comparable to religious zeal.'' ...  What was
  missing from the American approach, in the author's view, was good,
  old-fashioned HUMINT. “Human spies can be terribly frail and unreliable,
  but without any element of understanding and verification through human
  intelligence, and without basic common sense, terrible errors are bound to
  follow.''

There's some debate here in the UK right now (following the recent election)
on what surveillance powers the authorities should have; as usual, there's a
hard sell for the idea that if they can't "collect it all" then we'll all be
blown up by terrorists, but personally I'm more afraid of the country
becoming like 1970s East Germany.

  Charles Cumming, What's the point of spies?

  A new book about spying argues that modern digital surveillance is no
  substitute for old-fashioned espionage
  http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html
     [Long item truncated for RISKS.  PGN]


Re: Volvo has an accident, but not the one you thought (Reisert)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 05 Jun 2015
Jim Reisert pointed to a fusion.net article in Risks 28.66 on someone
experimenting with a Volvo inadvisedly. Andrew Pam pointed out some of the
real context in Risks 28.67.

I searched for articles on the incident. There are a few, but many are
derivative. I summarised what I found in
http://www.abnormaldistribution.org/2015/06/05/volvo-has-an-accident/ , and
commented.

There has to be some lesson in someone trying out a protective function, on
live people, with which the car was not equipped. There has to be some
lesson in trying out any protective function on live people. There has to be
some lesson in conducting the trial in such a way that the protective
function would have been suppressed. And there has to be some lesson in
conducting this trial without informing oneself about the capabilities of
the vehicle or taking elementary safety precautions in case things go wrong.

This last, BTW, is also a problem for professionals. There are incidents of
professional pilots conducting return-to-service tests on commercial
aircraft ... and of auguring in because they were assuming the tests would
succeed and they didn't! The main lesson is to remember that functional
tests can always have at least two outcomes: pass and fail.

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com


Re: EU wants to kill open Wi-Fi (Weinstein, Risks 28.67)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 05 Jun 2015 13:01:02 +0200
Lauren Weinstein writes misleadingly about German law and Wi-Fi networks in
RISKS-28.67.

He says "...the Court of Justice of the European Union ..... is asked
whether an enforcement practice requiring open wireless networks to be
locked is an acceptable one. Germany's Federal Supreme Court in 2010 held
that the private operator of a wireless network is obliged to use password
protection in order to prevent abuse by third parties....."

Let me set the record straight.

There is no such requirement and no such obligation in Germany (or anywhere
else I know).

The CJEU has been asked by a lawyer with Pinsent Masons to rule on whether
operators of unsecured Wi-Fi networks can be held liable for copyright
infringement conducted using their networks.

http://www.out-law.com/en/articles/2014/november/cjeu-asked-to-rule-on-copyright-liability-of-operators-of-free-and-open-wi-fi-networks-/

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com


Re: You Can Be Prosecuted for Clearing Your Browser History (R-28.67)

Henry Baker <hbaker1@pipeline.com>
Thu, 04 Jun 2015 21:39:43 -0700
FYI—Hmmm...  Not a single Wall Street banker has faced jail time due to
their part in almost bankrupting the country (and the world), yet we're
using the *Sarbanes-Oxley Act* !?!, a law aimed at financial wrongdoing
enacted by Congress in the wake of the Enron scandal, to prosecute
non-financial crimes?

Remind me again which Constitution is supposed to be in effect in the U.S. ?


Re: House of Discards: Wikipedia pre-election edits (Ladkin)

Henry Baker <hbaker1@pipeline.com>
Fri, 05 Jun 2015 10:25:17 -0700
> It's only one sentence; he doesn't justify the connection he makes and I
> don't see one.

Two words: "Dennis Hastert".

Dennis Hastert was 3rd in line to be President, and presided over a lot of
legislation regarding sexual harassment (and worse).

Due to wikipedia (& other) edits, "right-to-be-forgotten" countries will now
be electing their own Dennis Hasterts.

Those who are ready to forget the past shouldn't be surprised when the past
repeats itself.

Once again, "right-to-be-forgotten" is incompatible with democratic
representative government.  Yes, remembering past mistakes is painful, but
the alternative (totalitarian govt) is far, far worse.


REVIEW - "The Florentine Deception", Carey Nachenberg

Rob Slade <rmslade@shaw.ca>
Wed, 10 Jun 2015 09:06:33 -0800
BKFLODEC.RVW   20150609

"The Florentine Deception", Carey Nachenberg, 2015, 978-1-5040-0924-9,
U$13.49/C$18.91
%A   Carey Nachenberg http://florentinedeception.com
%C   345 Hudson Street, New York, NY   10014
%D   2015
%G   978-1-5040-0924-9 150400924X
%I   Open Road Distribution
%O   U$13.49/C$18.91 www.openroadmedia.com
%O  http://www.amazon.com/exec/obidos/ASIN/150400924X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/150400924X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/150400924X/robsladesin03-20
%O   Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   321 p.
%T   "The Florentine Deception"

It gets depressing, after a while.  When you review a bunch of books on the
basis of the quality of the technical information, books of fiction are
disappointing.  No author seems interested in making sure that the
technology is in any way realistic.  For every John Camp, who pays attention
to the facts, there are a dozen Dan Browns who just make it up as they go
along.  For every Toni Dwiggins, who knows what she is talking about, there
are a hundred who don't.

So, when someone like Carey Nachenberg, who actually works in malware
research, decides to write a story using malicious software as a major plot
device, you have to be interested.  (And besides, both Mikko Hypponen and
Eugene Spafford, who know what they are talking about, say it is technically
accurate.)

I will definitely grant that the overall "attack" is technically sound.  The
forensics and anti-forensics makes sense.  I can even see young geeks with
more dollars than sense continuing to play "Nancy Drew" in the face of
mounting odds and attackers.  That a vulnerability can continue to go
undetected for more than a decade would ordinarily raise a red flag, but
Nachenberg's premise is realistic (especially since I know of a
vulnerability at that very company that went unfixed for seven years after
they had been warned about it).  That a geek goes rock-climbing with a
supermodel we can put down to poetic license (although it may increase the
license rates).  I can't find any flaws in the denouement.

But.  I *cannot* believe that, in this day and age, *anyone* with a
background in malware research would knowingly stick a thumb/jump/flash/USB
drive labeled "Florentine Controller" into his, her, or its computer.  (This
really isn't an objection: it would only take a couple of pages to have
someone run up a test to make sure the thing was safe, but ...)

Other than that, it's a joy to read.  It's a decent thriller, with some
breaks to make it relaxing rather than exhausting (too much "one damn thing
after another" gets tiring), good dialog, and sympathetic characters.  The
fact that you can trust the technology aids in the "willing suspension of
disbelief."

While it doesn't make any difference to the quality of the book, I should
mention that Carey is donating all author profits from sales of the book to
charity: http://florentinedeception.weebly.com/charities.html

copyright, Robert M. Slade   2015   BKFLODEC.RVW   20150609
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links

Please report problems with the web pages to the maintainer

Top