The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 76

Wednesday 8 July 2015

Contents

Modal design leads to death of Marine
Steve Golson
Man killed by a factory robot in Germany; human error blamed
Ars via Richard I Cook
TransAsia flight: Shutdown Wrong Engine!
PGN
NYSE troubles predicted
Alister Wm Macintyre
"Technical issues" @ NYSE, UA, other places
Alister Wm Macintyre
United grounded
PGN
Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes
WiReD
Why back doors are a bad idea
PGN
More on Keys Under Doormats
PGN
Senate Judiciary "Going Dark" site is untrusted!
Henry Baker
FBI, Justice Dept. Take Encryption Concerns to Congress
Privacy
Hackers take over German missile battery in Turkey
Mark Thorson
Screen Addiction Is Taking a Toll on Children
NYTimes
Senior Tech: A Tablet for Aging Hands Falls Short
NYTimes
Facing a Selfie Election, Presidential Hopefuls Grin and Bear It
NYTimes
Days of Our Digital Lives
NYTimes
Chicago's 'cloud tax' makes Netflix and other streaming services more expensive
The Verge
Cyber "Deterrence" considered harmful & mad
Henry Baker
NZ Harmful Digital Communications Bill
Richard A. O'Keefe
Some heads-up to consider for RISKS
found at Slashdot
Early adopters of Apple Music find playlists, album art, and metadata corrupted
mike
"OpenSSL tells users to prepare for a high severity flaw"
Lucian Constantin
Senate advances secret plan forcing Internet services to report terror activity
Ars
Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting
Kyle Newport
Re: Windows 10 will share your Wi-Fi key with your friends' friends
Bob Frankston
Leap Second Causes Sporadic Outages Across the Internet
Cade Metz
Re: "Leap Second Problem" and "Growing opposition to the Leap Second"
David E. Ross
Re: DVD drive in PC fire hazard
Henry Baker
Re: Overcoming Information Overload
Mark E. Smith
Info on RISKS (comp.risks)

Modal design leads to death of Marine

Steve Golson <sgolson@trilobyte.com>
Thu, 02 Jul 2015 10:56:39 -0400
Marine Corps MV-22 Osprey tilt-rotor attempted to take off while in
maintenance mode, which reduces power by 20%. One crew member was lost at
sea.
http://www.sandiegouniontribune.com/news/2015/jun/30/osprey-crash-at-sea-command-investigation/

  The aircraft controls didn't warn them they were about to take off in
  maintenance mode, nor did their flight manuals explain the dangers.

  After starting the engines, the pilots thought it odd that both hung up
  for about 15 seconds before spooling normally. They also discussed the
  fact that the exhaust deflector was set to ON instead of AUTO as
  usual. But the aircraft seemed fine otherwise, so they assumed a harmless
  software update was to blame.

RISK 1: not knowing what mode your system is in

RISK 2: assuming something unusual is due to "a harmless software update"


Man killed by a factory robot in Germany; human error blamed

Richard I Cook MD <ricookmd@gmail.com>
Thu, 2 Jul 2015 08:45:49 +0200
http://arstechnica.com/business/2015/07/man-killed-by-a-factory-robot-in-germany/

On Wednesday, Volkswagen said that a 22-year-old external contractor for the
company had been killed by a robot at a production factory in Baunatal,
Germany. Heiko Hillwig, a VW spokesperson speaking to the AP about the
incident, said that the robot grabbed the worker and crushed him against a
metal plate. The worker died later at a nearby hospital due to complications
from his injuries.
<http://hosted.ap.org/dynamic/stories/E/EU_GERMANY_ROBOT_KILLING?SITE=TXWIC&SECTION=HOME&TEMPLATE=DEFAULT>

Hillwig told the AP, “initial conclusions indicate that human error was to
blame.'' He added that the contractor was helping set up the robot and was
inside the metal safety cage that usually separates personnel from the
metal-manipulating robots. Another worker was present when the incident
occurred, but because he was behind the barrier, he was unharmed. Ars has
reached out to Volkswagen but has not yet received a response.

According to the Financial Times “A Volkswagen spokesman stressed that the
robot was not one of the new generation of lightweight collaborative robots
that work side-by-side with workers on the production line and forgo safety
cages.''
http://www.ft.com/intl/fastft/353721/worker-killed-volkswagen-robot-accident

German newspaper HNA reported that the robot in question is used to build
electric engines for Volkswagen, and the FT noted rather bleakly that the
robot suffered no damage in the accident.

No further details were given by Volkswagen because prosecutors have
launched an investigation into the incident.

The story gained some morbid attention earlier today when a Financial Times
employment reporter named Sarah O'Connor tweeted the story, not realizing
the connection between her name and character who has a similar name (Sarah
Connor) in the Terminator series. Her tweet was retweeted more than 3,500
times <https://twitter.com/sarahoconnor_/status/616282747200479232> and she
received an influx of messages making jokes about the news. “Feeling really
uncomfortable about this inadvertent Twitter thing I seem to have kicked
off,'' she tweeted later today. "Somebody died. Let's not forget.''


TransAsia flight: Shutdown Wrong Engine!

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 2 Jul 2015 22:11:08 PDT
Interim report on the ATR Crash in Taipei in Feb 2015 finally published: On
4 Feb 2015, TransAsia Airways flight GE 235, an ATR72-600, registration
B-22816, took off from Taipei Songshan Airport for Kinmen, Taiwan.
http://www.asc.gov.tw/main_en/docaccident.aspx?uid43&pid)6&acd_no1

Evidently one of the two engines failed, the Captain accidentally shut down
the working one. He was heard to say on the CVR: “Wow, pulled back the wrong
side throttle.''

That failure mode should be familiar to long-time RISKS readers!


NYSE troubles predicted

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Wed, 8 Jul 2015 17:40:54 -0500
NYSE suspended trading for approx 4 hours Wed July-8 starting 11.30 am due
to a "technical issue" not yet explained.  DHS says there is no evidence of
cyber mischief, but then we remember when there was that in the past, it
took them 2 years to figure out what happened.  Anonymous sent a note late
Tues nite about anticipating a problem at NYSE for Wednesday. How often are
there notes like this? A coincidence?

http://www.msn.com/en-us/news/itinsider/anonymous-issued-cryptic-tweet-on-eve-of-nyse-suspension/ar-AAcIPjz?ocid=iehpo


"Technical issues" @ NYSE, UA, other places

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Wed, 8 Jul 2015 18:09:41 -0500
11.32 am Wed July-8 NYSE went down for "technical issues", officially not
believed related to cyber mischief.

WSJ went down at about the same time; I have not yet seen an explanation.

United Airlines got grounded a few hours earlier because of a "network
connectivity issue."

By 1.30 pm, WSJ was back in business.
3.10 pm NYSE was back in operation.

http://www.msn.com/en-us/news/us/nyse-resumes-trading/ar-AAcIGgj?ocid=iehp

Before the facts come out about any incident, "Technical Issues" is what the
general  public is usually told.

When the SONY Breach chaos began, Nov-24, the official line was an "IT
problem."

Top executives at SONY had been told on Nov-21 by the perpetrators that this
was coming, if they did not comply with the perpetrator demands, so Nov-24
may have been a shock to SONY management, but not really a surprise.
Several people had warned the CEO, months in advance, that The Interview
would lead to North Korea hacking them, but their reaction to this news was
merely to edit the trailer to be less offensive to NK, until the movie
actually came out.

For lots of gory details on SONY behind the scenes, see the cover story of
July-1 Fortune magazine.


United grounded

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 8 Jul 2015 11:45:29 PDT
http://www.komonews.com/news/national/FAA-All-US-United-Continental-flights-grounded-312486921.html

http://www.washingtonpost.com/business/economy/nyse-trading-has-been-halted/2015/07/08/46b51974-2588-11e5-b72c-2b7d516e1e0e_story.html

CNN has officially called it a set of unrelated `whacky technical problems'.

http://www.theguardian.com/business/live/2015/jul/08/new-york-stock-exchange-wall-street


Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes (WiReD)

"Dave Farber" <dave@farber.net>
Thu, 9 Jul 2015 11:03:59 +1200
http://www.wired.com/2015/07/cyberarmageddon-upon-us-3-glitches-today-saying-yes/?mbid=nl_7815


Why back doors are a bad idea

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 7 Jul 2015 22:26:07 PDT
http://takingnote.blogs.nytimes.com/2015/07/07/why-a-back-door-to-the-internet-is-a-bad-idea/


More on Keys Under Doormats

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 7 Jul 2015 22:31:43 PDT
    [There were a few errors in the MIT archival URL.  A Corrected copy is at
       www.crypto.com/papers/Keys_Under_Doormats_FINAL.pdf
    thanks to Matt Blaze.  PGN]

http://www.theguardian.com/world/2015/jul/07/uk-and-us-demands-to-access-encrypted-data-are-unprincipled-and-unworkable

Nicole Perlroth in the Wednesday print edition:
http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-british-government-access-to-encrypted-communication.html

http://www.wsj.com/articles/technology-experts-hit-back-at-fbi-on-encryption-1436316464


Senate Judiciary "Going Dark" site is untrusted!

Henry Baker <hbaker1@pipeline.com>
Wed, 08 Jul 2015 08:15:46 -0700
The Senate Judiciary Committee is holding "Going Dark" hearings today, but
their own HTTPS web site is "Untrusted" by Firefox!

Isn't this the very definition of "delicious irony"?

"This Connection is Untrusted"

"You have asked Firefox to connect securely to www.judiciary.senate.gov, but
we can't confirm that your connection is secure."

"Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place.  However,
this site's identity can't be verified."

"What Should I Do?"
"If you usually connect to this site without problems, this error could mean
that someone is trying to impersonate the site, and you shouldn't continue."

Cody M. Poplin, 8 Jul 2015
http://www.lawfareblog.com/live-senate-hearings-going-dark
Live: Senate Hearings on "Going Dark"


FBI, Justice Dept. Take Encryption Concerns to Congress

PRIVACY Forum mailing list <privacy@vortex.com>
Wed, 8 Jul 2015 09:35:15 -0700
http://www.nytimes.com/aponline/2015/07/08/us/politics/ap-us-fbi-encryption.html

  Vermont Sen. Patrick Leahy, the panel's senior Democrat, expressed
  wariness about facilitating law enforcement's access to encrypted
  material, saying he wasn't sure how much that would help.  "Strong
  encryption would still be available from foreign providers," Leahy said.
  "Some say that any competent Internet user would be able to download
  strong encryption technology, or install an app allowing encrypted
  communications—regardless of restrictions on American businesses."


Hackers take over German missile battery in Turkey

Mark Thorson <eee@sonic.net>
Wed, 8 Jul 2015 12:49:36 -0700
Ridiculous that this should even be possible.
The missile battery is not on the Internet, is it?

http://www.thelocal.de/20150707/german-missiles-taken-over-by-hackers


Screen Addiction Is Taking a Toll on Children (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 7 Jul 2015 08:38:56 -0400
American youths are plugged in and tuned out of the real world for many more
hours of the day than experts consider healthy for normal development.
http://well.blogs.nytimes.com/2015/07/06/screen-addiction-is-taking-a-toll-on-children/


Senior Tech: A Tablet for Aging Hands Falls Short

Monty Solomon <monty@roscom.com>
Sun, 5 Jul 2015 10:44:26 -0400
http://well.blogs.nytimes.com/2015/06/30/senior-tech-a-tablet-for-aging-hands-fall-short/

The AARP RealPad promises “no confusion and no frustration'' for older
adults. Starting with the on button, it delivers the opposite.


Facing a Selfie Election, Presidential Hopefuls Grin and Bear It

Monty Solomon <monty@roscom.com>
Sat, 4 Jul 2015 19:44:04 -0400
http://www.nytimes.com/2015/07/05/us/politics/facing-a-selfie-election-presidential-hopefuls-grin-and-bear-it.html

The Selfie Election
http://nyti.ms/1NE67AX


Days of Our Digital Lives (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 4 Jul 2015 22:34:46 -0400
http://www.nytimes.com/2015/07/05/opinion/sunday/seth-stephens-davidowitz-days-of-our-digital-lives.html

Minute by minute, just what are we searching for?


Chicago's 'cloud tax' makes Netflix and other streaming services more expensive (The Verge)

Lauren Weinstein <lauren@vortex.com>
Wed, 1 Jul 2015 23:01:29 -0700
*The Verge* via NNSquad
http://www.theverge.com/2015/7/1/8876817/chicago-cloud-tax-online-streaming-sales-netflix-spotify

  Today, a new "cloud tax" takes effect in the city of Chicago, targeting
  online databases and streaming entertainment services. It's a puzzling
  tax, cutting against many of the basic assumptions of the web, but the
  broader implications could be even more unsettling. Cloud services are
  built to be universal: Netflix works the same anywhere in the US, and
  except for rights constraints, you could extend that to the entire
  world. But many taxes are local—and as streaming services swallow up
  more and more of the world's entertainment, that could be a serious
  problem.


Cyber "Deterrence" considered harmful & mad

Henry Baker <hbaker1@pipeline.com>
Tue, 07 Jul 2015 09:14:01 -0700
The U.S. seems intent on doubling down on the inappropriate application of
nuclear deterrence theory to "cyber deterrence".

The concept of nuclear deterrence depends upon the concept of "mutually
assured destruction" (MAD).  No destruction, no assured, no mutual, no
deterrence.  *Cyber deterrence is a contradiction in terms; there is no
deterrence in cyberspace.*

The U.S. has done its part in guaranteeing the "mutual" part; the U.S. has
left itself wide open to "cyber" attack, because it has no defenses.  As
Adm. Winnefeld admits, the U.S.--with the largest collection of
sophisticated networks--has far more to lose than anyone else.

Deterrence is a feedback system; the signaling has to go both ways.  But if
the signaling is ignored, the feedback is useless.  It is the equivalent of
adjusting a thermostat that isn't connected to the air conditioning system.

As has been stated many times before, appropriate destruction requires
proper attribution, but in the "cyber" case, attribution remains highly
dubious.  Hitting back at the wrong target will simply create more enemies.

The time has come for computer scientists to speak up against the whole
concept of "cyber deterrence", because it is ineffective and dangerous.
Because it is ineffective, no one is going to be deterred, and therefore any
reliance on "deterrence" instead of defense will encourage rather than
discourage such an attack.

WWI started as a result of inappropriate signaling among the Great Powers
in 1914.  Let's not repeat this mistake in the 21st Century.

https://en.wikipedia.org/wiki/Deterrence_theory
https://en.wikipedia.org/wiki/World_War_I

37-minute talk by Adm. James Winnefeld regarding, among other things, "cyber
deterrence".

https://www.youtube.com/watch?v=j9cFHYHMQcY

ADM James A. Winnefeld, Vice Chairman of the Joint Chiefs of Staff at the
Army Cyber Institute May 14, 2015.


NZ Harmful Digital Communications Bill

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Thu, 2 Jul 2015 18:41:25 +1200
We've all experienced or heard stories about cyberbullying
and the like.  My own daughter has had nastygrams and death
threats through electronic media.  There are risks of doing
nothing, and risks of over-reacting.  I heard today that
New Zealand's "Harmful Digital Communications Bill" passed
at the end of last month.

http://parliamenttoday.co.nz/2015/06/harmful-digital-communications-bill-passes/

Metadata:

http://www.parliament.nz/en-nz/pb/legislation/bills/00DBHOH_BILL12843_1/harmful-digital-communications-bill
Text:
http://legislation.govt.nz/bill/government/2013/0168/latest/whole.html

This has been in the works for several years.
It has been officially reviewed for consistency with our Bill
of Rights Act (BORA), and found acceptable.

(http://www.justice.govt.nz/policy/constitutional-law-and-human-rights/human-rights/bill-of-rights/harmful-digital-communications-bill)

However, it's still controversial, although the hooraw about
changing the flag has distracted attention from it.
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid473451

There must be some people reading comp.risks who could comment on this
more competently than I, but here are some things I notice.

"digital communication
 (a) means any form of electronic communication; and
 (b) includes any text message, writing, photograph, picture, recording,
or other matter that is communicated electronically."

So anything said over a landline phone, CB radio, amateur, or
marine radio counts as "digital communication" even if it is all
analogue.  Wouldn't "electronic communication" have done?

"The purpose of this Act is to
 (a)  deter, prevent, and mitigate harm caused to individuals by digital
communications; and
 (b)  provide victims of harmful digital communications with a quick and
efficient means of redress."

However, "harm means serious emotional distress" and
"posts a digital communication [means]
 (a) means transfers, sends, posts, publishes, disseminates, or
     otherwise communicates by means of a digital communication
   (i) any information, whether truthful or untruthful, about the
       victim; or
   (ii) an intimate visual recording of another individual; and
 (b) includes an attempt to do anything referred to in paragraph (a)
so it would seem that a mobile phone service that transfers a message
from one person to another might be covered by "transfer".  Deciding
what to do about "hosts" and trying to get it right apparently caused
a lot of trouble in drafting.  They clearly didn't *intend* ISPs or
phone companies to be affected, provided there's a straightforward
complaints process.

Truthfulness is not an issue?  If Miss A says to Miss B, "stay away from Mr
C, he put his last girlfriend in the hospital", and Mr C says this hurt his
feelings, Miss A could be facing up to NZD 50,000 in fines or 2 years in
prison, *even if it is true*.

Thinking from a computing perspective, we already have laws about
defamation, and we can't expect what seems like haphazard patching to
produce anything but buggy consequences.  Several other acts are amended by
this one, and again, programming has me wondering about the ability of the
"Legislation IDE" to find *all* the legislation that needs patching.

There are 10 principles.

1. A digital communication should not disclose sensitive
   personal facts about an individual.
2. A digital communication should not be threatening,
   intimidating, or menacing.
3. A digital communication should not be grossly offensive
   to a reasonable person in the position of the affected
   individual.
4. A digital communication should not be indecent or obscene.
5. A digital communication should not be used to harass an
   individual.
6. A digital communication should not make a false allegation.
7. A digital communication should not contain a matter that is
   published in breach of confidence.
8. A digital communication should not incite or encourage
   anyone to send a message to an individual for the purpose
   of causing harm to the individual.
9. A digital communication should not incite or encourage
   an individual to commit suicide.
10. A digital communication should not denigrate an
   individual by reason of his or her colour, race, ethnic
   or national origin, religion, gender, sexual orientation,
   or disability.

So *if* I were to tell you that my dog is so smart she has a degree from
MIT, principle 6 would get me.

It just occurred to me that I'm on the SumOfUs.org mailing list, and have
signed a lot of their petitions.  If a board member of [name your favourite
predatory company] should claim to have suffered "serious emotional
distress" as a result of receiving one of these petitions, principle 5 might
or might not get me, but principle 8 would certainly get SumOfUs.org, should
they ever be subject to NZ law.

There are oddball features, like someone is to be appointed to be or run an
Approved Agency for dealing with complaints under the Act, but "is not to be
regarded as being employed in the service of the Crown..."

Much of the Act is administrative, but a District Court (which typically
deals with things like minor assault, unpaid fines, &c) may make orders
(paraphrased):
 - to take down or disable material
 - to tell people to stop doing whatever they've been doing
 - to order a correction to be published
 - to give a right of reply to the affected individual
 - to demand an apology.

It also creates an offence: basically, deliberately posting material that
does harm to someone and could have been expected to.

An order to take material down because it upsets someone comes, or could
come, quite close to the right to be forgotten.


Some heads-up to consider for RISKS (found at Slashdot)

Werner U <werneru@gmail.com>
Sat, 4 Jul 2015 00:04:09 +0200
 *Windows 10 Shares Your Wi-Fi Password With Contacts*
tech.slashdot.org/story/15/07/01/2121252/windows-10-shares-your-wi-fi-password-with-contacts?sbsrc=md

(July 1, Slashdot)  *The Register reports that Windows 10 will include,
defaulted on, "Wi-Fi Sense
<http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/>" which
shares wifi passwords with Outlook.com contacts, Skype contacts and, with
an opt-in, Facebook friends. This involves Microsoft storing the wifi
passwords entered into your laptop which can then be used by any other
person suitably connected to you. If you don't want someone's Windows 10
passing on your password, Microsoft has two solutions; only share passwords
using their Wi-Fi Sense service, or by adding "_optout" to your SSID.*

 *Senator Demands Answers on FBI's Use of Zero Days, Phishing*
threatpost.com/senator-demands-answers-on-fbis-use-of-zero-days-phishing/113593

(July 2, Threatpost) Sen. Charles Grassley (R-Iowa), chairman of the
powerful Senate Judiciary Committee, has sent a letter to FBI Director James
Comey asking some pointed questions about the bureau's use of zero-day
vulnerabilities, phishing attacks, spyware, and other controversial tools (a
list of highly specific questions about the way the FBI uses remote
exploitation capabilities and spyware tools). The letter
<https://www.grassley.senate.gov/sites/default/files/judiciary/upload/FBI%2C%2006-12-15%2C%20use%20of%20spyware%20letter.pdf>
is related to a current effort by the Department of Justice to get more
leeway in the way that its agencies use spyware tools in criminal
investigations.

 *Government Illegally Spied On Amnesty International*
yro.slashdot.org/story/15/07/02/2053222/uk-government-illegally-spied-on-amnesty-international

(July 2, Slashdot)
*A court has revealed that the UK intelligence agency, GCHQ, illegally
spied on human rights organization Amnesty International
<http://amnesty.org.uk/press-releases/surveillance-uk-government-spied-on-amnesty-international#.VZRD7VrIjak.twitter>.
It is an allegation that the agency had previously denied, but an email
from the Investigatory Powers Tribunal backtracked on a judgment made in
June which said no such spying had taken place.   The email was sent to
Amnesty International yesterday, and while it conceded that the
organization was indeed the subject of surveillance
<http://betanews.com/2015/07/02/uk-government-illegally-spied-on-amnesty-international/>,
no explanation has been offered. It is now clear that, for some reason,
communications by Amnesty International were illegally intercepted, stored,
and examined. What is not clear is when the spying happened, what data was
collected and, more importantly, why it happened.*

 *Samsung Faces Lawsuit In China Over Smartphone Bloatware*
tech.slashdot.org/story/15/07/03/1424207/samsung-faces-lawsuit-in-china-over-smartphone-bloatware

*(July 3, Slashdot)  Samsung is being sued in China for installing too many
apps onto its smartphones
<http://www.shanghaidaily.com/metro/society/Samsung-Oppo-facing-landmark-lawsuits-over-preinstalled-apps/shdaily.shtml>.
The Shanghai Consumer Rights Protection Commission is also suing Chinese
vendor Oppo, demanding that the industry do more to rein in bloatware
<http://thestack.com/samsung-oppo-lawsuit-smartphone-bloatware-030715>. The
group said complaints are on the rise from smartphone users who are
frustrated that these apps take up too much storage and download data
without the user being aware. Out of a study of 20 smartphones, Samsung and
Oppo were found to be the worst culprits. A model of Samsung's Galaxy Note
3 contained 44 pre-installed apps that could not be removed from the
device, while Oppo's X9007 phone had 71.*

 *Firefox 39 Released, Bringing Security Improvements and Social Sharing*
news.slashdot.org/story/15/07/03/1426226/firefox-39-released-bringing-security-improvements-and-social-sharing

(July 3, Slashdot)  *Today Mozilla announced the release of Firefox 39.0
<https://blog.mozilla.org/blog/2015/07/02/new-sharing-features-in-firefox/>,
which brings a number of minor improvements to the open source browser.
(Full release notes
<https://www.mozilla.org/en-US/firefox/39.0/releasenotes/>.) They've
integrated Firefox Share with Firefox Hello, which means that users will be
able to open video calls through links sent over social media. Internally,
the browser dropped support for the insecure SSLv3
<http://it.slashdot.org/story/14/10/15/000239/google-finds-vulnerability-in-ssl-30-web-encryption>
and disabled use of RC4
<http://yro.slashdot.org/story/13/03/14/1839239/cryptographers-break-commonly-used-rc4-cipher>
except where explicitly whitelisted. The SafeBrowsing malware detection now
works for downloads on OS X and Linux. (Full list of security changes:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39)
The Mac OS X version of Firefox is now running Project Silk
<https://hacks.mozilla.org/2015/01/project-silk/>, which makes animations
and scrolling noticeably smoother. Developers now have access to the
powerful Fetch API
<https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API>, which should
provide a better interface for grabbing things over a network.*
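The Firefox 39 item above (SSLv3 refused, RC4 disabled) and Henry Baker's earlier note about Firefox refusing an unverifiable site identity describe browser-side TLS policy. The following is an added example, not code from any of the posts or from Mozilla, showing the same policy expressed for a Python client with the standard `ssl` module, plus two small checks that the policy actually took effect on the local OpenSSL build. The cipher string is my choice; nothing on the page prescribes it.

```python
# Added example: a client TLS context that mirrors the Firefox 39 policy
# described above (no SSLv3, no RC4) and requires a verifiable server
# identity. Uses only the standard library; the cipher string is an assumption.
import ssl


def hardened_client_context():
    """Client context: verified certificates and hostnames, TLS 1.2+, no RC4/MD5."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname,
    # which is the behaviour that produced the "Connection is Untrusted" page.
    ctx = ssl.create_default_context()
    # Refuse SSLv3 (and the also-obsolete TLS 1.0/1.1) outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Keep only strong suites; "!RC4" and "!MD5" remove the weak ones,
    # "!aNULL" removes anonymous (unauthenticated) key exchange.
    ctx.set_ciphers("HIGH:!aNULL:!RC4:!MD5")
    return ctx


def weak_suites(ctx):
    """Names of enabled cipher suites that still use RC4 or MD5; expect []."""
    return [c["name"] for c in ctx.get_ciphers()
            if "RC4" in c["name"] or "MD5" in c["name"]]


def allows_sslv3(ctx):
    """True if the context would still negotiate SSLv3."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def requires_verified_identity(ctx):
    """True if an unverifiable certificate or hostname mismatch aborts the handshake."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("weak suites enabled:", weak_suites(ctx))
    print("SSLv3 allowed:", allows_sslv3(ctx))
    print("identity verification required:", requires_verified_identity(ctx))
```

Wrap a socket with `ctx.wrap_socket(sock, server_hostname=host)` to use the context; a server presenting a certificate the local trust store cannot validate fails the handshake with `ssl.SSLCertVerificationError`, which is the programmatic counterpart of the browser warning quoted above.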


Early adopters of Apple Music find playlists, album art, and metadata corrupted

mike <mike1234z@hotmail.com>
Tue, 7 Jul 2015 10:47:18 -0600
One risk of jumping onto a new product release is the possibility of side
effects that damage or destroy your data—as some Apple Music enrollees
are discovering.  On the Apple discussion forum and elsewhere users are
complaining that thru some unexplained mechanism their existing playlists
and album art are being corrupted by Apple Music.  Playlists that have taken
hours to compile become useless.  Also there are reports that user meta-data
describing the song (genre, artist, notes, etc.) is replaced by meta-data
from Apple music.  See https://discussions.apple.com/thread/7104745


"OpenSSL tells users to prepare for a high severity flaw" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 07 Jul 2015 12:56:36 -0700
Lucian Constantin. InfoWorld,  7 Jul 2015
Patches will be released on July 9 for a high severity vulnerability
in OpenSSL's widely used cryptographic library
http://www.infoworld.com/article/2944802/security/openssl-tells-users-to-prepare-for-a-high-severity-flaw.html


Senate advances secret plan forcing Internet services to report terror activity (Ars)

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Jul 2015 16:35:28 -0700
Ars Technica via NNSquad
http://arstechnica.com/tech-policy/2015/07/senate-advances-secret-plan-forcing-internet-services-to-report-terror-activity/

  Senator Dianne Feinstein (D-CA), who sponsored the Internet services
  provision, did not return a call seeking comment.  The legislation is
  modeled after a 2008 law, the Protect Our Children Act. That measure
  requires Internet companies to report images of child porn, and
  information identifying who trades it, to the National Center for Missing
  and Exploited Children. That quasi-government agency then alerts either
  the FBI or local law enforcement about the identities of online child
  pornographers.  The bill, which does not demand that online companies
  remove content, requires Internet firms that obtain actual knowledge of
  any terrorist activity to "provide to the appropriate authorities the
  facts or circumstances of the alleged terrorist activity," wrote The
  Washington Post, which was able to obtain a few lines of the bill
  text. The terrorist activity could be a tweet, a YouTube video, an
  account, or a communication.

Actual child porn is fairly obvious. Terror activity is a much more nebulous
concept, and I suspect a significant percentage of the blowhard statements
from idiot trolls in posting comments could be theoretically swept into this
category. I suspect what's actually going on here is that this is a
preliminary to trying to push through legislation banning strong encryption
by these services, trying to turn Internet services into monitoring agents
for the government.


Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 8 Jul 2015 13:48:35 -0600
Bleacher Report—Kyle Newport—Jul 6, 2015
http://bleacherreport.com/articles/2516427-matt-bonner-blames-new-iphone-6-for-injury-poor-shooting

Matt is quoted in the article:

“I hate to make excuses, I was raised to never make excuses, but I went
through a two-and-a-half month stretch where I had really bad tennis elbow,
and during that stretch it made it so painful for me to shoot I'd almost be
cringing before I even caught the ball like, this is going to kill.'' [...]

Everybody is going to find this hilarious, but here's my theory on how I got
it. When the new iPhone came out it was way bigger than the last one, and I
think because I got that new phone it was a strain to use it, you have to
stretch further to hit the buttons, and I honestly think that's how I ended
up developing it."


Re: Windows 10 will share your Wi-Fi key with your friends' friends (RISKS-28.75)

"Bob Frankston" <bob2-53@bob.ma>
8 Jul 2015 17:11:51 -0400
万能钥匙 [Master Key] (http://www.lianwifi.com/) provides an app
used by hundreds of millions of Chinese to share Wi-Fi keys. I haven't used
it because it's an APK not vetted in the Android store but I understand the
value and the need for a tool to avoid wasting time negotiating past all
those Wi-Fi agree screens and other annoyances present even if there is no
charge.

At some point we need to face up to the fact that this whole idea of Wi-Fi
security is a debacle as well as a security risk. Microsoft's approach may
be problematic because it seems to have more complexity but it does address a
real need for "just works" connectivity.


Leap Second Causes Sporadic Outages Across the Internet (Cade Metz)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 1 Jul 2015 23:24:42 -0600
Cade Metz—WiReD—07.01.15—1:08 pm

Yesterday's leap second caused sporadic outages in more than 2,000 networks
that link machines across the Internet, according to a company that tracks
the performance of online services.

Doug Madory, the director of Internet analysis at the New Hampshire-based
Dyn Inc., says the outages occurred just after midnight Coordinated
Universal Time, when the leap second was added.  Because no single Internet
service provider was responsible for the outage, Madory says, the leap
second was almost certainly the culprit.

http://www.wired.com/2015/07/leap-second-causes-sporadic-outages-across-internet/


Re: "Leap Second Problem" and "Growing opposition to the Leap Second" (RISKS-28.74)

"David E. Ross" <david@rossde.com>
Wed, 1 Jul 2015 09:42:18 -0700
Back in 1969, I was a software tester for a system that handled leap-seconds
seamlessly, a system that remained in use until the early 1990s (more than
20 years).  We had no problems with leap-seconds.  Internally, all time-tags
were in TAI (atomic time), which does not have leap-seconds.  This, of
course, simplified the accurate computation of intervals between two events.
All inputs and displays used a small software routine that converted UTC to
TAI and vice-versa with the insertion or removal of appropriate
leap-seconds.

The problem today is that seven years went by (1999-2006) with no
leap-seconds.  Then, only one leap second occurred between 2006 and 2012, on
1 January 2009 (one in a six-year interval).  That is, there were only two
leap-seconds in a 13-year period.  Programmers, testers, and others involved
in computer systems became complacent, lazy, and possibly ignorant of
fundamental physical processes that are causing the earth's rotation to
slow.

No, the leap-second is not a problem.  The problem lies in systems that were
designed without regard for a phenomenon that occurred 22 times from 1972 to
1999, 27 years during which no serious opposition was expressed against
leap-seconds.

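The design Ross describes, time-tags kept in TAI internally and a small UTC/TAI conversion routine at the edges, as an added example (not code from the 1969 system or from RISKS). It assumes a constructed excerpt of the IERS leap-second table covering 1999-2015 and counts TAI as seconds since 1970-01-01; input before the excerpt is rejected rather than mis-converted.

```python
from datetime import datetime, timezone

# Constructed excerpt of the leap-second table: (first UTC date on which the
# new TAI-UTC offset applies, offset in seconds). Earlier rows are omitted,
# so the functions below refuse inputs before 1999-01-01.
LEAP_TABLE = [("1999-01-01", 32), ("2006-01-01", 33), ("2009-01-01", 34),
              ("2012-07-01", 35), ("2015-07-01", 36)]

def _naive(y, mo, d, h, mi, s):
    """Seconds since 1970-01-01 counting every UTC day as 86400 s (POSIX
    style). A seconds field of 60 lands on the same count as 00:00:00 of the
    next day; the caller adds the pre-leap offset to keep them distinct."""
    base = datetime(y, mo, d, h, mi, 0, tzinfo=timezone.utc)
    return int(base.timestamp()) + s

def _boundary(row):
    y, mo, d = (int(x) for x in row[0].split("-"))
    return _naive(y, mo, d, 0, 0, 0)

def utc_to_tai(y, mo, d, h, mi, s):
    """UTC wall-clock time (seconds field 0..60) -> TAI seconds since 1970."""
    minute = _naive(y, mo, d, h, mi, 0)
    if minute < _boundary(LEAP_TABLE[0]):
        raise ValueError("before the start of the table excerpt")
    off = LEAP_TABLE[0][1]
    for row in LEAP_TABLE:          # offset chosen by the start of the minute,
        if minute >= _boundary(row):  # so 23:59:60 uses the pre-leap offset
            off = row[1]              # and 00:00:00 the post-leap one
    return minute + s + off

def tai_to_utc(tai):
    """Inverse of utc_to_tai; yields (y, mo, d, h, mi, s), s == 60 inside an
    inserted leap second."""
    if tai < _boundary(LEAP_TABLE[0]) + LEAP_TABLE[0][1]:
        raise ValueError("before the start of the table excerpt")
    off = LEAP_TABLE[0][1]
    for row in LEAP_TABLE:
        if tai >= _boundary(row) + row[1]:   # boundary expressed in TAI
            off = row[1]
    n, extra = tai - off, 0
    for row in LEAP_TABLE:
        if n == _boundary(row) and off == row[1] - 1:
            n, extra = n - 1, 1              # the 23:59:60 instant itself
    dt = datetime.fromtimestamp(n, tz=timezone.utc)
    return (dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second + extra)

def interval(utc_a, utc_b):
    """Elapsed SI seconds between two UTC tuples, measured in TAI so that an
    inserted leap second counts (naive wall-clock subtraction would drop it)."""
    return utc_to_tai(*utc_b) - utc_to_tai(*utc_a)
```

Across the 30 June 2015 leap second, `interval((2015, 6, 30, 23, 59, 59), (2015, 7, 1, 0, 0, 0))` is 2, where wall-clock subtraction gives 1.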

Re: DVD drive in PC fire hazard (mctaylor, RISKS-28.75)

Henry Baker <hbaker1@pipeline.com>
Tue, 07 Jul 2015 07:17:36 -0700
My 17" HP Windows laptop fries its own hard drive, because it's located
right next to a very hot GPU.  However, it has a completely empty bay on the
other side that is about 20-25 degrees C cooler.  I got a short SATA
extender cable & relocated the hard drive to this cooler bay.  I then
started running Ubuntu, because it runs 10-15 degrees C cooler than Windows.

As best I can tell, once-mighty HP has lost all of its lustre, and all
of its excellent engineers have left for greener pastures.


Re: Overcoming Information Overload

"Mark E. Smith" <mymark@gmail.com>
Wed, 8 Jul 2015 02:53:28 +0800
Over time I've developed my own methods of overcoming information overload.

1. I have no interface with mainstream or commercial media. I don't own a
TV, don't listen to my hand-cranked radio except for a single jazz station,
and don't read newspapers or magazines. I have no cell phone, my landline is
used only for my dial-up Internet connection, and I'm no longer a registered
voter. Therefore my only contact with stories planted by the CIA,
corporations, or political operatives, is if they are exposed and/or
commented on by somebody in my personal network.

2. For topics that interest me I keep abreast by subscribing to list-serves
dedicated to those specific topics and following people who have
demonstrated an ability to keep themselves informed and to inform others
about these topics on Twitter. For example, I subscribe to two list-serves
about Fukushima and follow several people on Twitter who are knowledgeable
about and only or primarily Tweet about Fukushima.

3. I subscribe through RSS feeds or by email notification to websites that
specialize in topics of interest to me, such as natural health cures,
pollution, technology risks, countries under attack by NATO, indigenous
struggles, sexism, racism, etc., and follow people with similar interests,
experience, and expertise on Twitter. So I get daily or frequent updates
from or about Iraq, Syria, Afghanistan, Pakistan, Libya, Somalia, Yemen,
Palestine, Sudan, Venezuela, Mexico, Ecuador, Russia, etc., and news about
government or paramilitary attacks on indigenous peoples, people of color,
and on women and children everywhere, plus news of the latest pharmaceutical
and health industry scandals and natural health breakthroughs.

4. To save time, I filter emails that don't interest me, and I block more
than 90% of the people who try to follow me on Twitter, after checking their
profiles to make sure they have nothing to say that I consider of
informational value.

5. I don't use social media other than Twitter, which ensures that
everything I read is concise and succinct, due to the character limit on
Tweets.

While Dan Gillmor's notice of the MediaLit MOOC is certain to be of value to
many who have not already worked out a system of their own, as soon as I saw
that it included voices from the mainstream media, I knew it would not be of
sufficient value to me to give it any more time than this response, which I
hope might save others some time.
