The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 77

Saturday 11 July 2015

Contents

Outages continue: USDA; Amazon
Alister Wm Macintyre
When Computers Go Down, It's Not Always a Hack
takingnote
An Offline NYSE. Makes Barely a Ripple in a Day's Trading
NYTimes
Moxie Marlinspike
WSJ
The Massive OPM Hack Actually Hit 25 Million People
WiReD
OpenSSL Patches Critical Certificate Forgery Bug
SlashDot
Hackdoors & Crypto Wars
Eric Geller via Henry Baker
Senator: OPM Hack Gave China a Spy Recruiting Database
Ben Sasse via Henry Baker
Privacy risks in healthcare
PGN
EFF report on the Going Dark Senate hearing
PGN
Cyber criminals adopt recently patched zero-day exploit in a flash
Lucian Constantin
Map of Cyber Attacks
Norsecorp via Alister Wm Macintyre
India's Supreme Court May Ban Porn Viewing, Even in Private Homes
HuffPost
Facing a Selfie Election, Presidential Hopefuls Grin
NYTimes
Your next selfie could be your last, Russia warns
Amar Toor
Re: NZ Harmful Digital Communications Bill
Macintyre
O'Keefe
Leap Second Causes Sporadic Outages Across the Internet
Brian Inglis
Bob Frankston
Re: Samsung is being sued in China
Wols
Ada Lovelace and Babbage
PGN
Info on RISKS (comp.risks)

Outages continue: USDA; Amazon

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 9 Jul 2015 14:31:53 -0500
  [More on `business as usual', as noted in RISKS-28.76.  PGN]

The US Dept of Agriculture (USDA) had an outage, for about an hour.
http://www.marketwatch.com/story/usda-website-back-online-after-outage-2015-07-09-11103195

There is speculation that WSJ went down 8 Jul because it was overloaded when
people found out about NYSE down, then went there for more info.

When we see something in the news, like some kind of disaster, and we go
looking for more info or updates, it can seem like there is an epidemic of
that kind of story.

But many of them might not be at well known places.

There were 4 Internet outages in progress, as I type this e-mail, impacting
360 websites.  One of the more well known places is Amazon.  Its outage
started 9 Jul.  2 of the outages are in North-Central Asia.  There were over
2,000 web sites with outages in the past 24 hours.
http://www.outageanalyzer.com/

Outages can hit just about anyone.
http://blogs.wsj.com/digits/tag/outage/

Breaches continue at a high rate, and GAO has a report on a lack of
cybersecurity within the U.S. banking industry, and by bank regulators.
http://www.bankinfosecurity.com/gao-bank-risk-analysis-comes-up-short-a-8376

The FBI announces that it prevented multiple ISIL terrorist attacks from
occurring on July-4.
http://www.msn.com/en-us/news/us/fbi-says-thwarted-islamic-state-inspired-attacks-on-july-4/ar-AAcLwOv?ocid=iehp


When Computers Go Down, It's Not Always a Hack (takingnote)

Monty Solomon <monty@roscom.com>
Thu, 9 Jul 2015 09:29:59 -0400
http://takingnote.blogs.nytimes.com/2015/07/08/when-computers-go-down-its-not-always-a-hack/

We're too quick to blame hackers for failures like the one that disrupted
trading on the New York Stock Exchange.


An Offline NYSE. Makes Barely a Ripple in a Day's Trading (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 9 Jul 2015 08:00:27 -0400
As the stoppage on Wednesday showed, the modern world of stock trading is
much quicker, more complex and reliant on sophisticated computers—and in
many cases able to adapt.
http://www.nytimes.com/2015/07/09/business/dealbook/an-offline-nyse-makes-barely-a-ripple-in-a-days-trading.html


Moxie Marlinspike

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 10 Jul 2015 13:02:50 PDT
Dreadlocked programmer has spooked the FBI by creating a tool the police
cannot crack.  (Matt Green's students at Johns Hopkins could not break it.)
http://www.wsj.com/articles/moxie-marlinspike-the-coder-who-encrypted-your-texts-1436486274?mod=LS1


The Massive OPM Hack Actually Hit 25 Million People

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 9 Jul 2015 14:46:33 PDT
http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/

  "The team has now concluded with high confidence that sensitive
  information, including the Social Security Numbers (SSNs) of 21.5 million
  individuals, was stolen from the background investigation databases," OPM
  wrote in the statement.  "This includes 19.7 million individuals that
  applied for a background investigation, and 1.8 million non-applicants,
  predominantly spouses or co-habitants of applicants."  The stolen
  information includes about 1.1 million fingerprints as well as findings
  that investigators obtained from interviews conducted with neighbors,
  friends and family members for background checks.  Such information can be
  highly sensitive since it can include knowledge about the drug and
  criminal history of someone undergoing a background check as well as their
  sexual orientation and relationships.

Lauren Weinstein added:
  And the FBI says "trust us with your encrypted communications." Uh huh.


OpenSSL Patches Critical Certificate Forgery Bug (SlashDot)

Werner U <werneru@gmail.com>
Fri, 10 Jul 2015 03:43:06 +0200
<http://it.slashdot.org/story/15/07/09/152257/openssl-patches-critical-certificate-forgery-bug>

msm1267 <http://it.slashdot.org/%7Emsm1267> writes: *The mystery OpenSSL
<http://openssl.org/> patch released today addresses a critical certificate
validation issue where anyone with an untrusted TLS certificate can become
a Certificate Authority
<https://threatpost.com/openssl-patches-critical-certificate-validation-vulnerability/113703>.
While serious, the good news according to the OpenSSL Project is that few
downstream organizations have deployed the June update where the bug was
introduced.* From the linked piece: *The vulnerability allows an attacker
with an untrusted TLS certificate to be treated as a certificate authority
and spoof another website. Attackers can use this scenario to redirect
traffic, set up man-in-the-middle attacks, phishing schemes and anything
else that compromises supposedly encrypted traffic. [Rich Salz, one of the
developers] said there are no reports of public exploits.*
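The failure the item describes is a path-validation one: a certificate holder is treated as an issuer without the validator insisting that every issuer actually be a CA. As an added illustration, not OpenSSL's code and not part of the Slashdot or Threatpost pieces quoted above, the Go program below uses only the standard crypto/x509 package to generate a constructed root, an ordinary end-entity certificate issued by it, and a certificate that the end-entity key signed for a victim hostname. It then validates the forged chain twice: once checking signatures only, which accepts it, and once also applying RFC 5280's rule that an issuer must carry basicConstraints cA=TRUE (and keyCertSign when keyUsage is present), which rejects it. All names, keys and the `ValidatePath` and `StdlibVerify` functions belong to this example, not to any real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoChain is constructed test data: a trusted root, an ordinary server
// certificate ("Leaf", cA=FALSE) issued by it, and a certificate for a victim
// hostname ("Forged") that the leaf's key signed as though the leaf were a CA.
type DemoChain struct{ Root, Leaf, Forged *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with the signer's key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildDemoChain generates fresh P-256 keys and the three certificates.
func BuildDemoChain() *DemoChain {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		keys[i] = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	now := time.Now()
	tmpl := func(serial int64, name string, ca bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: ca, // cA=FALSE is encoded explicitly
			KeyUsage: x509.KeyUsageDigitalSignature,
		}
		if ca {
			c.KeyUsage = x509.KeyUsageCertSign
		} else {
			c.DNSNames = []string{name}
			c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return c
	}
	rootTmpl := tmpl(1, "Demo Root CA", true)
	root := sign(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	leaf := sign(tmpl(2, "attacker.example", false), root, &keys[1].PublicKey, keys[0])
	// The attacker signs a certificate for someone else's hostname with the
	// key of its own, legitimately issued, non-CA certificate.
	forged := sign(tmpl(3, "victim.example", false), leaf, &keys[2].PublicKey, keys[1])
	return &DemoChain{Root: root, Leaf: leaf, Forged: forged}
}

// ValidatePath checks chain[0] against chain[1], ..., and the last element
// against root. enforceCA=false checks signatures only, the mistake that lets
// any certificate holder act as a CA; enforceCA=true also requires each issuer
// to satisfy RFC 5280 4.2.1.3/4.2.1.9: cA=TRUE and (if present) keyCertSign.
func ValidatePath(chain []*x509.Certificate, root *x509.Certificate, enforceCA bool) error {
	path := append(append([]*x509.Certificate{}, chain...), root)
	for i := 0; i+1 < len(path); i++ {
		cert, issuer := path[i], path[i+1]
		if err := issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
			return fmt.Errorf("%s: not signed by %s: %w", cert.Subject.CommonName, issuer.Subject.CommonName, err)
		}
		notCA := !issuer.BasicConstraintsValid || !issuer.IsCA ||
			(issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCertSign == 0)
		if enforceCA && notCA {
			return fmt.Errorf("%s: issuer %s is not a CA permitted to sign certificates", cert.Subject.CommonName, issuer.Subject.CommonName)
		}
	}
	return nil
}

// StdlibVerify asks crypto/x509's own path builder the same question,
// trusting only Root and offering Leaf as a candidate intermediate.
func StdlibVerify(d *DemoChain, cert *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(d.Root)
	inter.AddCert(d.Leaf)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: cert.DNSNames[0]})
	return err
}

func main() {
	d := BuildDemoChain()
	forged := []*x509.Certificate{d.Forged, d.Leaf}
	fmt.Println("signatures only:", ValidatePath(forged, d.Root, false))
	fmt.Println("with CA check:", ValidatePath(forged, d.Root, true))
	fmt.Println("crypto/x509:", StdlibVerify(d, d.Forged))
}
```

The point of the two modes is that the forged certificate carries a perfectly good signature; what makes the chain bogus is a property of the issuer, and a validator that skips that property check for any candidate issuer in its search is exactly what turns every certificate holder into a CA. crypto/x509's own Verify is run alongside as a cross-check that a correct path builder rejects the same chain.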


Hackdoors & Crypto Wars (Eric Geller)

Henry Baker <hbaker1@pipeline.com>
Fri, 10 Jul 2015 13:59:18 -0700
FYI—Outstanding (but long) article on the whole encryption debate.
Probably the best single article to read to understand the history & current
state of the debate.  HB
  [It is extraordinarily well written, concise, and comprehensive.
  But I had to dramatically prune it for RISKS.  PGN]

A question that comes to mind: "Why is Comey & the FBI & the Obama
Administration pushing so hard on this?  The FBI & the White House certainly
have access to computer scientists who have told them it isn't a workable
idea, so it is odd that Comey would go so far out on this particular limb."

My only answer is that Google/Apple/Facebook are extremely rich potential
sources of campaign contributions, and sometimes it takes fear to open up
those pocketbooks—look how Dodd-Frank opened up the wallets of the banks!
Once the right candidates have been safely elected, President Obama is then
free to add to his legacy by vetoing this "hackdoor" nonsense.

Follow the link to follow the links in the original article.

https://www.dailydot.com/politics/encryption-crypto-war-james-comey-fbi-privacy/
The rise of the new Crypto War
By Eric Geller
Jul 10, 2015, 7:00am CT | Last updated Jul 10, 2015, 2:41pm CT

James B. Comey, Jr., the seventh director of the Federal Bureau of
Investigation, is afraid of the dark.

“The law hasn't kept pace with technology, and this disconnect has created
a significant public safety problem,'' Comey said in an Oct. 16, 2014,
speech at the Brookings Institution, an influential Washington, D.C., think
tank.  He called the problem `going dark'.

As more and more criminals presumably go dark by encrypting their phones and
email accounts, federal agents are finding it increasingly difficult to
intercept their communications.  The spread of easy-to-use encryption
software and the eagerness with which tech companies promote it have deeply
troubled the FBI.  But on that unusually warm October day, Comey also wanted
to vent about another frustration: He felt that the bureau's proposed
solution was being distorted.

“There is a misconception that building a lawful intercept solution into a
system requires a so-called backdoor, one that foreign adversaries and
hackers may try to exploit.  But that isn't true.  We aren't seeking a
backdoor approach.  We want to use the front door, with clarity and
transparency, and with clear guidance provided by law.''

He only used the word twice, but by strenuously denying that he wanted one,
Comey had set off a fierce debate about the secret law-enforcement
data-access portals known as backdoors.  In the months that followed, Comey,
his deputies at the FBI, and his counterparts at other agencies would face
relentless questioning and criticism from skeptical members of Congress,
exasperated security researchers, and outraged privacy groups.  Despite
Comey's protestations, many feared that the agency once known for its
disturbing reach and systemic abuses of power in the era of J. Edgar Hoover
was seeking a return to that fearsome omniscience in the digital age.

The debate over backdoors has pitted Comey and other national-security
officials against America's biggest tech companies, which have fired off
letter after letter warning the government not to undermine encryption and
the increasingly powerful security tools built into their products.  It has
strained relations between an obscure but important government technical
body and the security industry that used to consider it a trusted partner.
And it has infuriated the cryptography experts and civil-liberties activists
who have spent decades beating back government efforts to weaken the
encryption that is now vital to all aspects of online life. [...]

Crypto Wars ...
Backdoors ...
CALEA ...
The return of the Crypto Wars ...
Universally derided  ... letter to President Obama ...
Keys Under Doormats report ...
Divided government ...
Eroding trust ...
Heartbleed as a harbinger ...
Private-sector pressure ...
The murky way forward ...

As CALEA-era arguments rear their heads again—the same words coming out
of new mouths—Cindy Cohn sounded like a veteran military commander
reluctantly gearing up once more.  “We think the government was wrong then,
and they're wrong now.  But we may have to spend a lot of energy to fight a
war that we already won.''


Senator: OPM Hack Gave China a Spy Recruiting Database?

Henry Baker <hbaker1@pipeline.com>
Fri, 10 Jul 2015 12:40:47 -0700
"most of the people responsible for safeguarding this information had
essentially no background in IT" OK.  Hire the best Beltway Bandit security
firms that revolving door lobbyists can suggest.  Check!

"government needs to stop the bleeding ... every sensitive database ... must
be immediately secured" OK.  Strong encryption with Perfect Forward Secrecy.
Load "every sensitive database in every government agency" into Apple iOS 8.
Check!

"Our government must completely reevaluate its cyber doctrine" OK.
Immediately fire all those "cyber warriors" who thought that "deterrence"
would work.  Check!

"playing defense is a losing game" Since deterrence obviously isn't working
(and will never work), wouldn't "stopping the bleeding" include "playing
defense" ?  If you're not sure who to shoot at, perhaps your best strategy
is to immediately put up better defenses ?  The last time the U.S. started
cyber shooting, the stray cyberbullets landed back in the U.S. as STUXNET
mutant malware.

"we need to send a clear message" OK.  To whom should we send this message,
and what should it say?  I humbly suggest: "Pretty please, Mr. Lone Wolf (or
whoever you are), we in the U.S. live in a glass house, so we can't throw
stones at you, but we really, really dislike what you've been doing, and
wish that you would stop—at least long enough for us to install some
stronger glass."

"We have to deter attacks from ever happening" Obviously, these spies were
neither shaken nor deterred.

Author: Senator Ben Sasse, 9 Jul 2015.
https://www.wired.com/2015/07/senator-sasse-washington-still-isnt-taking-opm-breach-seriously/
The OPM Hack May Have Given China a Spy Recruiting Database
As a newly elected Senator, I am here to tell you a hard truth: Washington
does not take cybersecurity seriously. ...
China may now have the largest spy-recruiting database in history.

Bottom line: If you have any family or friends who work for the government
and put your name down on an SF-86, a foreign government might well know a
lot more about you and your kids than you'd like.

  [Excellent item...  Read it in full, and hope that Senator Sasse gets
  listened to in the Senate!  PGN]


Privacy risks in healthcare

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 10 Jul 2015 17:12:11 PDT
This week, GAO Director of Information Security Gregory Wilshusen said at a
House Science, Space, and Technology Subcommittee hearing that he isn't
aware of any actions being taken to address the privacy risks (security
flaws) of healthcare.gov data warehouse system, which includes SSNs,
financial account information, and other personal information.

http://science.house.gov/hearing/subcommittee-research-and-technology-and-subcommittee-oversight-hearing-opm-data-breach-tip

 Recent Healthcare Information and Management Systems Society Cybersecurity
 Survey says that 67% of the respondents reported a significant security
 incident. http://www.himss.org/2015-cybersecurity-survey


EFF report on the Going Dark Senate hearing

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 10 Jul 2015 16:17:57 PDT
https://www.eff.org/deeplinks/2015/07/top-five-takeaways-todays-hearings-encryption


"Cyber criminals adopt recently patched zero-day exploit in a flash" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 09 Jul 2015 10:27:14 -0700
Lucian Constantin, InfoWorld, 29 Jun 2015
It only took four days for a recently patched vulnerability in Flash
Player to start being used in large-scale attacks
http://www.infoworld.com/article/2940445/security/cyber-criminals-adopt-recently-patched-zero-day-exploit-in-a-flash.html


Map of Cyber Attacks

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 9 Jul 2015 16:44:07 -0500
Places where most cyber attacks were made today Jul 9:

* USA
* Mil/Gov
* France
* Russia
* Ecuador
* Liechtenstein
* Singapore
* Cyprus

Places from which most cyber attacks originated today July-9:

* China
* USA
* Russia
* Bulgaria
* Singapore
* Mil/Gov
* Netherlands
* Canada

See the map for more details.
(Above listed from most attacks to smaller #s.)
http://map.norsecorp.com/


India's Supreme Court May Ban Porn Viewing, Even in Private Homes

Lauren Weinstein <lauren@vortex.com>
Fri, 10 Jul 2015 11:51:32 -0700
HuffPost via NNSquad
http://www.huffingtonpost.com/van-winkles/indias-supreme-court-may_b_7772084.html

  The land that gave us the Kama Sutra is having trouble with pornography.
  As the Times of India reported, India's Supreme Court is unhappy with the
  federal government's inaction in combating widespread Internet porn.
  Taking matters into its own hands, the Court is considering a blanket ban
  on all porn.

Good luck with that, guys.


Facing a Selfie Election, Presidential Hopefuls Grin

Gabe Goldberg <gabe@gabegold.com>
Thu, 09 Jul 2015 16:28:10 -0400
"For security teams on the campaigns, all this close contact between
candidates and strangers can be a challenge, but in some ways it is easier
to monitor than a traditional rope line. That is because selfies keep
people's hands up where they can be seen."

http://www.nytimes.com/2015/07/05/us/politics/facing-a-selfie-election-presidential-hopefuls-grin-and-bear-it.html

...and of course, nobody requesting a selfie, holding an electronic
gadget up to a candidate's head could have an explosive inside it. IED,
indeed.

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Your next selfie could be your last, Russia warns (Amar Toor)

Monty Solomon <monty@roscom.com>
Thu, 9 Jul 2015 10:01:15 -0400
Amar Toor, *The Verge*, 8 Jul 2015
Interior ministry launches public safety campaign after at least 100 have
been injured in the name of selfies
http://www.theverge.com/2015/7/8/8911197/russia-selfie-safety-campaign


Re: NZ Harmful Digital Communications Bill (Re: O'Keefe)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 9 Jul 2015 13:35:08 -0500
In trying to solve some problems, legislators often have the (unintended ?)
consequences of creating new ones.

Is my understanding now correct, that this law may have exempted some hosts
of the digital data (phone company, computer owners, TV News) but not the
people making the statements that cause offense, annoyance, hurt feelings
etc., where there are no exceptions, based on type of person making the
unwanted statements, such as politicians, civil servants, people in other
nations?

The US Supreme Court has declared that corporations are real people, so
press releases, advertising, billing practices etc., by corporations, might
be offensive to some people.  If companies are not real people under NZ law,
then maybe their feelings are not covered by this law.

I wear a hearing aid.  Does that mean that any communications I hear,
arrived digitally?

Stories in newspapers and magazines typically come from computer word
processing, and modern electronic printing systems.  Does that make them
digital?

Is info via a photo copy machine, fax machine, digital communications?

If all of the above is yes, then New Zealand can now impose heavy fines &
jail time, for many former legal activities:

* Just about anything reported on police radio, or in police & DA records is
  offensive to the accused suspects, and offending anyone is now a crime.
  So police may need to return to systems they used before there was police
  radio.

* Judges will need to be careful not to allow the introduction of evidence
  which went thru modern technology, like phone logs, because any suspect is
  offended by all evidence against them, but only non-digital now is legal
  to use against them.

* Any courts, which in the past, used microphone for anyone testifying, so
  that there is a digital record, will need to stop doing that, because it
  is a digital communication of something which may offend the accused.
  Court rooms may need to be rearranged to help any hard of hearing on the
  jury.

* Anyone who reports a crime or suspected crime (hurting terrorist's
  feelings is now a crime).  Be careful when using 911 or 999.

* A doctor informs a patient about a medical condition, which upsets the
  patient.  No matter that they need to know the truth so that they can get
  proper treatment. (Hurting anyone feelings is now a crime, if the info
  involves digital communications.)

* Conduct normal business communications of the kind of data used to
  identify your customer, such as their credit cards. (it is now a crime to
  communicate that data if anything digital is involved).  Nowadays that
  info is almost always communicated electronically from retailer into
  banking system.

* Fire an employee?  That can upset the fired person.  You better not have
  anything about this on the company's computers.  Limit the info to pen and
  paper and verbal.  If the fired person appeals to NZ equivalent of
  unemployment compensation or improper firing bureau, and it asks for info,
  the reply will need to be by snail mail.  Avoid photocopy machine or fax
  machine, because that's digital communications.

* Bill collectors will be a thing of the past.  I don't think they can
  function without computer records, robo calls.

* If Donald Trump ever visits NZ, he will be jailed for his remarks about
  Mexico (offensive to Mexicans, and others).  His defense that his remarks
  are true, is irrelevant.  The law does not say it is illegal or legal to
  say things which can be proven to be true or false, it says that if you
  make ANY remarks which are offensive to ANYONE, over any communication
  channel which by any interpretation can be called digital, even analog
  signals, that is illegal.

* Any politician who opens his or her mouth, especially in an election, or
  debating the nation's business, probably offends someone.  Did NZ
  politicians think to exempt themselves, as is common in USA?

* In the USA, apartment leases frequently refer to laws about tenant rights,
  then insist that as a condition of getting this apartment, the tenant
  waives all those legal rights.  Thus the landlord has an unfettered right
  to harass, annoy, offend any tenant.  Does NZ have a similar system, where
  business contracts can absolve people of their legal rights?

Many things posted anywhere on the Internet, lists like RISKS, no doubt
offends someone.  Lists may need to scrub NZ subscribers from their
membership.


Re: NZ Harmful Digital Communications Bill

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 10 Jul 2015 17:20:42 +1200
I did provide a link to the text of the act, but basically, yes.
"an online content host"
 - must make it easy for people to complain about specific content
   If you don't do that, you're not protected.
 - must respond to a complaint within 48 hours
 - must communicate with "the author of the specific content"
   "as soon as practicable" (but within the 48 hours)
 - if the author doesn't respond with 48 hours, the content must
   be removed.

> The US Supreme Court has declared that corporations are real people ...

Under British law, companies (and ships) have been legal persons
for centuries.  NZ law is a branch of Common Law.  However, this
Act specifically defines "individual means a natural person".
So yes, companies are not covered by this law.
But the owners, officers, and employees of a company ARE.

I AM NOT A LAWYER.  So when I say that
4 "defendant ... means a person against whom an order is sought or made"
does not say "natural person" or "individual", so it looks to *me* as
if the defendant *can* be a juridical person, why, that opinion's
worth every penny you paid for it.

> I wear a hearing aid.  Does that mean that any communications ...

I think that would have to be tested in court.
"Digital communication—(a) means any form of electronic
communication"; whether a hearing aid is a form of electronic
communication, especially if the other person is unaware of it,
is an interesting question.

This law has been in development for *years*; it's about 18 months
since it left first draft status and entered Parliament for debate.

As for stories in newspapers and magazines, a magazine I used to buy
regularly has just this month ceased print distribution and now exists
only on line, and the daily newspaper I read is also on line, every
story.  So it hardly matters how the print version would be classified;
there is definitely a version which is communicated electronically to
the general public.

> If all of the above is yes, then New Zealand can now impose heavy fines &
jail time, for many former legal activities.

In principle, yes.  Part of the Act is in force now, and the rest will
commence when they get around to it but no later than 2 years; they've got
to set up a new "Approved Agency" to receive complaints.

Harassment (Harassment Act, 1997, see
http://www.legislation.govt.nz/act/public/1997/0092/latest/DLM417078.html
and defamation were already illegal.  In particular, 4(1)(d) making contact
with [the victim] (whether by telephone, correspondence, or in any other
way);

4(1)(e) giving offensive material to [the victim], or leaving it where it
will be found by, given to, or brought to the attention of, that person:

4(1)(f) acting in any other way (i) that causes [the victim] to fear for his
or her safety; and (ii) that would cause a reasonable person in [the
victim]'s particular circumstances to fear for his or her safety.

would seem to cover a lot of it, except that just as the Harmful Digital
Communications Act is too broad, the Harassment Act is too narrow:
harassment has to be "a pattern of behaviour".  Apparently one of the
triggers for the development of the new Act was a case in which some clearly
nasty behaviour was held not to be harassment because it only happened once.
So the new act amends the Harassment Act to say that "doing any specified
act to the other person that is *one continuing act* [such as placing
offensive material about someone online] carried out over any period" also
counts as harassment, and 4(1)(e) also now includes putting material on
line.

But I would still have thought that cyberbullying should have been covered
as "a pattern of behaviour" under the original Harassment Act.

> Just about anything reported on police radio, or in police & DA records is
offensive to the accused suspects, and offending anyone is now a crime. ...

Section 13 "Threshold for proceedings" does put some extremely vague
limits on the seriousness of the alleged offence, and section
19 "Orders that may be made by court" says that
19 (5) In deciding whether or not to make an order, and the form of an
order, the court MUST take into account ...
(b) the purpose of the communicator ...
...
(g) whether the communication is in the public interest ..."

The response to an initial complaint is either to dismiss the case
or to order that the offensive behaviour stop; the criminal offence
is to disobey such an order.

> Judges will need to be careful not to allow the introduction of evidence
which went thru modern technology, like phone logs, because any suspect is
offended by all evidence against them, but only non-digital now is legal to
use against them.

I suspect that 19 (5) (b and g) come into play here again.  But once again,
I am not a lawyer, and my interpretation is not to be relied on.

> Doctor inform a patient about a medical condition, which upsets the
patient.

I thought of that one too.

> If Donald Trump ever visits NZ, he will be jailed for his remarks ...
it says that if you make ANY remarks which are offensive to ANYONE, over any
communication channel which by any interpretation can be called digital,
even analog signals, that is illegal.

If he kept on making such remarks after a court order to stop, yes.

As it happens, such remarks have probably been illegal for years.
Human Rights Act 1993, section 63, Racial harassment.
(1) It shall be unlawful for any person to use language (whether
written or spoken), or visual material, or physical behaviour,
that --
(a) expresses hostility against, or brings into contempt or
ridicule, any other person on the ground of the colour, race, or
ethnic or national origins of that person; and
(b) is hurtful or offensive to that other person (whether or not
that is conveyed to the first-mentioned person) and
(c) is either repeated, or of such a significant nature, that it
has a detrimental effect on that other person in respect of any
of the areas into which this subsection is applied by subsection (2).
I'll spare you subsection (2), but since Trump wants to keep Mexicans
out of the country ("access to places") or at least out of jobs
("employment, which term includes unpaid work"), I think it's pretty
clear that what he said was definitely illegal however disseminated.

The Human Rights Act replaced the Race Relations Act 1971, which
I believe said something similar.

> Any politician who opens his or her mouth, especially in an election,...
  Did NZ politicians think to exempt themselves, as is common in USA?

Perhaps the "public interest" provision?  We may have to wait for
a case to decide that...


I repeat that I am not a lawyer.  I have heard an expert say with
respect to *consumer protection* laws that you can't sign away your
rights.  Ah.  Residential Tenancies Act 1986, section 11(3):
	Any purported waiver by a tenant of any right or power
	conferred upon tenants by this Act shall be of no effect.
Other business contracts are governed by other acts, but at least
in the case of getting an apartment, such a waiver might scare the
tenant but is "of no effect" if it goes to law.  Indeed, the title
of section 11 is "Act generally to apply despite contrary provisions".
However, the landlord can waive *his* rights and powers.

> Many things posted anywhere on the Internet, lists like RISKS, no doubt
offends someone.  Lists may need to scrub NZ subscribers from their
membership.

New Zealand law does not bind people outside New Zealand.

We don't have the numbers, the wealth, or the military power to lean on
other countries the way, for example, the USA has leaned on the NZ legal
system.  So the RISKS Digest has nothing to fear.


Leap Second Causes Sporadic Outages Across the Internet (R-28.76)

Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
Thu, 9 Jul 2015 07:21:03 -0600
Outages of Amazon AWS US EC2, Experian, HipChat, Instagram, Jobvite, Match,
Netflix, Pinterest, Reddit, Tinder, Yelp, and Zions Bank were initially
blamed on the leap second by Amazon, who later corrected their diagnosis:
The root cause of this issue was an external Internet service provider
incorrectly accepting a set of routes for some AWS addresses from a
third-party who inadvertently advertised these routes.

https://blog.thousandeyes.com/route-leak-causes-amazon-and-aws-outage analysis:

“the root cause of this was not related to the fiber cuts, but in fact a
route leak from Axcelx (AS33083), a data center provider in Boston. All of
Amazon's prefixes originating in AS14618 were affected to some degree."

Axcelx admits:
"Our sincere apologies to everyone who experienced a route leak via AS33083
of AWS. We have a new prefix-list facing Hibernia."

A large chunk of AWS US EC2 node traffic appears to have been misrouted via
Hibernia Networks to Axcelx black hole.  This failure highlighting the lack
of BGP routing security could provide fodder for wider future DoS attacks or
diversions for competitive or malicious reasons.  See
http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
(part 2 of 3)
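The control Axcelx says it added, a prefix-list facing its transit, is the routine defence against exactly this kind of leak: a neighbor is only allowed to announce the prefixes it is known to hold, and anything else is dropped before it enters the routing table. As an added example, not code from Axcelx, Hibernia, ThousandEyes or the article above, the Go program below implements such an inbound policy and runs it over a constructed feed of announcements. The ASNs 33083 and 14618 are the ones named in the message; the prefixes are RFC 5737 documentation addresses standing in for the real ones (which this example does not know), AS64496 and AS64500 are private-use ASNs invented for the scenario, and the `Origin` map is a stand-in for the IRR route objects or RPKI ROAs a real router would consult.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Announcement is one route as learned from a BGP neighbor: the neighbor's
// ASN, the prefix, and the origin ASN at the end of the AS_PATH.
type Announcement struct {
	Peer   uint32
	Prefix netip.Prefix
	Origin uint32
}

// PrefixRule is one inbound prefix-list entry: accept Prefix and any
// more-specific of it no longer than MaxLen bits.
type PrefixRule struct {
	Prefix netip.Prefix
	MaxLen int
}

// Allows reports whether p is covered by the rule.
func (r PrefixRule) Allows(p netip.Prefix) bool {
	return r.Prefix.Addr().Is4() == p.Addr().Is4() &&
		r.Prefix.Bits() <= p.Bits() && p.Bits() <= r.MaxLen &&
		r.Prefix.Contains(p.Addr())
}

// Filter is the inbound policy of one router: a prefix-list per neighbor and,
// for each listed prefix, the ASN registered as its legitimate origin (this
// stands in for an IRR route object or RPKI ROA; constructed data here).
type Filter struct {
	Rules  map[uint32][]PrefixRule
	Origin map[netip.Prefix]uint32
}

// Verdict is the filter's decision for one announcement.
type Verdict struct {
	Accept bool
	Reason string
}

// Check applies the policy: no list for the neighbor means deny everything,
// a prefix outside the list is a leak, and a listed prefix with the wrong
// origin is a hijack or a mis-originated leak.
func (f Filter) Check(a Announcement) Verdict {
	rules, ok := f.Rules[a.Peer]
	if !ok {
		return Verdict{false, fmt.Sprintf("AS%d: no inbound prefix-list, deny by default", a.Peer)}
	}
	for _, r := range rules {
		if !r.Allows(a.Prefix) {
			continue
		}
		if want, known := f.Origin[r.Prefix]; known && want != a.Origin {
			return Verdict{false, fmt.Sprintf("%s: origin AS%d, registered AS%d", a.Prefix, a.Origin, want)}
		}
		return Verdict{true, fmt.Sprintf("%s: matches prefix-list entry %s", a.Prefix, r.Prefix)}
	}
	return Verdict{false, fmt.Sprintf("%s from AS%d: not in neighbor's prefix-list (route leak)", a.Prefix, a.Peer)}
}

// CheckAll returns one verdict per announcement, in order.
func (f Filter) CheckAll(as []Announcement) []Verdict {
	out := make([]Verdict, 0, len(as))
	for _, a := range as {
		out = append(out, f.Check(a))
	}
	return out
}

// DemoFilter models a transit router's policy towards customer AS33083 (the
// ASN from the ThousandEyes analysis). The prefix is an RFC 5737 documentation
// address standing in for the real one, which this example does not know.
func DemoFilter() Filter {
	customer := netip.MustParsePrefix("203.0.113.0/24")
	return Filter{
		Rules:  map[uint32][]PrefixRule{33083: {{Prefix: customer, MaxLen: 24}}},
		Origin: map[netip.Prefix]uint32{customer: 33083},
	}
}

// DemoAnnouncements is a constructed feed: the customer's own route, an
// Amazon-style prefix (origin AS14618 as on the page) leaked via the customer,
// an over-long more-specific, a mis-originated route, and a route from a
// neighbor with no list at all.
func DemoAnnouncements() []Announcement {
	p := netip.MustParsePrefix
	return []Announcement{
		{33083, p("203.0.113.0/24"), 33083},
		{33083, p("198.51.100.0/22"), 14618},
		{33083, p("203.0.113.128/25"), 33083},
		{33083, p("203.0.113.0/24"), 64500},
		{64496, p("192.0.2.0/24"), 64496},
	}
}

func main() {
	for _, v := range DemoFilter().CheckAll(DemoAnnouncements()) {
		fmt.Printf("accept=%-5v %s\n", v.Accept, v.Reason)
	}
}
```

Only the first announcement survives. The second is the shape of the incident in the message: a customer re-advertising somebody else's prefix, which a neighbor with an explicit prefix-list simply never installs. The deny-by-default for an unlisted neighbor is deliberate; the leak happened precisely because a peer accepted routes it had no positive reason to trust.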


Re: [risks 28.76] Re: "Leap Second Problem" and "Growing opposition to the Leap Second" (RISKS-28.74)

"Bob Frankston" <bob2-53@bob.ma>
9 Jul 2015 09:23:58 -0400
"Complacent, lazy"—there is a real risk in using a moral framing and
short-circuiting critical thinking. Closely related is using one's implicit
context and use cases and proof by example.

In this case we have an intrinsic problem in representation that makes
TimeSpan(1 minute) undefined. A source of the problem is the implicit
assumption that there is a single kind of "time". I don't want to belabor
the issue on this list beyond pointing out that we can have a stable base
representation and, as with time zones, we can have explicit variations that
have an adjust for the Earth's wobble. Other uses of "time" require
different approaches.

I encounter the problem of moral framing in connectivity policy which I see
as a structural problem but that's another topic ...


Re: Samsung is being sued in China (Werner U in RISKS-28.76)

Wols Lists <antlists@youngman.org.uk>
Thu, 09 Jul 2015 15:11:51 +0100
> Out of a study of 20 smartphones, Samsung and Oppo were found to be the
> worst culprits. A model of Samsung's Galaxy Note 3 contained 44
> pre-installed apps that could not be removed from the device, while Oppo's
> X9007 phone had 71.

I have/had a Samsung Galaxy Ace. I've renewed my contract and got a new
phone in the last month or so. Why? Because, with only a few apps of my
own choice installed, the phone is now so overloaded with bloatware that
updates fail with "insufficient space on device". And that's with pretty
much everything that CAN be moved, moved onto the 16Gb SD card.


Ada Lovelace and Babbage

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 11 Jul 2015 11:01:39 PDT
This morning, my wife and I went into the Chilmark Library to see the art
works of a childhood friend.  On the New Books shelf, I stumbled onto a
very new book—just published this month (July 2015):

   The Thrilling Adventures of LOVELACE and BABBAGE
   The (Mostly) True Story of the First Computer
                by Sydney Padua

The third of three title pages looks something like this, with old fonts and
many font sizes that I cannot begin to reproduce in ASCII:

          !!!! Triumphant Debut of !!!!
                      ADA
              Countess of Lovelace,
               the Secret Origin!
WITH the Celebrated and Ingenious Mechanician, Professor
                CHARLES BABBAGE
                   and his
           Wonderful Calculating Machine
The Tragical Conclusion Marvelously Averted by the Formation of
               A POCKET UNIVERSE
  to Be the Scene of Diverse Amusing & Thrilling Adventures
   With Humourous CUTS and Other PICTORIAL Embellishments!

Sydney Padua has drawn on documents from Ada and Babbage, done some
extraordinarily good research, augmented an amazingly clever presentation
with extensive footnotes and some diagrams never previously published.  For
those of you not familiar with the early history of computing, this might be
a good place to start.  The first thirty pages are straight historical
stuff, apparently very true to historical records—up to a brief
relatively unhappy ending.  However, from there on Padua has provided a
delightful alternative (his)story.

We have observed many times in The Risks Forum that some things don't change
very rapidly.  Many elements of hardware were present in Babbage's notion of
the Difference Engine in the mid-1800s, and many elements of programming
were present in Ada Lovelace's then-contemporary would-be software
constructions.

Cheers!  Peter
