The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 79

Monday 20 July 2015

Contents

The Golden Age of Surveillance
Peter Swire via Henry Baker
The history of backdoors and exceptional access
Matt Green
Nice little biz you got there, Apple. Hate for any laws to mess it up.
Benjamin Wittes
Code first, see how it looks later...
GovWatch via Gabe Goldberg
U.S. vs. Hackers: Still Lopsided...
Shear and Perlroth
Cameron --> Cameroff
PGN
Flaw in British school Internet monitoring software
The Guardian
Twitter privacy fail exposes private phone numbers
Lauren Weinstein
You Need to Speak Up For Internet Security. Right Now.
Katie Moussouris
Controversial new law on 'right to be forgotten' stirs debate in Russia
RBTH
FireEye ex-intern arrested for Darkode malware
Darren Pauli via Henry Baker
Oracle fixes zero-day Java flaw and over 190 other vulnerabilities
Lucian Constantin
Dog Bites Man; Surveillance Software Hacked
Thomas Fox-Brewster
Hairless Head in a Clueless Photo Booth
The NY Times
Trying to Win the Public's Trust With Autonomous Cars, at 120 MPH
NYT
California Firefighters impeded by drones
Gizmodo
Gun-Firing Drone Raises Some Eyebrows
PGN
Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware
Slashdot
Boeing: "P0wn drops keep falling on my head"
Cora Currier
Swindlers Target Older Women on Dating Websites
NYT
PayPal Notice of policy update
Gabe Goldberg
How a Simple Browser Add-On is Changing the Way Visually Impaired People Use the Web
good
Win10 updates to be mandatory for Home users
Peter Bright
New York Stock Exchange System Failure Draws Attention to Staff Cuts
NYT
Hacking Team hacked, attackers claim 400GB in dumped data
Steve Ragan
Why the Islamic State leaves tech companies torn between free speech and security
WashPost
Heartbleed and beyond: Marine Corps 'cyber range' trains to fight off hackers
WashPost
NSA Summer Camp: More Hacking Than Hiking
NYT
U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push
NYT
Civil Liability for End2End Encryption?
Conor Friedersdorf via Henry Baker
Re: Securing networks is harder than it was two years ago
Bob Frankston
Info on RISKS (comp.risks)

The Golden Age of Surveillance (Peter Swire)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 15:50:26 -0700
Peter Swire, *Slate*, 15 Jul 2015
The government doesn't need to weaken encryption—it already has the tools
it needs to catch criminals.
http://www.slate.com/articles/technology/future_tense/2015/07/encryption_back_doors_aren_t_necessary_we_re_already_in_a_golden_age_of.html

   [Excerpt:]

... the Review Group on Intelligence and Communications Technology report,
released in December 2013, unanimously and clearly recommended that the
U.S. government vigorously encourage the use of strong encryption, stating:

  We recommend that, regarding encryption, the US Government should:

  (1) fully support and not undermine efforts to create encryption standards;

  (2) not in any way subvert, undermine, weaken, or make vulnerable
      generally available commercial software; and

  (3) increase the use of encryption and urge US companies to do so, in
      order to better protect data in transit, at rest, in the cloud, and in
      other storage.

  With full awareness of the `going dark' concerns, we sharply criticized
  any attempt to introduce vulnerabilities into commercially available
  products and services, and found that even temporary vulnerabilities
  should be authorized only after administration-wide scrutiny.  Based on
  the top-secret briefings and our experience, we found these policies would
  best fight cybercrime, improve cybersecurity, build trust in the global
  communications infrastructure, and promote national security.

  At heart, providing access exceptions for U.S. law enforcement and
  intelligence agencies will be harmful, rather than helpful, to national
  security.  The inability to directly access the content of a small
  fraction of these communications does not warrant the subsequent damage
  that would result to privacy and to U.S. economic, diplomatic, and
  security interests.

Peter Swire is the Huang professor of law and ethics at the Georgia
Institute of Technology, senior counsel with Alston & Bird LLP, and a
cyber-fellow with New America.


The history of backdoors and exceptional access (Matt Green)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 20 Jul 2015 12:59:42 PDT
Matt Green (JHU) has an outstanding and well-written blog post on
exceptional access and related subjects—and their historical context.
http://blog.cryptographyengineering.com/2015/07/a-history-of-backdoors.html


Nice little biz you got there, Apple. Hate for any laws to mess it up. (Benjamin Wittes)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 10:25:35 -0700
Benjamin Wittes, LawFareBlog, 12 Jul 2015
Thoughts on Encryption and Going Dark, Part II: The Debate on the Merits
http://www.lawfareblog.com/thoughts-encryption-and-going-dark-part-ii-debate-merits


Code first, see how it looks later...

Gabe Goldberg <gabe@gabegold.com>
Wed, 15 Jul 2015 23:23:41 -0400
...what could go wrong? From Government Technology magazine, June 2015
http://www.govtech.com/magazines/gt/Government-Technology-June-2015.html

Designing in Reverse

Utah unveiled the latest iteration of its portal in April, with a new
mobile-first design that uses analytics to provide citizens an online
experience that's localized, personalized and individualized.  “We are
trying to make Utah.gov something that will stand out for people, keep them
coming back and help them navigate as easily as possible,'' said Utah CTO
Dave Fletcher.  The state also worked to make the redesigned site truly
device agnostic, so it adjusts dynamically and automatically based on the
user. To accomplish this, the portal was designed in reverse. Rather than
creating a wireframe of the site's look and then coding to match that look,
they started with the coding and didn't get to see how the site looked until
later.


U.S. vs. Hackers: Still Lopsided...

Werner U <werneru@gmail.com>
Sun, 19 Jul 2015 15:15:49 +0200
(19 Jul 2015, SlashDot, based on NYT)

Despite Triage, US Federal Cybersecurity Still Lags Behind
<http://yro.slashdot.org/story/15/07/19/0359200/despite-triage-us-federal-cybersecurity-still-lags-behind>
U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push
<http://www.nytimes.com/2015/07/19/us/us-vs-hackers-still-lopsided-despite-years-of-warnings-and-a-recent-push.html?ref=technology>

*According to *The New York Times*, U.S. government officials will soon
announce all the improvements their IT security teams have made to federal
systems in response to the OPM breach. Unfortunately, says the Times, these
updates only just scratch the surface, and are more to show that the
government is "doing something" than to fix the long-standing problems with
how it handles security. "After neglect that has been documented in dozens
of audits for nearly two decades, the federal government is still far behind
its adversaries. And it is still struggling to procure the latest
technological defenses or attract the kind of digital security expertise
necessary to secure its networks."  It seems each agency has to be hit by a
cyberattack, causing it to go into panic-mode independently, before learning
to properly safeguard its systems. Officials say far too much money is
wasted on figuring out who and what to blame, rather than on ameliorating
the problem. "At the Internal Revenue Service, auditors identified 69
vulnerabilities in the agency's networks last year, but when officials there
told Government Accountability Office auditors this year that they had fixed
24 of those problems, investigators found only 14 had been resolved."*

U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push
<http://www.nytimes.com/2015/07/19/us/us-vs-hackers-still-lopsided-despite-years-of-warnings-and-a-recent-push.html>By

Michael D. Shear and Nicole Perlroth, *TheNYTimes*, 18 Jul 2015

In the month since a devastating computer systems breach at the Office of
Personnel Management, digital SWAT teams have been racing to plug the most
glaring security holes in government computer networks and prevent another
embarrassing theft of personal information, financial data and national
security secrets.


Cameron --> Cameroff

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 15 Jul 2015 3:54:19 PDT
Cameron (who previously wanted to ban *all cryptography*) subsequently
reversed hiself.
http://uk.businessinsider.com/uk-government-not-going-to-ban-encryption-2015-7


Flaw in British school Internet monitoring software

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 14 Jul 2015 15:38:44 PDT
http://www.theguardian.com/technology/2015/jul/14/security-flaw-found-in-school-internet-monitoring-software
  [Thanks to Ross Anderson]


Twitter privacy fail exposes private phone numbers

Lauren Weinstein <lauren@vortex.com>
Wed, 15 Jul 2015 17:28:55 -0700
Thanks a bunch, Twitter. If I had been at a public terminal or somewhere else
with other people around, you would have just proudly revealed my private
phone number to everyone. Jeez.  [NNSquad]

[Image]: https://plus.google.com/u/0/+LaurenWeinstein/posts/3MnyvtyTqfX


You Need to Speak Up For Internet Security. Right Now.

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 09:32:37 -0700
Katie Moussouris.  Security, 16 Jul 2015
Vendors receiving vulnerability reports will have to apply for `deemed
export licenses'.  Vulnerability disclosure itself is threatened by the new
rules.  Some researchers' work will be commandeered by their own government
for use in surveillance if they turn it over to request an export license.
https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-19
https://www.wired.com/2015/07/moussouris-wassenaar-open-comment-period/


Controversial new law on 'right to be forgotten' stirs debate in Russia

Lauren Weinstein <lauren@vortex.com>
Sun, 19 Jul 2015 09:07:21 -0700
(Russia Beyond the Headlines):
http://rbth.com/politics/2015/07/14/controversial_new_law_on_right_to_be_forgotten_stirs_debate_in_russi_47745.html

  Russia has adopted a law on the so-called "right to be forgotten," which
  will require internet search engines to remove links to personal
  information at the request of citizens.  Although State Duma deputies
  claim the legislation mirrors that of the European Union, industry players
  strongly oppose the law, predicting a series of lawsuits, while lawyers
  say that such a right is unconstitutional and express concern that the law
  will be used by prominent individuals to selectively edit their past.


FireEye ex-intern arrested for Darkode malware (Darren Pauli)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 06:04:17 -0700
  [Making privateers also means making pirates; there's lots more tears and
  gibbeting to come.  It's time for a little mutiny against 'bug bounties'.]

Darren Pauli, *The Register*, 16 Jul 2015
FireEye intern nailed in Darkode downfall was VXer, say the Feds: 'Helped
improve detection capabilities' while allegedly selling badass trojan toolkit
http://www.theregister.co.uk/2015/07/16/fireeye_intern_morgan_culbertson_allegedly_darkode_vxer_dendroid/

Background:
https://en.wikipedia.org/wiki/List_of_pirates
https://en.wikipedia.org/wiki/Gibbet


"Oracle fixes zero-day Java flaw and over 190 other vulnerabilities" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 17 Jul 2015 09:49:54 -0700
Lucian Constantin, InfoWorld
Users should update Java as soon as possible because attackers are
already taking advantage of at least one vulnerability
http://www.infoworld.com/article/2948208/security/oracle-fixes-zeroday-java-flaw-and-over-190-other-vulnerabilities.html


Dog Bites Man; Surveillance Software Hacked (Thomas Fox-Brewster)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 14:43:21 -0700
  [FYI—Another day, another "shocked, shocked" story of hacked
  surveillance software.  This would be boring, except that the FBI really,
  really wants to be invited to this party, too.]

Thomas Fox-Brewster, *Forbes*, 14 Jul 2015
This 'Anti-Radicalisation' Tech Teachers Use To Monitor Kids Has A Shocking Security Hole
http://www.forbes.com/sites/thomasbrewster/2015/07/14/child-surveillance-vulnerability/


Hairless Head in a Clueless Photo Booth

Monty Solomon <monty@roscom.com>
Mon, 20 Jul 2015 09:12:46 -0400
A simple errand to get a passport photo exposes the blinkered logic lurking
in the rule-bound technologies that pervade our lives.
http://www.nytimes.com/2015/07/19/your-money/hairless-head-in-a-clueless-photo-booth.html

  [Same article noted by George Mannes:
  Algorithm of passport photo booth crops off head of bald subject
  PGN]


Trying to Win the Public's Trust With Autonomous Cars, at 120 MPH

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 09:18:31 -0400
Engineering a self-driving car is difficult enough. Now the public has to be
  convinced that the technology works.
http://www.nytimes.com/2015/07/17/automobiles/trying-to-win-the-publics-trust-with-autonomous-cars-at-120-mph.html

  [Works?  Maybe.  But is it safe, secure, nonsubvertible, private, etc.  PGN]


California Firefighters impeded by drones

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 17 Jul 2015 22:37:47 PDT
http://gizmodo.com/firefighters-cant-save-people-burning-in-cars-because-o-1718675039
  Monty Solomon also noted:
    http://www.pbs.org/newshour/rundown/drones-california-fire/


Gun-Firing Drone Raises Some Eyebrows

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 17 Jul 2015 4:39:28 PDT
A video posted on YouTube showing a drone firing a gun in a wooded area has
caused some controversy today.  The short video shows a four-rotored custom
drone with a special rig containing a handgun. The handgun proceeds to fire
four shots, handling the recoil better than might be expected. The user who
posted the video also submitted it to Reddit, where a commenter noted that
the apparent use of a solenoid trigger would class the device as an
automatic weapon under ATF rules.

http://tech.slashdot.org/story/15/07/16/1455223/gun-firing-drone-raises-some-eyebrows>
<https://www.youtube.com/watch?v=xqHrTtvFFIs>
<http://www.theguardian.com/technology/2015/jul/16/drone-firing-handgun-video-youtube>
<http://thestack.com/drone-firing-gun-160715>
<https://www.reddit.com/r/guns/comments/3cyd67/>


Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 20 Jul 2015 10:46:09 PDT
Advocatus Diaboli writes: Email conversations posted on WikiLeaks reveal
that Boeing and Hacking Team want drones to carry devices that inject
spyware into target computers through WiFi networks
<http://it.slashdot.org/story/15/07/19/2322240/hacking-team-and-boeing-subsidiary-envisioned-drones-deploying-spyware>
<http://it.slashdot.org/%7EAdvocatus+Diaboli>
<https://firstlook.org/theintercept/2015/07/18/hacking-team-wanted-infect-computers-drone/>.

The Intercept reports: "The plan is described in internal emails from the
Italian company Hacking Team, which makes off-the-shelf software that can
remotely infect a suspect's computer or smartphone, accessing files and
recording calls, chats, emails and more. A hacker attacked the Milan-based
firm earlier this month and released hundreds of gigabytes of company
information online. Among the emails is a recap of a meeting in June of this
year, which gives a "roadmap" of projects that Hacking Team's engineers have
underway. On the list: Develop a way to infect computers via drone. One
engineer is assigned the task of developing a "mini" infection device, which
could be "ruggedized" and "transportable by drone (!)" the write-up notes
enthusiastically in Italian. The request appears to have originated with a
query from the Washington-based Insitu, which makes a range of unmanned
systems, including the small ScanEagle surveillance drone, which has long
been used by the militaries of the U.S. and other countries. Insitu also
markets its drones for law enforcement."


Boeing: "P0wn drops keep falling on my head"

Henry Baker <hbaker1@pipeline.com>
Sat, 18 Jul 2015 15:31:06 -0700
Boeing In Deep Sh*tu: Are you smarter than a fifth grader?
"Insitu also markets its drones for law enforcement"
Another "NOBUS" conceit: NObody But US" could possibly do something this
clever.
https://firstlook.org/theintercept/2015/07/18/hacking-team-wanted-infect-computers-drone/

Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware
Cora Currier  2015, 18 July 2015

There are lots of ways that government spies can attack your computer, but a
U.S. drone company is scheming to offer them one more. Boeing subsidiary
Insitu would like to be able to deliver spyware via drone.


Swindlers Target Older Women on Dating Websites

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 08:21:52 -0400
Older people are ideal targets because they often have ample savings, own
their homes and may be lonely and susceptible to being deceived.
http://www.nytimes.com/2015/07/18/your-money/swindlers-target-older-women-on-dating-websites.html


PayPal Notice of policy update

Gabe Goldberg <gabe@gabegold.com>
Wed, 15 Jul 2015 18:25:07 -0400
Good: apology, clarification, and only opt-in autodialed or recorded calls,
or texts. And only two paragraphs of legalese to read. But, sigh—must
CALL customer support to revoke opt-in.

  "Notice of policy update"

  We value our relationship with you and work hard to communicate clearly.
  Recently, however, we did not live up to our own standards.

  Earlier this year, we sent you an email about updates that we planned to
  make to our User Agreement on July 1, 2015. The User Agreement is a
  document we share to help you understand your relationship with PayPal and
  the obligations we both have.

  Unfortunately, some of the language in this update caused confusion and
  concern with some of our customers about how we may contact you.

  To clear up any confusion, we have modified the terms of Section 1.10 of
  our User Agreement. The new language is intended to make it clear that
  PayPal primarily uses autodialed or prerecorded calls and texts to:

     Help detect, investigate and protect our customers from fraud
     Provide notices to our customers regarding their accounts or
       account activity
     Collect a debt owed to us

  In addition, the new Section 1.10(a) and 1.10(b) makes it clear that:

     We will not use autodialed or prerecorded calls or texts to contact
  our customers for marketing purposes without prior express written consent.
     Customers can continue to enjoy our products and services without
  needing to consent to receive autodialed or prerecorded calls or texts.
     We respect our customers' communications preferences and recognize
  that their consent is required for certain autodialed and prerecorded
  calls and texts. Customers may revoke consent to receive these
  communications by contacting PayPal customer support and informing us of
  their preferences.

  If you are interested, you can read this updated section of the User
  Agreement below and by clicking on the links at the bottom of this
  message.

  We apologize for any confusion we may have caused. Should you have any
  additional questions, please don't hesitate to reach out to our customer
  service team.

https://view.paypal-communication.com/w/DXWSIO7/MS9YBC/ASU0OD8/QXQPJP/1/34db06e43778403c1835/


How a Simple Browser Add-On is Changing the Way Visually Impaired People Use the Web

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Jul 2015 18:32:09 -0700
NNSquad

http://magazine.good.is/articles/depict-accessibility-visual-impairment-web-browsing

  Last month, Parsley presented Depict, a crowd-sourced image description
  tool that could change the experience of the browsing the web for the
  blind and visually impaired. The tool works in two parts--a browser
  extension for blind users that provides user-created descriptions of
  images around the Internet, and a website for sighted users to provide
  those requested descriptions. If a blind user clicks on an image of an
  apple tree, which is not properly described in the HTML code, the photo
  will appear on the crowd-sourced website where sighted users can write
  "apple tree." The highest rated description based on sighted user votes
  will then replace the original description, and be read aloud to any blind
  user that scrolls over the photograph in the future. Parsley's husband
  Jason Sanders helped her develop the final iteration of Depict, which is
  now available as an extension on Google Chrome browsers.


Win10 updates to be mandatory for Home users (Peter Bright)

Henry Baker <hbaker1@pipeline.com>
Fri, 17 Jul 2015 06:15:39 -0700
  [The beginning or the end of an error?]

Peter Bright, Ars Technica, 17 Jul 2015
Now it will only take a National Security Letter for Microsoft to install
some govt's malware (warrant completely optional).
Only Enterprise users will be able to hold back the updates longterm.
http://arstechnica.com/information-technology/2015/07/windows-10-updates-to-be-automatic-and-mandatory-for-home-users/


New York Stock Exchange System Failure Draws Attention to Staff Cuts

Monty Solomon <monty@roscom.com>
Tue, 14 Jul 2015 22:55:58 -0400
http://www.nytimes.com/2015/07/15/business/big-board-system-failure-draws-attention-to-staff-cuts.html

Staff reductions in New York have been under scrutiny because of the
possibility that they left the exchange without enough experienced people to
manage a crisis like the one it faced last Wednesday.


"Hacking Team hacked, attackers claim 400GB in dumped data" (Steve Ragan)

Gene Wirchenko <genew@telus.net>
Mon, 20 Jul 2015 09:58:28 -0700
Steve Ragan, CSO, 5 Jul 2015
Firm made famous for helping governments spy on their citizens left exposed
http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html


Why the Islamic State leaves tech companies torn between free speech and security (WashPost)

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Jul 2015 11:22:58 -0700
*The Washington Post* via NNSquad
https://www.washingtonpost.com/world/national-security/islamic-states-embrace-of-social-media-puts-tech-companies-in-a-bind/2015/07/15/0e5624c4-169c-11e5-89f3-61410da94eb1_story.html

  "ISIS has been confronting us with these really inhumane and atrocious
  images, and there are some people who believe if you type 'jihad' or
  'ISIS' on YouTube, you should get no results," Victoria Grand, Google's
  director of policy strategy, told The Washington Post in a recent
  interview. "We don't believe that should be the case. Actually, a lot of
  the results you see on YouTube are educational about the origins of the
  group, educating people about the dangers and violence. But the goal here
  is how do you strike a balance between enabling people to discuss and
  access information about ISIS, but also not become the distribution
  channel for their propaganda?"

Related: "Terrorism, the Internet, and Google":
http://lauren.vortex.com/archive/001111.html (6/30/2015)


Heartbleed and beyond: Marine Corps 'cyber range' trains to fight off hackers

Gabe Goldberg <gabe@gabegold.com>
Wed, 15 Jul 2015 23:12:20 -0400
  [This sure is vague about exactly what this "range" consists of...]

A virtual training range developed for the Marine Corps to prepare troops
for cyber operations has been adapted to do everything from prepare for
offensive actions to secure networks defensively against hacking threats
like the Heartbleed security bug, Marine officials said.

The network was established by defense contractor ManTech within the last
year at a cost of about $9.1 million. Maintained at an office park just
south of Marine Corps Base Quantico, Va., it is used to train not only
troops who focus on cyber operations, but Marines who focus on
communications, intelligence and operational planning.

"Conceptually people might have a harder time picturing this battle space,
but it is battle space," said Col. Gregory T. Breazile, the director of the
service's cyber and electronic warfare integration division, in an
interview. "When we in the Marine Corps look at maneuver warfare, this is
maneuver warfare. It's fighting the enemy's weak points and exploiting those
weak points so that you can defeat your adversary."

https://www.washingtonpost.com/news/checkpoint/wp/2015/07/08/heartbleed-and-beyond-marine-corps-cyber-range-trains-to-fight-off-hackers/

Gabriel Goldberg, Computers and Publishing, Inc.  gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433


NSA Summer Camp: More Hacking Than Hiking

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 08:33:20 -0400
http://www.nytimes.com/2015/07/18/us/nsa-summer-camp-hacking-cyber-defense.html

The National Security Agency is making sure that middle school and high
school students—and some teachers, too—are learning how to hack, crack
and defend in cyberspace.


U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 08:37:23 -0400
http://www.nytimes.com/2015/07/19/us/us-vs-hackers-still-lopsided-despite-years-of-warnings-and-a-recent-push.html

Officials and experts acknowledge that the computer networks of many federal
agencies remain highly vulnerable to sophisticated cybercriminals, who are
often sponsored by other countries.


Civil Liability for End2End Encryption? (Conor Friedersdorf)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 15:25:54 -0700
  [FYI—OK, if we're going to have civil liability for end-to-end
  encryption, then it should go both ways; those who screw up customers'
  encryption should also have to pay—e.g., OPM, Sony, Target,
  Neiman-Marcus, etc.—and a lousy few hundred dollars for "credit
  monitoring" isn't nearly enough by orders of magnitude.  I suspect that
  the vast majority of the money will go to the Neiman customers rather than
  to kidnap victims' parents.]

Conor Friedersdorf, *The Atlantic*, 15 Jul 2015
Do Encrypted Phones Threaten National Security?
A legislator compares manufacturing devices with strong, end-to-end
encryption to dumping toxic waste in a stream.
http://www.theatlantic.com/politics/archive/2015/07/does-encryption-threaten-national-security/398573/


Re: Securing networks is harder than it was two years ago (R-28.78) (BetaNews)

"Bob Frankston" <bob2-53@bob.ma>
17 Jul 2015 21:38:03 -0400
What does it mean to "secure a network"? Is this like securing glass and
copper?

It's not that networks are harder to secure—the increased use of
connectivity exposes the naiveté inherent in the idea of securing the
network. This isn't as much a technical issues as a social problem as we
come to terms with the new topologies of relationships.

Of course this is about marketing a particular solution as if automation is
answer. People tend to forget that those algorithms amplify our naiveté
as well as our understanding.

Please report problems with the web pages to the maintainer

Top