[This is a lovely and quite incisive op-ed piece, and totally relevant for RISKS. PGN]

Zeynep Tufekci, Why `Smart' Objects May Be a Bad Idea, *The New York Times* op-ed, 11 Aug 2015

A FRIDGE that puts milk on your shopping list when you run low. A safe that tallies the cash that is placed in it. A sniper rifle equipped with advanced computer technology for improved accuracy. A car that lets you stream music from the Internet. All of these innovations sound great, until you learn the risks that this type of connectivity carries. ... Hackers can empty the smart safe with a single USB stick, while erasing activity logs... Researchers managed to remotely manipulate a high-tech rifle, unbeknownst to the shooter... The Internet of Hacked Things ...
Mark Ward, BBC News, 9 Aug 2015, via ACM TechNews, 12 Aug 2015

The Linux-based Web server software that generates random numbers used to scramble or encrypt data should be stronger, suggests a study presented at the Black Hat security event in Las Vegas. The sources of data that some computers call on to generate random numbers often run dry, according to security analyst Bruce Potter and researcher Sasha Wood. The software generates strings of data used as "seed" for random numbers, and ideally the pool of data would possess a high degree of "entropy." However, Potter and Wood found the entropy of the data streams is often very low because the machines are not generating enough raw information for them. Moreover, the researchers warn the server security software does little to check whether a data stream has high or low entropy. The research exposed unknown aspects of encryption on millions of widely used servers. Potter and Wood describe the finding as "scary," and caution it could mean random numbers are more susceptible to well-known, brute-force attacks that leave personal data vulnerable.
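The item's complaint is that server software rarely checks the quality of its seed material. The following is an added example, not code from the BBC article or from Potter and Wood's work, showing the simplest form such a check can take: estimate the byte-level Shannon and min-entropy of a seed buffer and refuse buffers that are stuck or patterned. The three seed buffers, the 6.0 bits/byte threshold and the name `seed_looks_weak` are assumptions for this example. Byte statistics cannot prove unpredictability (the deterministic hash chain passes), so the check catches bad sources; it does not certify good ones.

```python
"""Sanity checks on seed material for a random-number generator.

Added example (not from the BBC article or from Potter and Wood's work).
It shows the kind of entropy check the article says server software
rarely performs: estimate how much variety a buffer of seed bytes has
and refuse buffers that are obviously stuck or patterned.  Byte
statistics cannot prove unpredictability (a deterministic hash chain
passes, as the constructed 'hashed' sample shows), so this catches bad
sources, it does not certify good ones.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 .. 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def min_entropy_bits_per_byte(data: bytes) -> float:
    """Min-entropy: driven by the single most frequent byte value.

    This is the conservative figure used when rating entropy sources,
    because an attacker guessing the most likely value wins most often.
    """
    if not data:
        return 0.0
    most_common = max(Counter(data).values())
    return -math.log2(most_common / len(data))


def seed_looks_weak(seed: bytes, min_bits_per_byte: float = 6.0) -> bool:
    """Reject seed material that is empty, stuck, or low-variety.

    The 6.0 bits/byte threshold is an assumption for this example, chosen
    so that a counter or repeated-byte buffer is refused while a buffer
    with a near-uniform byte distribution passes.
    """
    return min_entropy_bits_per_byte(seed) < min_bits_per_byte


def kernel_entropy_avail():
    """Linux-only: the kernel's own estimate of bits in its input pool.

    Returns None where the proc file does not exist (non-Linux, sandbox).
    """
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read().strip())
    except OSError:
        return None


def constructed_seed_samples() -> dict:
    """Constructed seed buffers for demonstration, 4096 bytes each."""
    stuck = b"\x00" * 4096                  # a source that has run dry
    counter = bytes(range(16)) * 256        # a patterned, low-variety source
    hashed, state = b"", b"example-seed"    # deterministic SHA-256 chain
    while len(hashed) < 4096:
        state = hashlib.sha256(state).digest()
        hashed += state
    return {"stuck": stuck, "counter": counter, "hashed": hashed[:4096]}


if __name__ == "__main__":
    for name, seed in constructed_seed_samples().items():
        print(f"{name:8s} shannon={shannon_entropy_bits_per_byte(seed):.2f} "
              f"min={min_entropy_bits_per_byte(seed):.2f} "
              f"weak={seed_looks_weak(seed)}")
    print("kernel entropy_avail:", kernel_entropy_avail())
```

The stuck buffer scores 0 bits/byte, the counter exactly 4, and the hash chain close to 8 on both measures, which is the point: a statistical check distinguishes a dry or patterned source from a varied one, but cannot tell a varied deterministic stream from true randomness.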
Adam Rogers, *WiReD*, 6 Aug 2015
https://www.wired.com/2015/08/googles-search-algorithm-steal-presidency/

Imagine an election—a close one. You're undecided. So you type the name of one of the candidates into your search engine of choice. (Actually, let's not be coy here. In most of the world, one search engine dominates; in Europe and North America, it's Google.) And Google coughs up, in fractions of a second, articles and facts about that candidate. Great! Now you are an informed voter, right? But a study published this week says that the order of those results, the ranking of positive or negative stories on the screen, can have an enormous influence on the way you vote. And if the election is close enough, the effect could be profound enough to change the outcome.

[Apparently paywalled.] http://www.eurekalert.org/jrnls/pnas/1419828112.full.pdf

In other words: Google's ranking algorithm for search results could accidentally steal the presidency. “We estimate, based on win margins in national elections around the world,'' says Robert Epstein, a psychologist at the American Institute for Behavioral Research and Technology and one of the study's authors, “that Google could determine the outcome of upwards of 25 percent of all national elections.'' Epstein's paper combines a few years' worth of experiments in which Epstein and his colleague Ronald Robertson gave people access to information about the race for prime minister in Australia in 2010, two years prior, and then let the mock-voters learn about the candidates via a simulated search engine that displayed real articles. One group saw positive articles about one candidate first; the other saw positive articles about the other candidate. (A control group saw a random assortment.) The result: Whichever side people saw the positive results for, they were more likely to vote for—by more than 48 percent. The team calls that number the `vote manipulation power', or VMP.
The effect held -- strengthened, even—when the researchers swapped in a single negative story into the number-four and number-three spots. Apparently it made the results seem even more neutral and therefore more trustworthy.
Claire Cain Miller, *The New York Times*, 10 Aug 2015

In an interview, Microsoft Research scientist Cynthia Dwork describes how algorithms can learn to discriminate because they are programmed by coders who incorporate their biases. In addition, she says they are patterned on human behavior, so they reflect human biases. Dwork defines her research as "finding a mathematically rigorous definition of fairness and developing computational methods--algorithms--that guarantee fairness." She notes a study she co-authored found that "sometimes, in order to be fair, it is important to make use of sensitive information while carrying out the classification task. This may be a little counterintuitive: the instinct might be to hide information that could be the basis of discrimination." Dwork says fairness entails similar people are treated in a similar manner. "A true understanding of who should be considered similar for a particular classification task requires knowledge of sensitive attributes, and removing those attributes from consideration can introduce unfairness and harm utility," she notes. The development of a fairer algorithm would involve serious consideration about who should be treated similarly to whom, according to Dwork. She says the push to train algorithms to protect certain groups from discrimination is relatively young, but the Fairness, Accountability, and Transparency in Machine Learning workshop is a promising research area.
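"Similar people are treated in a similar manner" can be made mechanically checkable: for every pair of individuals x and y, the gap between the model's outputs, |M(x) - M(y)|, must not exceed a task-specific distance D(x, y) that encodes who really is similar for this decision. The following added example (not code from the interview or from Dwork's work) runs that pairwise check over a constructed scenario: a score that, by assumption in this example, the task owner knows reads 0.2 lower for group B, so the similarity metric compares group-adjusted scores. A model blind to the group attribute then treats equally qualified applicants differently, while the group-aware model does not. The applicants, the offset, and the names `blind_model`, `aware_model` and `lipschitz_violations` are all constructed for this example.

```python
"""Checking 'similar individuals get similar outcomes' (added example).

Not code from the interview or from Dwork's papers.  It formalises the
criterion in the text as a Lipschitz condition: for any two individuals
x and y, |M(x) - M(y)| must not exceed D(x, y), where D is a task-specific
distance that says how similar two people really are for this decision.
The scenario is constructed: a score that, by assumption, the task owner
knows reads 0.2 lower for group B (for instance, a test known to be
biased).  A sensible similarity metric therefore compares group-adjusted
scores, which is exactly why the sensitive attribute must be visible.
"""
import itertools

GROUP_B_OFFSET = 0.2  # assumed, constructed bias for this example


def adjusted_score(person: dict) -> float:
    """Task-relevant notion of merit; needs the sensitive attribute."""
    bump = GROUP_B_OFFSET if person["group"] == "B" else 0.0
    return person["score"] + bump


def task_distance(x: dict, y: dict) -> float:
    """D(x, y): how different two applicants are for this decision."""
    return abs(adjusted_score(x) - adjusted_score(y))


def blind_model(person: dict) -> float:
    """Ignores the sensitive attribute and scores on the raw number."""
    return min(1.0, max(0.0, person["score"]))


def aware_model(person: dict) -> float:
    """Uses the sensitive attribute to read the score correctly."""
    return min(1.0, max(0.0, adjusted_score(person)))


def lipschitz_violations(people, distance, model, tolerance=1e-9):
    """Pairs (i, j, gap) where |model(x_i) - model(x_j)| exceeds distance(x_i, x_j).

    An empty list means the model treats similar people similarly under
    the given metric; each entry is a pair the model tells apart by more
    than the task says it should.
    """
    violations = []
    for (i, x), (j, y) in itertools.combinations(enumerate(people), 2):
        gap = abs(model(x) - model(y)) - distance(x, y)
        if gap > tolerance:
            violations.append((i, j, round(gap, 4)))
    return violations


# Constructed applicants: index 0 and 2 are equally qualified once the
# group-B offset is taken into account, as are 1 and 3.
APPLICANTS = [
    {"group": "A", "score": 0.6},
    {"group": "A", "score": 0.3},
    {"group": "B", "score": 0.4},
    {"group": "B", "score": 0.1},
    {"group": "B", "score": 0.5},
]

if __name__ == "__main__":
    print("blind:", lipschitz_violations(APPLICANTS, task_distance, blind_model))
    print("aware:", lipschitz_violations(APPLICANTS, task_distance, aware_model))
```

The blind model fails on three pairs (0 vs 2, 0 vs 3, 1 vs 3), each by 0.2, which is exactly the hidden offset; the aware model produces no violations. The check is only as good as the metric, which is why deciding who should be treated similarly to whom is the hard part, as the interview says.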
Cohorn Law via NNSquad
http://cohornlaw.com/what-attorneys-and-their-clients-need-to-know-about-windows-10-and-microsofts-new-privacy-policies/

In addition [to] killing what remained of privacy on the Internet, Microsoft also purports to require its users to give up important intellectual property rights: "When you share Your Content with other people, you expressly agree that anyone you've shared Your Content with may, for free and worldwide, use, save, record, reproduce, transmit, display, communicate ... Your Content. If you do not want others to have that ability, do not use the Services to share Your Content." I have serious doubts about the enforceability of this provision - but users should be aware of it.
https://plus.google.com/+LaurenWeinstein/posts/EUU9G8ss1nQ The key factor is the change from expected state prior to the upgrade. When people bump up to W10, the default info sharing is utterly different -- vastly expanded—from what they consider normal under W7. And even more to the point, now involves all manner of data that has traditionally been local under Windows. When you use a cloud-based service, you normally have made a conscious decision to do so, and then a variety of boilerplate comes into play to permit processing. But the 180 done by MS is dramatic. A law firm that may in the past have chosen to keep their data all local—for whatever reason—now would be in a very different ecosystem simply by accepting the W10 upgrade with its defaults. Very bad.
http://www.nytimes.com/2015/08/12/business/dealbook/insider-trading-sec-hacking-case.html The international scheme generated more than $100 million in illegal profits, and the S.E.C. is bringing a parallel lawsuit in the case.
https://plus.google.com/+LaurenWeinstein/posts/aW53ypatwVy BMW reports that their alphabet.com site is overloaded (testing shows it to be currently unreachable) since Google's ALPHABET, Inc. announcement. BMW has asserted that not only do they not want to relinquish that domain, which they say is an active part of a subsidiary, but that they were not approached by Google to sell the domain or pre-informed in any way of the Google announcement. If BMW's statements in these regards are true, it strikes me as impolite and uncaring at best for Google to have not given BMW some sort of warning—issues of wanting to surprise the world notwithstanding—given that it was entirely predictable that an announcement like this would cause activity that would likely overwhelm BMW's servers unless proactive action were taken.
NBCNews, August 7, 2015 http://www.nbcnews.com/tech/security/cyberattack-pentagons-joint-staff-emails-take-system-offline-n405321 The Pentagon took its Joint Staff unclassified email system offline nearly two weeks ago, after detecting a "sophisticated cyberattack" by alleged Russian hackers, U.S. officials told NBC News on Thursday. According to the officials, the intrusion occurred sometime around July 25 and affected about 4,000 military and civilian personnel who work for the Joint Chiefs of Staff. ...
The Hacker News via NNSquad
http://thehackernews.com/2015/08/icann-hacked.html

ICANN (Internet Corporation for Assigned Names and Numbers) - the organisation responsible for allocating domain names and IP addresses for the Internet - has been hacked, potentially compromising its customers' names, email addresses, hashed passwords, and more. The US-administered non-profit corporation admitted on Wednesday that its server security was breached within the past week and that ... an "unauthorised person" gained access to usernames, email addresses, and encrypted passwords for profile accounts on the ICANN.org public website. The organisation believes that the leaked information includes harmless information such as user preferences, public biographies, interests, newsletters, and subscriptions.

"Fool me once, shame on you—fool me twice, shame on me."
Engadget via NNSquad
http://www.engadget.com/2015/08/07/zigbee-security-flaw/

Manufacturers of smart home devices using the ZigBee standard are aiming for convenience at the expense of security, according to researchers from the Austrian security firm Cognosec. By making it easier to have smart home devices talk to each other, many companies also open up a major vulnerability with ZigBee that could allow hackers to control your smart devices. And that could be a problem if you rely on things like smart locks or a connected alarm system for home security. Specifically, Cognosec found that ZigBee's reliance on an insecure key link with smart devices opens the door for hackers to spoof those devices and potentially gain control of your connected home.

Every morning it's "I Got You Babe" on the radio. This is getting tiresome.
[Note: This item comes from friend Mike Cheponis. DLH] <via Dave Farber>

Sean Michael Kerner, E-Week, 7 Aug 2015
http://www.eweek.com/security/def-con-proxyham-talk-disappears-but-technology-is-no-secret.html

LAS VEGAS—Part of the drama at any Black Hat or DefCon security conference in any given year usually revolves around a talk that is canceled for some mysterious reason, typically over fears that it could reveal something truly disruptive. Such is the case in 2015 at DefCon with a talk called ProxyHam, which was supposed to reveal technology that could enable an attacker to wirelessly proxy traffic over long distances, hiding their true location. The original ProxyHam talk was also set to be accompanied by the sale of ProxyHam devices that could have enabled purchasers to conduct the wireless proxy attack at their leisure. Speculation around why the ProxyHam talk was canceled involved theories that the Federal Communications Commission got the talk canceled, though that has never officially been confirmed or denied. While the ProxyHam talk was canceled, it has been replaced by a talk set to be delivered at 4 p.m. PT at DefCon and titled "HamSammich—long-distance proxying over radio," in which security researchers Robert Graham, CEO of Errata Security, and David Maynor, chief scientist at Bastille Networks, will reveal how ProxyHam works and how it can be built using off-the-shelf technology today. In an exclusive video interview with eWEEK prior to the talk, Graham and Maynor detail the technology and its shortcomings, as well as suggestions for how an organization can attempt to protect itself from a ProxyHam-type risk. "With ProxyHam, the idea was to take a little box, hide in a bar or a Starbucks, tap into their WiFi and then use a long-distance point-to-point link in order to tap in remotely from many miles away to the bar's WiFi network," Graham told eWEEK. The technique that ProxyHam uses involves the use of a Raspberry Pi device and a large antenna.
The HamSammich approach does the same thing in terms of long-distance proxy, but with an off-the-shelf WiFi router and a 900MHz radio transmitter that, according to Graham and Maynor, can be used legally within the confines of FCC regulations. The promise of using 900MHz is that it's a piece of radio spectrum that is typically not monitored by organizations. The challenge is that it generally requires line of sight, meaning that a proxied attacker could likely be easily located as well. Maynor noted that there was a backlash on social media when the original ProxyHam talk was canceled. "Our goal is to show that ProxyHam did not actually enhance security," Maynor said. "It does the exact opposite, causing more trouble than you can fix." Watch the full video discussion of how ProxyHam works with Graham and Maynor [...]
Santa Ana police officers sue to quash video of pot shop raid
Scott Schwebke, OC Register, 3 Aug 2015
http://www.ocregister.com/articles/police-675722-officers-video.html

SANTA ANA—Three Santa Ana police officers want to quash a surveillance video that shows officers making derogatory comments about a disabled woman and possibly snacking on pot edibles during a recent raid of a medical marijuana dispensary. A lawsuit, filed last week in Orange County Superior Court by three unidentified police officers and the Santa Ana Police Officers Association, seeks to prevent Santa Ana Police Department internal affairs investigators from using the video as they sort out what happened during the May 26 raid of Sky High Collective. [...] Matthew Pappas, a lawyer for Sky High, pointed to the irony of police seeking to shoot down the use of video as evidence in an investigation when they routinely use videos to investigate other crimes. [...] The lawsuit argues that the video doesn't paint a fair version of events. The suit also claims the video shouldn't be used as evidence because, among other things, the police didn't know they were on camera. “All police personnel present had a reasonable expectation that their conversations were no longer being recorded and the undercover officers, feeling that they were safe to do so, removed their masks.'' The dispensary also did not obtain consent of any officer to record them. “Without the illegal recordings, there would have been no internal investigation of any officer.'' Pappas counters that the suit is baseless because the officers were aware the dispensary had video cameras and managed to disable most of them. “They knew they were on video. ... Just because they missed one camera doesn't make it illegal.'' [...]

[Is the pot calling the fettle back? PGN]
http://www.abqjournal.com/608325/news/social-media-breaks-new-legal-ground.html excerpt: A Texas man used social media to promote his gun store, posting politically charged messages that criticized the president and promoted Second Amendment rights. But after losing ownership of his suburban Houston store in bankruptcy, Jeremy Alcede spent nearly seven weeks in jail for refusing a federal judge's order to share with the new owner the passwords of the business's Facebook and Twitter accounts, which the judge had declared property. Alcede's ultimately failed stand charts new territory in awarding property in bankruptcy proceedings and points to the growing importance of social media accounts as business assets. Legal experts say it also provides a lesson for all business owners who are active on social media. Bankruptcy Judge Jeff Bohm, who handled Alcede's case, acknowledged “the landscape of social media is yet mostly uncharted in bankruptcy,'' and cited a 2011 New York bankruptcy court case that treated such accounts like subscriber lists, which “provide valuable access to customers and potential customers.'' Villanova University School of Law professor Michael Risch said Facebook and Twitter accounts, among other social media platforms, are now seen as property by companies. “I suspect that's what the judge was looking at, is this primarily an asset being used for business advertising to get customers to talk about what is going on with the company,'' said Risch, who specializes in Internet law.
Information Week via NNSquad http://www.informationweek.com/cloud/infrastructure-as-a-service/ibm-locks-up-cloud-processes-with-patents/a/d-id/1321593 One is about scaling down a virtual machine as its traffic recedes, another deploys sensitive data to a secure server, and a third creates snapshots of virtual machines for rapid recovery in the event of a failed workload. These examples don't necessarily bring to mind a sense of blinding brilliance or original innovation, but these cloud operations can be patented.
A team of researchers have been able to automate "cargo cult programming" (https://en.wikipedia.org/wiki/Cargo_cult_programming):

"Code has been automatically "transplanted" from one piece of software to another for the first time, with researchers claiming the breakthrough could radically change how computer programs are created.

"The process, demonstrated by researchers at University College London, has been likened to organ transplantation in humans. Known as MuScalpel, it works by isolating the code of a useful feature in a 'donor' program and transplanting this "organ" to the right "vein" in software lacking the feature. Almost all of the transplant is automated, with minimal human involvement. ...

"Like an organ that has been transplanted, there's a chance that features could be rejected by the new host. But when a code transplant fails the system can simply try again, potentially hundreds or even thousands of times." —*WiReD*, Programming, 30 July 2015.
http://www.wired.co.uk/news/archive/2015-07/30/code-organ-transplant-software-myscalpel

Poor programmers have always written programs by chopping out bits of old programs and smooshing them together, fiddling with the result until it "sort of works" and then calling it "done". And creating a huge mess of security holes in the process! Now that this process can be automated, good programmers (who actually try to control complexity) will never be able to compete with the "productivity" of the computer-assisted cut-and-paste brigade.

Dr Martin Ward, STRL Principal Lecturer & Reader in Software Engineering
firstname.lastname@example.org http://www.cse.dmu.ac.uk/~mward/

[Can you spell `malware'? PGN]
Hover, the registrar run by Tucows, had an event: i.e., "... there appears to have been a brief period of time when unauthorized access to one of our systems could have occurred." So they reset all the user account passwords & sent a note around. BUT: They sent the letter from a totally unrelated domain: <mcdlv.net> It appears to belong to something called "MailChimp.com". Plus the URLs embedded in that mail are from elsewhere: "list-manage1.com" And while their webpage is responding at http://www.hover.com, there is no note on the site's pages mentioning the break-in & mailing. And this is NOT a "too clueless to fail" multinational bank or such. A registrar's *whole existence* is to sell you on the personalization owning your domain brings you. Too bad they don't practice what they preach. When I reached them by phone, at a number I had in my records, the poor representative admitted she had *many* callers say just what I did.
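A breach notice that arrives from an unrelated sending domain, with links that point somewhere else again, is indistinguishable from a phishing message to the recipient, which is what the callers above were reacting to. The following added example (not code from Hover, Tucows or MailChimp) is a small audit a recipient or a mail gateway could run on such a notice: parse the message, take the domain of the From: address, extract the URLs in the body, and flag anything that does not live under the domain the message claims to speak for. The two message texts are constructed; the domains mcdlv.net and list-manage1.com are the ones the comment mentions, and the paths and token are placeholders.

```python
"""Audit a breach-notification email for sender/link domain consistency.

Added example; not code from Hover, Tucows, or MailChimp.  It checks the
two things the comment above complains about: whether the message was
sent from the registrar's own domain and whether the links it carries
point back to that domain.  The message texts are constructed for this
example; the domains mcdlv.net and list-manage1.com are the ones the
comment mentions, the paths and tokens are placeholders.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased ('' if unparsable)."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_under(host: str, expected_domain: str) -> bool:
    """True when host is expected_domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def audit_notice(raw_message: str, expected_domain: str) -> dict:
    """Flag a notice whose sender or links live outside expected_domain."""
    msg = email.message_from_string(raw_message)
    # Single-part text message assumed; a multipart body would need walking.
    body = msg.get_payload() if not msg.is_multipart() else ""
    link_hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    foreign = sorted(h for h in link_hosts if not is_under(h, expected_domain))
    sender = sender_domain(msg)
    sender_ok = is_under(sender, expected_domain)
    return {
        "sender_domain": sender,
        "sender_matches": sender_ok,
        "foreign_link_hosts": foreign,
        "suspicious": (not sender_ok) or bool(foreign),
    }


# Constructed: resembles the mailing described above.
SUSPICIOUS_NOTICE = """\
From: Hover Support <noreply@mcdlv.net>
To: customer@example.net
Subject: Please reset your password

There appears to have been a brief period of time when unauthorized
access to one of our systems could have occurred. Reset your password:
http://list-manage1.com/track/click?u=PLACEHOLDER
"""

# Constructed: what a consistent notice would look like.
CLEAN_NOTICE = """\
From: Hover Support <support@hover.com>
To: customer@example.net
Subject: Please reset your password

Reset your password at https://www.hover.com/reset and see
https://www.hover.com/security for details.
"""

if __name__ == "__main__":
    print(audit_notice(SUSPICIOUS_NOTICE, "hover.com"))
    print(audit_notice(CLEAN_NOTICE, "hover.com"))
```

The suffix test in `is_under` is deliberately strict about the registrable domain: a tracking host under a third-party domain is flagged even when it carries the registrar's name as a subdomain label, because that is precisely the pattern phishing mail imitates.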
FYI—Finally, a cyberwar expert who admits that "deterrence" is a bankrupt strategy for stopping cyberattacks. However, Arquilla doesn't understand what "defense" is required in this case; he thinks the fighter pilots of the Battle of Britain will save the day in today's cyberwars. Nevertheless, perhaps Arquilla can stop the U.S. from hurling invectives that only underline the impotence of U.S. cyberstrategy and significantly destabilize the world's security.

"The innocent are held hostage by the threat of nuclear holocaust"
MAD = "mutual assured *disruption*" = "a less stable situation"
"deterrence becomes problematic"
"deterrence is in pretty poor shape"
"The threat of retaliation with virtual weapons of mass disruption probably won't deter"
"the virtual defenses of the leading cyberpowers puts the United States in last place"

John Arquilla, Deterrence after Stuxnet, CACM, 4 Aug 2015
http://m.cacm.acm.org/blogs/blog-cacm/190371-deterrence-after-stuxnet/fulltext
Ars via NNSquad http://arstechnica.com/information-technology/2015/08/an-att-problem-allegedly-caused-outage-on-verizon-sprint-and-t-mobile/ The four major wireless carriers in the US had an outage lasting about five hours in several states last night, and a report from Re/code says it was all caused by a hardware problem in AT&T's network. Although AT&T, Verizon Wireless, T-Mobile US, and Sprint each operate their own cell towers, in the states where the outage occurred they apparently all acquire backhaul from AT&T's network. Re/code reported that "several telecommunications industry sources" confirmed that AT&T's network caused the outage for all four carriers in parts of Tennessee, Alabama, Kentucky and Indiana. (Another report said Georgia was affected as well.)
NPR via NNSquad http://www.npr.org/sections/alltechconsidered/2015/08/05/429649509/under-pressure-google-promises-to-update-android-security-regularly?utm_medium=RSS&utm_campaign=news Google is making big promises to fix its Android operating system. The company recently came under sharp criticism after researchers found a major flaw in Android would let hackers take over smartphones, with just a text message. Now, Google tells NPR and writes in a blog post, it'll work with other phone makers to fix that bug. And, going one step further, Google is rolling out a brand new system to protect smartphones regularly (not just once in a while). Very glad to see Google moving forward decisively in this direction. Kudos to the teams. Reference: "Lauren's Blog: When Google Leaves Users Behind" - http://lauren.vortex.com/archive/001097.html (4/22/15)
*The Guardian* via NNSquad http://www.theguardian.com/world/2015/aug/05/cybersecurity-cisa-bill-hackers-privacy-surveillance "Details are absolutely crucial especially when it comes to the sordid history the federal government has had protecting the kind of stuff you'd expect them to protect," Weinstein said. "I mean, how many examples do you need to have of the basic inability of the government to protect what you'd think would be the most sensitive information out there? We had a young guy clean out NSA with a thumb drive. Then they say they're going to ask for all this additional information and we're supposed to believe they're going to protect that."
Punch-line: “I love self-driving cars.'' http://www.xkcd.com/1559/
Whether it is fuel savings, safer commutes or freed-up time behind the wheel, motorists have many reasons to embrace self-driving cars. But another group is just as eager to see these vehicles on the road: politicians. Lawmakers from California, Texas and Virginia are wooing the autonomous-car industry, along with the jobs and tax revenue that come with it. They are financing research centers, building fake suburbs for testing the cars and, perhaps most important, going light on regulation, all in an effort to attract a rapidly growing industry. The prize: a piece of the estimated $20 billion automakers and other companies will spend globally on development over the next five years, according to an analysis by Gartner. http://www.nytimes.com/2015/08/07/automobiles/self-driving-cars-ignite-gold-rush-among-states.html
Surely I'm not the only one that realizes a software update is not going to fix the fundamental problem that this recall is about. The safety problem to be fixed is not that "someone found one of the vulnerabilities in the entertainment system and is going public with it". The problem is that someone put a wireless modem on the CAN bus, which is safety critical. Patching the one vulnerability in the entertainment system is not going to solve the problem because there are almost certainly plenty of other vulnerabilities in the entertainment system. People who write entertainment systems tend to worry more about features, performance, and a pretty UI. They were almost certainly not expecting anyone's life to depend on the correctness of their code. It's kind of like they're saying, "See, your colander has a hole in it here and your design depends on it not having any holes." "Oh, OK, we'll just patch that one hole you pointed out." I realize Chrysler might want to receive telemetry from the ECU. I wouldn't mind too much if there was a one way connection so safety critical components could send information over the Internet, but there's no way they should be able to accept commands over the Internet. Something as simple as half an RS-232 interface should do to ensure one-way communications. (Connect TX and GND but ground RX.) Of course, that would cost a little more... I would say surely it would cost less than the loss of confidence when people realize how poorly designed the car is, but at this point I'm not sure consumers have much confidence left to lose.
Thanks to Peter Ladkin for his appropriate and well-reasoned disagreement with Alister Macintyre's blame-finding description of the accident of SpaceShip Two (RISKS-28.84 and 28.82, respectively). Macintyre cast blame on people and organizations for the accident, but with zero evidence. This should not be permitted within RISKS. I was also sadly disappointed by *The NY Times* article about the report from the U.S. National Transportation Safety Board's (NTSB) public session. NTSB clearly laid blame on the deficient human-factors design which permitted a simple slip (the technical term for one class of human error) by the co-pilot to lead to the tragedy. As NTSB properly pointed out, safety systems should never have a single point of failure. Where mechanical, electronic, or software systems are involved, elaborate care is taken to avoid single points of failure: Why do we allow it for human systems? I've been arguing this point for years. I am delighted NTSB finally understands. But I have further cause for disappointment. Although the NY Times reported the hearing fairly and accurately, they headlined it Co-Pilot's Error Is Blamed for Crash of Space Plane. Here is what the Times reported that NTSB said: “Would a single-point mechanical failure with catastrophic consequences be acceptable?'' Robert L. Sumwalt, one of the safety board members, asked the investigators Tuesday. It would not, answered Michael Hauf, part of the investigation team that spent nine months looking into the crash. “So why would a single-point human failure be acceptable?'' Mr. Sumwalt asked. “And it really should not be acceptable. The fact is, if you put all your eggs in the basket of a human to do it correctly—and I don't mean this flippantly, because I've made plenty of mistakes—humans will screw up anything if you give them enough opportunity.
The mistake is often a symptom of a flawed system.'' The safety board laid the primary blame on Scaled Composites, the company that designed this part of the system, describing the probable cause as Scaled Composites's failure to consider and protect against the possibility that a single human error could result in a catastrophic hazard to the SpaceShipTwo vehicle. *The NY Times* article was excellent. But the headline writer ignored the article and entitled the piece Co-Pilot's Error Is Blamed for Crash of Space Plane. This propagates the myth that people are flawed, incompetent, etc. No folks, it is bad design, design that ignores decades of research on proper human factors. It ignores the article itself where the blame was (properly) NOT placed on the co-pilot but rather on the poor design. NY Times: Shame on your headline writer. Peter Ladkin: thank you. Don Norman, Prof. and Director, DesignLab, UC San Diego email@example.com designlab.ucsd.edu/ www.jnd.org <http://www.jnd.org/>
The real problem is that instead of coming to terms with the dangerous and failed idea of perimeter security we see increasing efforts to work around the borders only exacerbating problems. The complex schemes for trading bandwidth are another face of this tendency to pile on additional mechanisms rather than recognizing that bandwidth is a construct. Bandwidth is a real technical term but billing for it is far removed from the realities of a packet network.
Verizon has offered something very similar to the new Siri offering called "Premium Visual Voice Mail". It came bundled with my Samsung Galaxy 5 for a couple months, and then switched to $2.99/month. (I didn't take it.) It describes the advantages as "Voice Mail to Text: Discreetly read voice mails without listening to them". See http://www.verizonwireless.com/support/voice-mail-comparison/ for a comparison with the iPhone offering. Not endorsing the product or minimizing the risk, just noting that it's not really new.