The Ashley Madison Hack Shows We're Too Dumb to Cheat Jennifer Weiner, *The New York Times* op-ed, 21 August 2015 [We covet smart appliances, smart pebbles (in space), smart robots, but what about smart people? Jennifer Weiner's wonderful NYT op-ed this morning is absolutely delightful. In response to the surprisingly large number of government employees outed by the AshMadHack, Jennifer proposes a new category along the lines created by Fran Lebowitz, who once created useful categories for people she believed were committing crimes against the rest of us. Here is her suggested new category:] “You are a government employee and you were too stupid to create a new email account when you registered on a website for cheaters.” Here are some savory snippets from her op-ed piece: “According to *The Washington Post*, the capital has the highest rate of membership for the site of any American city. A number of those caught up in the hack work at the Department of Justice and - #irony - the National Security Agency.” “Maybe it shouldn't come as a surprise that D.C. is full of cheaters, but why, oh why, did it have to be full of stupid cheaters, cheaters too lazy and incurious to go to Gmail.com before they cheated? We're talking minimal effort here, people. Five minutes, a couple of security questions, a password that isn't PASSWORD, and you're email@example.com, or firstname.lastname@example.org, and France isn't laughing at us anymore.” “If you're going to cheat, cheat smart.” [The ACM Risks Forum does not endorse the last line, but smirks a little at the irony and satire of the op-ed. It is just one more reminder that our computer systems are inadequately trustworthy and that many users are unjustly trusting. PGN]
FYI—So the Ashley Madison hack is the “Cyber Pearl Harbor” that Adm. Michael Rogers has been incessantly warning us about? What is our Cyber Commander's plan for retaliating against this hack which will live in infamy? Perhaps Gen. Petraeus has a better retaliation strategy? The economic devastation from the Ashley Madison hack will likely exceed that from the Tianjin explosion. “5 million marriages at risk” "So we have around 800,000 extra divorces [as a result of the Ashley Madison hack]" “The Ashley Madison hack might mean that more kids grow up without married parents.” “all the divorcing couples out there looking for studio apartments will drive up rents and make it harder for millennials to move out of their parents' basements — adding another aspect of economic drag.” “The big costs here are real, it's just that most of them aren't measured in our economic statistics.” http://www.nytimes.com/2015/08/20/upshot/an-ashley-madison-recession-or-an-ashley-madison-stimulus.html Wages of Sin: An Ashley Madison Recession? Or an Ashley Madison Stimulus? Josh Barro and Justin Wolfers, *The New York Times*, 20 Aug 2015 The revelation of who opened accounts on the Ashley Madison site for adulterers got the attention of curiosity seekers and suspicious spouses. Josh Barro and Justin Wolfers had a different impulse. They wondered whether a surge in marital trouble resulting from the Ashley Madison hack could hurt the economy—or even, surprisingly, make it grow faster. [The rest of this article is a delightful back-and-forth between Josh and Justin, omitted here. PGN]
Companies are frequently making upgrades to their technology, not always for the better. My Bank's ATM used to be one transaction per instance of stick in plastic & PIN#. Now, at end of transaction it asks if we want another transaction, click on the YES or NO. Many customers have apparently not noticed this feature, because about the time when I arrive at the ATM, it is showing the final screen, from the prior customer. I always select No, but I wonder if some other customers are not as honest as me. The ATM security camera footage may figure it out, but the prior customer could be inconvenienced until then. A person does not need to even be a customer of the ATM network, to make a killing. Many drive through ATM screens can be seen from a distance, and the normal start screen is pretty obviously distinct from the more transactions one. I plan to suggest they need some kind of sensor to detect that a prior customer has left the station, so that it can assume a No, before next customer arrives. [A nasty example of this risk mode involved election fraud cases in Kentucky (R 25 76, correction in R 26 77) where the “change vote” ability was misrepresented, and voters who did not properly finalize their votes (which required more than clicking on the ”vote“ icon that merely meant “review”) allowed voting officials to change the intended votes. PGN]
http://www.nytimes.com/2015/08/21/opinion/consumers-are-cutting-the-cord-to-gain-choices-and-pay-less.html Congress and the FCC can help consumers have more broadband options as they choose online services over cable TV.
Orwell's MinTruth would love this *Consumerist* item. Dave [PGN-ed] http://consumerist.com/2015/08/21/u-k-orders-google-to-forget-9-news-articles-about-the-right-to-be-forgotten/ Although Europeans in 28 countries have the option to ask Google to remove Internet search results about themselves under certain conditions, Google is pushing back against a new Right To Be Forgotten request one that seeks to remove nine news articles about the right to be forgotten itself from its Internet search results. The United Kingdom's Information Commissioner's Office has ordered Google to scrub the articles in question from the Internet, because they mention a man who previously made a successful RTBF request. See, the RTBF rule in the European Union says Google and other search engines have to remove links to outdated or inaccurate information about a person if they request they do so. That keeps defamatory statements, arrest records for minor crimes and other information a person might like to keep hidden in their present from coming back to haunt them whenever their name is searched on the Internet. Though Google complied and took down links related to a man's conviction for a minor crime committed 10 years ago, ICO says news articles since then about Google doing so have mentioned the man's name and details about that conviction. Google declined the request, ICO says, arguing that the articles concern one of its decisions to delist a search result and that they were an essential part of a recent news story relating to a matter of significant public importance. But ICO deputy commissioner David Smith wrote in a statement that the same RTBF rules apply here, just as they did when Google agreed to take down the other web results for the man. “Google was right, in its original decision, to accept that search results relating to the complainant's historic conviction were no longer relevant and were having a negative impact on privacy. It is wrong of them to now refuse to remove newer links that reveal the same details and have the same negative impact.” Are those RTBF stories about individual requests in the public interest? Yes, ICO says, but they shouldn't show up on a Google search for that person's name, as that completely defeats the purpose of having the other mentions removed in the first place. Commissioner Smith: “Let's be clear, we understand that links being removed as a result of this court ruling is something that newspapers want to write about. And we understand that people need to be able to find these stories through search engines like Google. But that does not need them to be revealed when searching on the original complainant's name.” In July, a complaint filed here in the U.S. with the Federal Trade Commission by advocacy group Consumer Watchdog argues not just that Google should be honoring RTBF requests stateside, but that the company's refusal to do so is a violation of federal law.
> Some pipeline explosions have been due to mistakes in the control rooms of > the pipeline companies. Can they be hacked to cause such an accident on > purpose? The answer seems to be that it has happened, according to Thomas Reed, a former USAF secretary and former member of the USG NSC. See http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html Peter Bernard Ladkin, University of Bielefeld and Causalis Limited www.rvs.uni-bielefeld.de www.causalis.com
I would not be surprised if many comp.risks readers, like myself, stay away from things like Google groups on general principles! It has been an issue for me: there is someone involved with a hobby I enjoy (amateur radio) who wants to be able to send a set of us email using exactly that mechanism. I explained what I thought about almost all such social media and their risks and she has been willing to send me email separately. But I think this is another problem with that proposed solution that is worse than the time it takes to set up a group.
[I can't tell whether this reply is tongue-in-cheek or not, so I'll answer it seriously.] Yes, it's true that the SW—e.g., Win10—(presumably) controls this HW audio spying feature. However, Intel's audio spying capability provides an additional *attack surface* for hackers/govts/spouses/competitors to exploit. There appears to be no way to disable this ”feature“ permanently, so one is forevermore at risk of being bugged by his/her own cellphone/computer due to “misconfiguration” and/or hacking. Now it's entirely possible that there are many other electronic components already in a computer/cellphone that can be used as microphones—in particular, the motion sensors have already been hacked to do exactly that. But an audio capability with enough fidelity to enable speech understanding is also good enough to cause an enormous amount of privacy trouble.
There is no microphone in the Intel processor. No new attack surface. Just an improvement in wake up from sleep. Previously, waking up the processor or putting it back to sleep took many tens of milliseconds, so if it was woken up every time a voice sound was heard it would not get back to sleep before the next phoneme. It's not even audio specific. You are critical of an application someone at MS dreamed up.
You'll have to excuse me, but I consider the ability of a “sleeping” computer to recognize & interpret speech as a new attack surface—right up there with various TV settop boxes constantly listening to their customers' bedrooms. If it's all the same to Intel, I'd like to let my sleeping computers lie. You have just confirmed that Intel's “feature” is even creepier than the article indicated. Intel apparently has a “tin ear” when it comes to their customers' privacy.
On a serious note, I can think of several problems with putting a microphone on a CPU, but in terms of privacy and security implications: it would be no different from a smartphone. We already have those.
The joke Dimitri refers to is good enough to spell out (!) in full: https://www.springer.com/cda/content/document/cda_downloaddocument/9781893115729-c1.pdf “A great example appeared in a 1999 issue of Computing . A representative of a company with a voice recognition product prepared to demonstrate their product and asked the crowd gathered to see the demonstration to be quiet. Someone in the back of the room shouted, “Format C Colon Return!” Someone else shouted, “Yes, Return!” The software worked perfectly, reformatting the primary disk on the demonstration unit, requiring that the machine finish its format and have all of its software and data reinstalled.”
Please report problems with the web pages to the maintainer