The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 93

Thursday 3 September 2015

Contents

Bloomberg: HSBC Fault Keeps 275,000 People From Payday
Gabe Goldberg
Automating Oil Drilling
Forbes
It's A Bird... It's A Plane... It's NonLethalDrone
Justin Glawe via Henry Baker
Drone-Killing Laser Cannon
Jordan Golson via Henry Baker
Comey high 5's Turkey for arresting encrypting journalists
Umut Uras
Breaking Wyndham
FTC via Henry Baker
A Roadmap for a World Without Drivers
Medium via Lauren Weinstein
Google's Driverless Cars Run Into Problem: Cars With Drivers
NYTimes
Uber Hires Two Engineers Who Showed Car Hackings
Isaac/Perlroth
Vehicles with keyless ignition systems may continue to run unattended
Bob Gezelter
Many new top-level domains have become Internet's `bad neighborhoods'
Ars Technica
Popular Belkin Wi-Fi routers plagued by unpatched security flaws
Lucian Constantin
Act Now To Save WiFi From The FCC
Brian Benchoff
Two-Factor Authentication Phishing From Iran
Citizen Lab
Heidelberg Laureate Forum on data collection
Katherine Noyes
No gigabyte nets for autonomous vehicles
Mike Liebhold
Ross Stapleton-Gray
Tools for Tailored Learning May Expose Students' Personal Details
NYTimes
Zuckerberg cheers as 1 billion suckers login to Facebook in 24 hours
Matthew Kruk
Windows 7, 8, and 10: Now all collecting user data for Microsoft
Fahmida Y. Rashid
Windows Creepy Spying extended to Win7/8
Henry Baker
Unwanted data transmissions by Windows 10
Joe Durusau
U.S. Senate Report on Target breach
Alister Wm Macintyre
Ashley Madison Hack Creates Ethical Conundrum For Researchers
HuffPost
Re: Data from hack of Ashley Madison cheater site
Dan Jacobson
Re: ATM security risk: nonfinalization
Dan Jacobson
Info on RISKS (comp.risks)

Bloomberg: HSBC Fault Keeps 275,000 People From Payday

Gabe Goldberg <gabe@gabegold.com>
Fri, 28 Aug 2015 14:47:05 -0400
[Not the kind of payday loan people want...]

Bloomberg, 28 Aug 2015

HSBC Holdings Plc said most of the 275,000 payments from U.K. business
customers it failed to process Friday will be completed by the end of the
day after a software problem held up transactions before a long weekend.

To read the entire article, go to http://bloom.bg/1NLnjqV


Automating Oil Drilling (Forbes)

Alister Wm Macintyre <macwheel99@wowway.com>
Wed, 26 Aug 2015 19:24:32 -0500
The 7 Sep 2015 edition of Forbes Magazine (cover story about Tesla) has an
article pages 46-48 about the future of oil drilling, how humans are to be
replaced by robots. There is an illustration on page 48 of how this will
work, where personnel back at HQ will manage all the hardware at the
drilling site, in much the same way as military drones over the Middle East,
and Asia, are operated by remote pilots at NATO military bases.

I see things which can go wrong with this notion. The page 48 illustration
looks to me to be *exactly* what BP had at the time of the Gulf of Mexico
oil spill. People back at HQ had lots of feeds telling them exactly what was
going on at the drill site, but were clueless even before the explosion
ripped out their Internet connections.  I watched US Coast Guard hearings
into that disaster.  The hardware back at HQ reminded me of computer
security logs.  You have to be ultra-trained in what the heck all that
means, to make heads or tails of it, but a lot of corporate hiring is of
people with no relevant experience.

There are similar things going on with ground transportation disasters.
Hardware seems to be designed with the assumption that nothing will ever go
wrong, so the info about what's going on is not made user-friendly.  The
first a place knows that they have had a major disaster is when human
witnesses nearby phone in what they see, so human technicians are sent out
to investigate, who may not have the right tools or training to deal with it
properly.  The data is at HQ, but no one there knows how to interpret it.

State-of-art needs to be upgraded, in many industries, to make the data
intelligible to non-technical management, so it does not need specialist
training for translation.  Also more industries need rapidly deployable
First Responders, with a good spectrum of resources, similar to what city
Public Utilities have.

People on-site, at the BP Gulf Oil disaster, could have averted it, had they
been given relevant training, and documentation, which they did not get.

Will the same mentality program the robots?

They are getting data faster, from deep below the ground, expect that soon
the oil workers will have the data on their smart phones.

There are more problems, which we learn from the killer drones.

Every auto driver knows that we need to avoid tailgating, or going too fast
for conditions, because when there is trouble ahead, our eyes see it, our
brain interprets the situation, then tells our body to react, changing
steering, speed of auto.  This does not happen instantaneously.

The military drones have an added dimension called "latency," or the time it
takes, for what the drone sees, to bounce off a satellite in space, get to
the remote operator, to decide what to do, then there is the signal in the
reverse direction.  So if the drone sees a potential enemy, and the remote
pilot says to kill that enemy, then thanks to latency, the drone will miss,
as the target has probably moved in the mean time.  That's why our military
blows up entire buildings - schools, restaurants, housing complexes.  They
don't move, and there is a suspect inside.  That's one reason why there is a
high rate of innocent bystander collateral damage killed by that technology.

So if the automated oil rigs are to be managed by operators at HQ, is there
any data for which the latency will make reactions too slow?

The killer drones can be hacked.  How about the feed between HQ and an
automated oil well, to cause an accident on purpose?

Already some oil wells are fully automated.


It's A Bird... It's A Plane... It's NonLethalDrone (Justin Glawe)

Henry Baker <hbaker1@pipeline.com>
Wed, 26 Aug 2015 21:03:08 -0700
FYI—And some people can't understand why campaigns like "Black Lives
Matter" are gaining so much support...

Don't police officers have to announce themselves as police officers
(including wearing a uniform and showing a badge) in order to not get shot
at themselves when they pull out a deadly weapon?

How does an armed police drone properly announce itself so as not to get
shot down?

And how exactly is an ordinary citizen to know that his/her life is *not* in
danger when some drone (police or otherwise) starts shooting at him/her?

There still is a Second Amendment to the Constitution, and imminent deadly
force can be met with deadly force—particularly when the only thing left
`dead' is an inanimate drone.

Quotes:

“Less than lethal weapons like rubber bullets, pepper spray, tear gas,
sound cannons, and Tasers are therefore *permitted* on police drones.''

“At least 39 people have been killed by police Tasers in 2015 so far.''

“Rost said he needs to use drones for surveillance in order to obtain a
warrant in the first place.'' [Going fishing, are we?]

Justin Glawe, Armed Drones for Cops Are Now Legal, 26 Aug 2015
ND: First State Legalizes Taser Drones for Cops, Thanks to a Lobbyist
http://www.thedailybeast.com/articles/2015/08/26/first-state-legalizes-armed-drones-for-cops-thanks-to-a-lobbyist.html


Drone-Killing Laser Cannon (Jordan Golson)

Henry Baker <hbaker1@pipeline.com>
Thu, 27 Aug 2015 20:48:04 -0700
FYI—Let's see: a number of high efficiency precision corner reflectors
mounted on the drone would do a pretty good job on this IR laser cannon
and/or its operator.  If these corner reflectors weren't individually too
large, they wouldn't reflect back very much in the microwave wavelengths,
thus making it harder for radar detection and guidance.  Millions of dollars
of equipment ruined by a few dollars worth of corner reflectors.

https://en.wikipedia.org/wiki/Corner_reflector

And what could possibly go wrong with a 2kw continuous invisible IR laser in
an urban environment ?  Lemme guess: the name of the weapon?  "Archimedes" ?
Shouldn't we worry that this IR cannon "cure" could be worse than the drone
disease?

http://www.sciencebuzz.org/blog/archimedes-heat-ray

“Other than numerous safety warnings to ensure *no one was blinded by the
two-kilowatt infrared laser*, there was no fanfare.  No explosions, *no
visible beam*.''

“Boeing's developed a laser cannon specifically designed to turn unmanned
aircraft [and your entire neighborhood] into flaming wreckage.''

http://www.wired.com/2015/08/welcome-world-drone-killing-laser-cannon/

Welcome to the World, Drone-Killing Laser Cannon
Jordan Golson, *WiReD*, 27 Aug 2015

http://www.wired.com/wp-content/uploads/2015/08/IMG_6496-copy-582x418.jpg


Comey high 5's Turkey for arresting encrypting journalists

Henry Baker <hbaker1@pipeline.com>
Wed, 02 Sep 2015 09:51:51 -0700
FYI: "The main issue seems to be that the [Vice News] fixer uses a complex
encryption system on his personal computer that a lot of ISIL militants also
utilise for strategic communications."

The journalists were also using cars that could have been used as car bombs.
Water bottles were also found; 100% of terrorists are known to use water.

http://www.aljazeera.com/news/2015/09/vice-news-fixer-arrested-encryption-software-150901200622345.html

Umut Uras, Vice News fixer 'charged over encryption software', 2 Sep 2015

Turkey official tells Al Jazeera charges made after fixer found to have
encryption software used by ISIL on his laptop.

Three staff members from Vice News were charged with "engaging in terrorist
activity" because one of the men was using an encryption system on his
personal computer which is often used by the Islamic State of Iraq and the
Levant (ISIL), a senior press official in the Turkish government has told Al
Jazeera.

Two UK journalists, Jake Hanrahan and Philip Pendlebury, along with their
Turkey-based Iraqi fixer and a driver, were arrested on Thursday in
Diyarbakir while filming clashes between security forces and youth members
of the outlawed and armed Kurdistan Workers' Party (PKK).

On Monday, the three men were charged by a Turkish judge in Diyarbakir with
"engaging in terrorist activity" on behalf of ISIL, the driver was released
without charge.

The Turkish official, who spoke on condition of anonymity, told Al Jazeera:
"The main issue seems to be that the fixer uses a complex encryption system
on his personal computer that a lot of ISIL militants also utilise for
strategic communications."

Speaking to Al Jazeera, Tahir Elci, the head of the Diyarbakir lawyers
association, said: "I find it ridiculous that they were taken into custody.
I don't believe there is any accuracy to what they are charged for.  "To me,
it seems like an attempt by the government to get international journalists
away from the area of conflict.  [...]


FTC: Breaking Wyndham

Henry Baker <hbaker1@pipeline.com>
Thu, 27 Aug 2015 07:45:26 -0700
FYI—And companies are asking the govt to provide them with even more
immunity from liability?  This is yet more of the same type of "socializing
losses while privatizing profits" scheme that we have come to know & love
from the recent financial crisis.

According to the FTC complaint, “there were no fewer than 10 practices that
taken together, unreasonably and unnecessarily exposed consumers'
personal data to unauthorized access and theft.''

“Apparently both the username and password for a Wyndham property management
system developed by Micros Systems Inc. was *micros*.''

“The company had no security controls whatsoever in many of these areas.''

The 2007 FTC guidebook “advises companies to *consider encrypting sensitive
information*'' ["Consider" ?  As in a street sign that says *Consider
Stopping*?]

“The FTC [is] in a very tricky position—trying to hold companies
accountable for failing to implement reasonable security measures without
ever defining what those reasonable measures are.''

“How were we supposed to implement adequate security when no one ever told
us what that means?''

Josephine Wolff, *Slate*, 26 Aug 2015
What Exactly Does Reasonable Mean?
The FTC's maddening attempts to hold companies liable for cybersecurity lapses.
http://www.slate.com/articles/technology/future_tense/2015/08/the_ftc_punishes_wyndham_for_failing_to_protect_customer_data.html


A Roadmap for a World Without Drivers

Lauren Weinstein <lauren@vortex.com>
Sun, 30 Aug 2015 08:52:18 -0700
Medium via NNSquad
https://medium.com/@alexrubalcava/a-roadmap-for-a-world-without-drivers-573aede0c968

  The reaction to the first car bombing using an AV is going to be massive,
  and it's going to be stupid. CNN will go into "missing airplane"
  mode. There will be calls for the government to issue a stop to all AV
  operations, much in the same way that the FAA ordered a ground stop after
  9/11. But unlike 9/11, which involved a decades-old transportation
  infrastructure, the first AV bombing will use an infrastructure in its
  infancy, one that will be much easier to shut down. That shutdown could
  stretch from temporary to quasi-permanent with ease, as security
  professionals grapple with the technical challenge of distinguishing
  between safe, legitimate payloads and payloads that are intended to
  harm. The scenario described above—using an AV to commit a violent
  crime—involves no hacking. Hacking is the second major barrier to
  adoption that will present unique problems to AVs.

Yep, like I've been saying for ages. To be clear, I fully support
autonomous vehicle research, because I believe it will save millions of
lives just through advanced driver assist systems. But once you go truly
autonomous, the Pandora's Box opens in ways most of us have only begun
to think about.


Google's Driverless Cars Run Into Problem: Cars With Drivers

Monty Solomon <monty@roscom.com>
Wed, 2 Sep 2015 02:24:56 -0400
http://www.nytimes.com/2015/09/02/technology/personaltech/google-says-its-not-the-driverless-cars-fault-its-other-drivers.html

The cars have been involved in a smattering of minor accidents because they
observe traffic laws to the letter—and people don't.


Uber Hires Two Engineers Who Showed Car Hackings

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 29 Aug 2015 15:32:18 PDT
The above subject line is the title of an article by Mike Isaac and Nicole
Perlroth in *The New York Times*, 29 Aug 2015 (page B2 in the National
Edition).

Charlie Miller and Chris Valasek have been hired by Uber's offices in
Pittsburgh to help ensure the security and safety of Uber's self-driving car
and robotics research.  (See RISKS-28.80 and .81 on their most recent
exploits.)

Whatever you think of Uber, the desire for greater security and safety is
welcome.  However, Uber is also going to need more people with broad
expertise in total system architectures for trustworthy systems.

Despite the hype, trustworthy self-driving cars in a completely automated
highway that is meaningfully risk-free seem to be a long ways off.


Vehicles with keyless ignition systems may continue to run unattended

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 28 Aug 2015 12:40:16 -0700
Many new vehicles are equipped with keyless ignition systems. The vehicle is
started with a button, so long as an electronic key fob is present.
Unfortunately, this creates the potential for a number of hazards not found
in keyed ignition systems.  Apparently, some of these vehicles will continue
operation if the key fob is no longer in the vehicle. With some of the
quieter running power plants (e.g., hybrids), they will eventually activate
their internal combustion power plants when the batteries run low. This
creates a carbon monoxide hazard when the car is in a closed space (e.g.,
garage).  The hazard happens when the owner leaves the vehicle without
successfully turning off all the ignition (e.g., clumsy button push with
gloved hand).  Solutions to this problem are not simple. Simply requiring
the presence of a working key fob opens the possibility of unexpected system
shutdown if the key fob stops functioning (e.g., bad battery).  The complete
Money article is at CNN:
money.cnn.com/2015/08/26/autos/keyless-ignition-lawsuit/index.html


Many new top-level domains have become Internet's "bad neighborhoods"

Lauren Weinstein <lauren@vortex.com>
Thu, 3 Sep 2015 10:24:08 -0700
http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-become-internets-bad-neighborhoods/

  There were many who warned that the Internet Corporation for Assigned
  Names and Numbers' (ICANN) decision to allow a host of new commercial
  generic top-level Internet domains was going to create a huge opportunity
  for Internet scammers and hackers.  The approval of top-level domains
  (TLDs) beyond those assigned to countries and generic ones such as .com,
  .org, and .net created an opportunity, some in the security industry
  warned, for criminals to set up "look-alike" domains in the new namespace
  that aped legitimate sites already registered in .com or elsewhere.  Well,
  the warnings were spot-on.

Uh, like nobody predicted this, right? As Gomer Pyle would say,
  "Surprise, surprise, surprise!"
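
The look-alike pattern the excerpt describes is straightforward to hunt for in
a feed of newly registered names. The Python below is an added example, not
code from the Ars Technica article, ICANN or RISKS: the brand list, the
"legitimate" TLD set and the observed registrations are constructed, and it
treats the last label as the public suffix, an assumption real code would
replace with a Public Suffix List lookup (e.g. "co.uk" is two labels).

```python
"""Detector for look-alike domains in new TLDs.

Added example, not code from the Ars Technica article or from RISKS.
Everything below is constructed for illustration: the brand list, the
"legitimate" TLDs, the observed registrations, and the simplification
that the public suffix is the last label only (real code should consult
the Public Suffix List).
"""

BRANDS = {"bigbank", "paypal", "example"}    # constructed brand labels
LEGIT_TLDS = {"com", "org", "net"}            # where those brands really live


def split_domain(fqdn):
    """Return (second-level label, top-level label), lower-cased."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a registrable name: %r" % fqdn)
    return labels[-2], labels[-1]


def edit_distance1(a, b):
    """True if a and b differ by exactly one insertion, deletion,
    substitution, or swap of two adjacent characters (Damerau distance 1)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True                                    # substitution
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]]
                and a[diffs[1]] == b[diffs[0]])            # transposition
    shorter, longer = (a, b) if len(a) < len(b) else (b, a)
    # insertion/deletion: removing one character of the longer gives the shorter
    return any(shorter == longer[:i] + longer[i + 1:] for i in range(len(longer)))


def classify(fqdn):
    """Return a list of (pattern, brand) findings for one observed domain."""
    sld, tld = split_domain(fqdn)
    findings = []
    if sld in BRANDS and tld not in LEGIT_TLDS:
        findings.append(("brand-in-new-tld", sld))         # bigbank.xyz
    for brand in sorted(BRANDS):
        if sld == brand:
            continue
        if edit_distance1(sld, brand):
            findings.append(("typosquat", brand))          # paypa1.com
        elif brand in sld:
            findings.append(("brand-embedded", brand))     # paypal-login.xyz
    return findings


def scan(domains):
    """Map each suspicious domain to its findings; clean domains are omitted."""
    report = {}
    for d in domains:
        findings = classify(d)
        if findings:
            report[d] = findings
    return report


# Constructed sample of "newly registered" names, as a zone-file feed might show them.
OBSERVED = [
    "bigbank.com", "bigbank.xyz", "paypa1.com", "paypal-login.xyz",
    "bigbnak.click", "example.science", "unrelated.xyz",
]

if __name__ == "__main__":
    for name, findings in scan(OBSERVED).items():
        print(name, "->", ", ".join("%s(%s)" % f for f in findings))
```

Run against a daily zone-file diff, the "brand-in-new-tld" rule alone catches
the case the article is about; the typosquat and embedded-brand rules catch the
older .com tricks that moved into the new namespace along with it.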


"Popular Belkin Wi-Fi routers plagued by unpatched security flaws" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 03 Sep 2015 09:19:42 -0700
Lucian Constantin (credit: Michael Homnick), PC World, 1 Sep 2015,
ISP-provided routers are full of security vulnerabilities
Attackers could exploit the flaws to hijack DNS requests or
completely take over affected devices
http://www.infoworld.com/article/2978777/networking/popular-belkin-wi-fi-routers-plagued-by-unpatched-security-flaws.html

opening text:

If your Wi-Fi network is using the popular Belkin N600 DB router, be warned:
it may have several vulnerabilities that could allow hackers to take it
over.


Act Now To Save WiFi From The FCC

Henry Baker <hbaker1@pipeline.com>
Wed, 02 Sep 2015 10:12:56 -0700
FYI—The FCC wants to *ban open-source firmware for your wifi router*.
Note that although this rule supposedly affects only 5GHz, it would affect
*ALL* routers because no one is going to make a 2.4GHz-only router.

Brian Benchoff, Save WiFi: Act Now To Save WiFi From The FCC, 2 Sep 2015
http://hackaday.com/2015/09/02/save-wifi-act-now-to-save-wifi-from-the-fcc/

Right now, the FCC is considering a proposal to require device manufacturers
to implement security restricting the flashing of firmware.  We posted
something about this a few days ago, but completely missed out on a call to
action.  Contrary to conventional wisdom, we live under a system of
participatory government, and there is still time to convince the FCC this
regulation would stifle innovation, make us less secure, and set back
innovation in the United States decades.

  [Henry also goes on to excerpt from the following items, truncated for
  RISKS, but URLs left for those readers who might be documenting this.]

http://hackaday.com/2015/08/31/fcc-introduces-rules-banning-wifi-router-firmware-modification/
https://libreplanet.org/wiki/Save_WiFi/Individual_Comments
https://apps.fcc.gov/kdb/GetAttachment.html?id=1UiSJRK869RsyQddPi5hpw%3D%3D&descY4280%20D02%20U-NII%20Device%20Security%20v01r02&tracking_number9498
https://www.federalregister.gov/articles/2015/08/06/2015-18402/equipment-authorization-and-electronic-labeling-for-wireless-devices
https://apps.fcc.gov/oetcf/kdb/forms/FTSSearchResultPage.cfm?id9498&switch=P


Two-Factor Authentication Phishing From Iran

Lauren Weinstein <lauren@vortex.com>
Thu, 27 Aug 2015 14:39:37 -0700
Citizen Lab via NNSquad
https://citizenlab.org/2015/08/iran_two_factor_phishing/

  This report describes an elaborate phishing campaign against targets in
  Iran's diaspora, and at least one Western activist. The ongoing attacks
  attempt to circumvent the extra protections conferred by two-factor
  authentication in Gmail, and rely heavily on phone-call based phishing and
  "real time" login attempts by the attackers. Most of the attacks begin
  with a phone call from a UK phone number, with attackers speaking in
  either English or Farsi.  The attacks point to extensive knowledge of the
  targets' activities, and share infrastructure and tactics with campaigns
  previously linked to Iranian threat actors. We have documented a growing
  number of these attacks, and have received reports that we cannot confirm
  of targets and victims of highly similar attacks, including in Iran.  The
  report includes extra detail to help potential targets recognize similar
  attacks. The report closes with some security suggestions, highlighting
  the importance of two-factor authentication.
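
The "real time" login attempts in the report are exactly the case a time-based
second factor cannot resist: a code read out over the phone is still valid
when the attacker types it in a few seconds later. The Python below is an
added example, not Citizen Lab's code and not Google's login logic. The
service, password, device key and phishing origin are constructed; the TOTP
side follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the "origin-bound"
side uses an HMAC over (challenge, origin) as a stand-in for the public-key
signature over origin-carrying client data that U2F/WebAuthn authenticators
produce, since the binding argument is the same either way.

```python
"""Why a relayed TOTP code gets through but an origin-bound response does not.

Added example; not Citizen Lab's code and not Google's login logic.
Service, password, device key and phishing origin are all constructed.
TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). The origin-bound
factor uses HMAC(device_key, challenge || origin) as a simplification of
the U2F/WebAuthn signature over client data that carries the origin.
"""
import hashlib
import hmac
import secrets
import struct


def totp(secret, t, step=30, digits=6):
    """RFC 6238 code for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, word % 10 ** digits)


def authenticator_respond(device_key, challenge, origin_seen_by_browser):
    """What the user's authenticator returns. It binds the reply to the origin
    the browser is actually on, not to whatever the page claims to be."""
    msg = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class Service:
    """Hypothetical account service supporting both kinds of second factor."""
    ORIGIN = "https://accounts.example"          # constructed real origin

    def __init__(self, password, totp_secret, device_key):
        self.password = password
        self.totp_secret = totp_secret
        self.device_key = device_key
        self.pending = None

    def login_totp(self, password, code, now):
        # Usual tolerance: accept the current and the previous 30 s step.
        ok_code = any(hmac.compare_digest(code, totp(self.totp_secret, now - d))
                      for d in (0, 30))
        return hmac.compare_digest(password, self.password) and ok_code

    def start_challenge(self):
        self.pending = secrets.token_bytes(32)
        return self.pending

    def login_bound(self, password, response):
        if self.pending is None:
            return False
        expected = authenticator_respond(self.device_key, self.pending, self.ORIGIN)
        self.pending = None                       # one-shot challenge
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(expected, response))


PHISHING_ORIGIN = "https://accounts-example.xyz"  # constructed look-alike


def relay_attack_totp(service, victim_password, victim_totp_secret, now):
    """Phone-call / phishing-page flow: the attacker obtains the password and
    the code the victim reads off the app, then logs in a few seconds later."""
    code_from_victim = totp(victim_totp_secret, now)
    return service.login_totp(victim_password, code_from_victim, now + 5)


def relay_attack_bound(service, victim_password, victim_device_key):
    """Same relay against an origin-bound factor: the attacker fetches a real
    challenge, forwards it, and the victim's authenticator answers it for the
    phishing origin. The real service verifies against its own origin."""
    challenge = service.start_challenge()
    response = authenticator_respond(victim_device_key, challenge, PHISHING_ORIGIN)
    return service.login_bound(victim_password, response)


def legit_login_bound(service, password, device_key):
    """The honest flow: the browser really is on the service's origin."""
    challenge = service.start_challenge()
    response = authenticator_respond(device_key, challenge, Service.ORIGIN)
    return service.login_bound(password, response)


if __name__ == "__main__":
    svc = Service("hunter2", b"12345678901234567890", b"constructed-device-key")
    print("relay vs TOTP succeeds:", relay_attack_totp(svc, "hunter2", b"12345678901234567890", 1000))
    print("relay vs origin-bound succeeds:", relay_attack_bound(svc, "hunter2", b"constructed-device-key"))
```

The practical reading of the report's closing advice: a second factor that is
merely "something you type" is only as strong as the user's ability to tell
the real login page from the attacker's, which is what the phone call is
designed to defeat; an origin-bound factor removes that judgement from the
user entirely.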


Heidelberg Laureate Forum on data collection (Katherine Noyes)

"ACM TechNews" <technews@hq.acm.org>
Mon, 31 Aug 2015 12:13:10 -0400 (EDT)
Katherine Noyes, Orange Hosting, IDG News Service (08/26/15)
via ACM TechNews, Monday, August 31, 2015

Many of the world's top computer science experts met last week at the
Heidelberg Laureate Forum to determine how the widespread collection of data
about consumers can be prevented from causing harm in the future.  Much of
today's data collection happens on the websites people visit, and that can
spill over into surveillance by governments, according to the Electronic
Frontier Foundation's (EFF) Jeremy Gillula.  Most of the participants at the
forum agreed there is a need for better mechanisms for protecting
individuals' privacy, as well as for more transparency on the part of those
collecting and using the data.  "We need a policy approach" that offers not
just privacy by design, but privacy by default, says Carnegie Mellon
University professor Alessandro Acquisti.  Although public policy and
legislation are one approach to the problem, some experts do not see much
reason for optimism in that direction.  The EFF already has published a "Do
Not Track" policy, which organizations can adopt, and it is working on a
Privacy Badger, a browser extension for Firefox and Chrome that blocks
spying ads and invisible trackers.  The EFF also advocates end-to-end
encryption because government agencies cannot do mass surveillance if all
the data is encrypted, according to Gillula.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e0a0x2d36fx063635&


No gigabyte nets for autonomous vehicles (via Dave Farber)

Mike Liebhold <mnl@well.com>
Monday, August 31, 2015
In the midst of all of the hype and hoopla over self driving cars, let's
pause for a reality check: None of the many rosy media discussions of the
future of autonomous vehicles show any awareness that there are no credible
network plans at all to support these vehicles - at scale - in cities and in
the countryside.  Meanwhile among the engineers, there is a growing
consensus that autonomous vehicles will need dense networks supporting
gigabyte low-latency streams for every vehicle, e.g., at least "300 GBytes
per month" of *coordinated* secure networks of LTE, WiFi, DSRC-V2V meshes,
and satellites, according to Andreas Mai, Director Smart Connected Vehicles at
Cisco http://viodi.com/2015/06/15/300-gbytes-of-data-per-month-per-car/

Here are some other recent relevant quotes about network requirements for
autonomous vehicle:

Intel: “Approximately 1 GB of data will need to be processed each second in
the car's real-time operating system.''
https://www-ssl.intel.com/content/www/us/en/automotive/driving-safety-advanced-driver-assistance-systems-self-driving-technology-paper.html

Telecom Italia: “A primary bottleneck is the overall sum of application
and network latencies, which are far too high today.''
http://www.networkcomputing.com/cloud-infrastructure/enabling-the-self-driving-car/a/d-id/1319538

BMW: “... need ultra-reliable networks, low-latency, and they must work
everywhere.''
http://www.computerworlduk.com/news/it-vendors/bmw-5g-could-be-key-self-driving-car-deployment-3501253/

Ericsson: “... self-driving cars, will rely on as-yet-undefined 5G
technology.  The networks that we have today have nowhere near that
quality-of-service guarantee.''
http://www.computerworlduk.com/news/it-vendors/the-smartest-cars-may-need-5g-ericsson-says-3497872/

When thinking about self driving cars, I try to remember the words of two
former colleagues at IFTF: One of our founders Roy Amara observed that
“When thinking about the future we tend to overestimate the impacts in the
near-term and underestimate impacts in the long term.''  or as aptly
paraphrased by former long time IFTF Fellow Paul Saffo, “Never mistake a
clear view for a short distance.''

Mike Liebhold, Distinguished Fellow, Institute for the Future, IFTF.org


No gigabyte nets for autonomous vehicles (Re: Liebhold)

"Ross Stapleton-Gray" <ross.stapletongray@gmail.com>
Aug 31, 2015 6:34 PM
  (via Dave Farber)

I would have to think that humans are an existence proof that driving a car
doesn't necessarily require high long-haul bandwidth. I'm sure one could
collect 1 GB of data per second just from optical/radar/sonar/lidar sensors
in the car, of the road ahead, along with GPS for general proximity, digital
maps carried onboard, etc., etc.

We can also expect that an increasing amount of the information absorbed
from other than the car's organic sensors would be short-range wireless,
e.g., car-car and car-curb data, that require little in the way of complex
infrastructure, but which can augment situational awareness (just like I get
digital sign data today telling me that travel time to particular
destinations is X minutes presently).

If the average 100 IQ human with modest visual ability and reflexes can
successfully navigate, it's not at all clear to me why my future Subaru++ is
going to require the equivalent of a streaming Hollywood movie, from long
distances, to compete.

Stapleton-Gray & Associates, Inc., Albany, CA


Tools for Tailored Learning May Expose Students' Personal Details

Monty Solomon <monty@roscom.com>
Mon, 31 Aug 2015 05:43:32 -0400
http://www.nytimes.com/2015/08/31/technology/tools-for-tailored-learning-may-expose-students-personal-details.html

Many technological tools used by schools are designed to customize learning,
but concern is developing over the collection and use of data on individual
students.


Zuckerberg cheers as 1 billion suckers login to Facebook in 24 hours

"Matthew Kruk" <mkrukg@gmail.com>
Sat, 29 Aug 2015 00:29:00 -0600
  [My sentiments exactly.]

http://www.computerworld.com/article/2977085/social-business/one-billion-people-facebook-monday-itbwcw.html


Windows 7, 8, and 10: Now all collecting user data for Microsoft (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Tue, 01 Sep 2015 15:47:46 -0700
Fahmida Y. Rashid, InfoWorld, 1 Sep 2015
http://www.infoworld.com/article/2979054/windows-security/windows-7-8-10-now-all-collecting-user-data-for-microsoft.html
Uncomfortable with Windows 10 slurping personal data? Too bad --
Microsoft rolls out similar snooping capabilities to Windows 7, Windows 8


Windows Creepy Spying extended to Win7/8

Henry Baker <hbaker1@pipeline.com>
Tue, 01 Sep 2015 05:43:58 -0700
FYI—Why is Microsoft doing this?  Google/Facebook envy?  FBI/NSA NSL?

http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

Microsoft intensifies data collection on Windows 7 and 8 systems

Martin Brinkmann, GHacks, 28 Aug 2015

Microsoft has been criticized by privacy advocates in regards to the data
hunger of its Windows 10 operating system.  The operating system slurps data
like there is no tomorrow, especially when systems are set up using the
express settings.

http://www.ghacks.net/2015/07/30/windows-10-and-privacy/

Experienced users may disable telemetry and data collection partially during
setup, and then some more afterward using the Registry or Group Policy.

  [Long item truncated for RISKS.]


Unwanted data transmissions by Windows 10 (RISKS-28.92)

"Joe Durusau" <durusau@att.net>
Wed, 26 Aug 2015 15:21:07 -0600
I can't test this myself, since I don't have windows 10 (and might never
have it), but I wonder if any of those complaining about unwanted data
transmissions have tried editing the hosts file to see whether this solves
the problem?

It would do so on a Unix-like system, but, as I said, I can't try it myself,
so wondered whether anyone else has tried doing so.
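
What a hosts-file entry can and cannot intercept is the same on Windows as on
a Unix-like system: it is consulted only when a program resolves a name
through the system resolver. The Python below is an added example, not from
the post above or from Microsoft; the hosts text, the stand-in DNS table and
every host name in it are constructed. It parses a Windows-style hosts file
and walks the OS resolution order, which shows that a name mapped to a
sinkhole address is blocked while a hard-coded IP literal, or a client using
its own resolver, never sees the entry.

```python
"""What a hosts-file block does and does not intercept.

Added example; not from the RISKS post or from Microsoft. The hosts text,
the stand-in "system DNS" table and all host names are constructed.
"""
import ipaddress

# Addresses commonly written into hosts files to "block" a name (assumption).
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed hosts file: Windows line endings, comments, tabs, and one line
# that lists several names for one address.
SAMPLE_HOSTS = (
    "# Copyright notice and usage text...\r\n"
    "\r\n"
    "127.0.0.1\tlocalhost\r\n"
    "0.0.0.0   telemetry.example   reports.telemetry.example   # added by user\r\n"
    "0.0.0.0 watson.example\r\n"
    "not-an-address bogus.example\r\n"
    "   \r\n"
)

# Constructed stand-in for the DNS the OS resolver would ask after the hosts file.
FAKE_DNS = {
    "telemetry.example": "203.0.113.10",
    "updates.example": "203.0.113.20",
    "watson.example": "203.0.113.30",
}


def parse_hosts(text):
    """Map each name to the address on its line. The first entry for a name
    wins, which is how resolvers treat duplicate hosts entries."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        if not names:
            continue                              # malformed: address with no names
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                              # malformed: not an address
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def resolve(target, hosts, dns):
    """OS resolution order: IP literal as-is, then hosts file, then DNS."""
    if is_ip_literal(target):
        return target                             # hosts file never consulted
    name = target.lower().rstrip(".")
    if name in hosts:
        return hosts[name]
    return dns.get(name)


def would_be_blocked(target, hosts, dns):
    """True only if the connection would land on a sinkhole address."""
    return resolve(target, hosts, dns) in SINKHOLES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for t in ["telemetry.example", "reports.telemetry.example",
              "updates.example", "203.0.113.10"]:
        print("%-28s -> %-14s blocked=%s" % (
            t, resolve(t, hosts, FAKE_DNS), would_be_blocked(t, hosts, FAKE_DNS)))
```

The last case is the caveat for anyone trying the experiment: a hosts entry
tells nothing about traffic to an address the client already knows, and the
only way to confirm what actually leaves the machine is to watch the wire
(or the host firewall log), not the resolver.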


U.S. Senate Report on Target breach

Alister Wm Macintyre <macwheel99@wowway.com>
Wed, 2 Sep 2015 12:51:58 -0500
A 16-page PDF report on the Target breach has been issued by the US Senate
Committee on Commerce, Science, and Transportation.

<http://www.commerce.senate.gov/public/?a=Files.Serve&File_id$d3c229-4f2f-405d-b8db-a3a67f183883>

It is dated March 2014, but I just found the link in an article about
Federal Trade Commission (FTC) involvement.

http://www.msn.com/en-us/news/us/ftc-investigates-target-data-breach/ar-AAdQDA5?ocid=iehp

At the time of the Senate report, the investigations had not yet figured
out:

. Details of the Fazio penetration.

. How the attackers got from the access granted Fazio, to Target's POS
  terminals.

. How the attackers found default account password access for BMC software
  IT management system; or if the password interface was bypassed.

There are some nice diagrams at the end of the report, such as a time line
of when Target allegedly received warnings, apparently ignored, of what the
attackers were up to.  There are also lots of links to more info.  The body
of the report talks about other things Target could have done to avert this
disaster.


Ashley Madison Hack Creates Ethical Conundrum For Researchers

Lauren Weinstein <lauren@vortex.com>
Wed, 2 Sep 2015 08:22:22 -0700
HuffPost via NNSquad
http://www.huffingtonpost.com/entry/ashley-madison-hack-creates-ethical-conundrum-for-researchers_55e4ac43e4b0b7a96339dfe9

  Frederick and other experts agreed that the research applications of these
  data are potentially endless. At the most basic level, you could use them
  to tease out patterns of infidelity (or at least interest in infidelity)
  in terms of geography, age, race, religion, sex, height or income.  But
  with the tremendous benefits come serious risks. As sex researchers dig
  into the data from the Ashley Madison hack, they're confronted with a set
  of thorny questions: Is the data reliable?  Is it proper for researchers
  to analyze? Is it even legally permissible to access?  “We're in
  uncharted ethical waters with the Internet and all the data that's coming
  out of social networks. The Ashley Madison hack is just a particularly
  difficult example of a much larger issue,'' said Dr. Sharlene Hesse-Biber,
  a sociologist and research ethics expert at Boston College.  The
  reliability question is the most pressing; after all, if the data are so
  unreliable that they're not usable, the ethics and logistics don't
  matter. Early, non-academic analysis of the data has shown that a huge
  share of the 36 million accounts in the hack were fake, inactive or
  incomplete. And Ashley Madison made essentially no effort to verify any of
  the information in these accounts—even email addresses—so much of
  that information may wind up being useless.

You mean researchers are concerned that users might have put FALSE
information on forms at an online marriage cheating site?  Surely you jest!
(I know, I know, don't call you Shirley.)


Re: Data from hack of Ashley Madison cheater site (RISKS-28.92)

Dan Jacobson <jidanni@jidanni.org>
Thu, 03 Sep 2015 21:32:01 +0800
> highly embarrassing for the men and women

... a huge portion of Ashley Madison's software development efforts are
aimed at refining their fembot army, to make it seem that women are active
on the site. Either they did this because the number of real women was
vanishingly small, or because they didn't want men to hook up with real
women and stop buying credits from the company. Whatever the reason, it
appears that the Ashley Madison money-making scheme was bots all the way
down.

http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924


Re: ATM security risk: nonfinalization (McIntyre)

Dan Jacobson <jidanni@jidanni.org>
Thu, 03 Sep 2015 20:41:21 +0800
Where I live it is:
Please take your card.
Please take your cash.
In that order.
You are not getting your cash if you don't remove your card.
Seems to solve most problems.
