The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 94

Sunday 20 September 2015

Contents

America's Voting Machines at Risk
Brennan Center
Hanging chad redux? US heading for 2000-style election catastrophe, report finds
Ed Pilkington
Leaked NSC Memo on Encryption
WashPost
Obama faces growing momentum to support widespread encryption
Nakashima and Peterson
WH Realizes Mandating Backdoors To Encryption Isn't Going To Happen
Tech Dirt
Why We Positively, Absolutely, Can't Trust the Government with Encryption
Lauren Weinstein
CISA on OPM: “responding to a bear attack by stockpiling honey”
Eric Geller via Henry Baker
Tech Companies Resist Govt Surveillance
Calo and Penuela
Kilton Public Library Reactivates Tor Node
Nora Doyle-Burr
Major Internet outage strikes again
Matthew Reed
American Airlines flew wrong plane to Hawaii
WashPost
Hack on United Airlines Makes CIA's Job More Difficult
Cybersecintell
Drug lord may be in Costa Rica, based on tweet
Dan Jacobson
Lockpickers 3-D Print TSA Master Luggage Keys From Leaked Photos
WiReD
Researcher Hacks Self-driving Car Sensors
IEEE Spectrum
Russian Hackers Hijack Satellite to Steal Data from Thousands of Hacked Computers
PGN
FireEye Malware Protection System hacked with malware
Henry Baker
Programming errors allow cracking of 11 million+ Ashley Madison passwords
Dan Goodin
Buffer Overflows: Blast from the Past
Henry Baker
"Attackers install highly persistent malware implants on Cisco routers"
Lucian Constantin
Brain Hacking state-of-art
Lovett in Analog
How Can a Netizen be Responsible and Secure?
Dick Mills
How to make the Internet worse for everyone except the slimeballs
Lauren Weinstein
One Symptom in New Medical Codes: Doctor Anxiety
NYTimes
Watch Out: If You've Got a Smart Watch, Hackers Could Get Your Data
David Robertson
"How Microsoft's data case could unravel the US tech industry"
Zack Whittaker
Mozilla: data stolen from hacked bug database was used to attack Firefox
Ars Technica
How Ashley Madison Hid Its Fembot Con From Users and Investigators
Gizmodo
"The Web's 10 most dangerous neighborhoods"
Maria Korolov
Faults Sense of Security
Henry Baker
Facebook's Like Buttons Will Soon Track Your Web Browsing to Target Ads
Technology Review
Boston still tracks vehicles, lies about it, and leaves sensitive resident data exposed online
Dig Boston
HP didn't get the security memo re HTTPS
Henry Baker
FBI Safety: Disconnect IoT Devices from the Internet
Henry Baker
Need to install a font on Windows 10? Turn on the firewall
SuperUser
Microsoft is downloading Windows 10 to your machine 'just in case'
LW
Re: Windows 7, 8, and 10: Now all collecting user data for Microsoft
Erling Kristiansen
Re: Unwanted data transmissions by Windows 10
Wol
Re: No gigabyte nets for autonomous vehicles
Dimitri Maziuk
Wol
Re: Vehicles with keyless ignition systems...
Chris Drewe
Re: Google's Driverless Cars Run Into Problem: Lack of appreciation of "social"
Bob Frankston
Info on RISKS (comp.risks)

America's Voting Machines at Risk (Brennan Center)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 15 Sep 2015 7:30:04 PDT
A new report published by the New York University School of Law Brennan
Center for Justice says that 43 states will use electronic voting machines
older than 10 years in the 2016 elections, increasing the risk of failures
and system crashes.

Lawrence Norden, Christopher Famighetti, The Brennan Center, 15 Sep 2015
America's Voting Machines at Risk
https://www.brennancenter.org/publication/americas-voting-machines-risk

Executive Summary

In January 2014, the bipartisan Presidential Commission on Election
Administration (PCEA) issued a stern warning that should be of grave concern
to all Americans: There is an “impending crisis—from the widespread
wearing out of voting machines purchased a decade ago.  Jurisdictions do not
have the money to purchase new machines, and legal and market constraints
prevent the development of machines they would want even if they had
funds.”

This report, nearly two years later, documents in detail the extent of the
problem and the steps we must take in the coming years to address it. Over
the past 10 months, the Brennan Center surveyed more than 100 specialists
familiar with voting technology, including voting machine vendors,
independent technology experts, and election officials in all 50 states. In
addition, we reviewed scores of public documents to quantify in greater
detail the extent of the crisis. We explore the current challenge in three
parts: (1) the danger, looking at the age of machines around the country
relative to their expected lifespans and the problems that we can expect;
(2) the new technologies that can help solve the problem going forward; and
(3) recommended solutions to the impending crisis.


Hanging chad redux? US heading for 2000-style election catastrophe, report finds (Ed Pilkington)

"Hendricks Dewayne" <dewayne@warpspeed.com>
Sep 15, 2015 12:39 PM
Ed Pilkington, *The Guardian*, 15 Sep 2015, via Dave Farber
Voting technology deployed by most states across the US is now so
antiquated it is in danger of breaking down, experts say
http://www.theguardian.com/us-news/2015/sep/15/2016-election-old-voting-machines-hanging-chad

The United States is heading for another catastrophe in its voting system
equivalent to the notorious *hanging chad* affair that shook the country in
2000 and propelled George W Bush into the White House, experts on electoral
procedures are warning.

The voting technology deployed by most states around the country is now so
antiquated and unreliable that it is in danger of breaking down at any
time, the experts say. Some states are having to go on eBay to buy spare
parts for machines that are no longer manufactured.

The extent of decay in America's electoral infrastructure is laid bare in a
new report from the Brennan Center, a nonpartisan institute at the New York
University School of Law specializing in democracy and justice. Having
consulted more than 100 voting specialists in all 50 states, the center
concludes that the country is facing an impending crisis in the way it
conducts elections. [...]


WashPost: Leaked NSC Memo on Encryption

Henry Baker <hbaker1@pipeline.com>
Wed, 16 Sep 2015 17:11:50 -0700
FYI—This is an OCR'd version of the National Security Council memo leaked
to the Washington Post.  The pdf of the original looks like it was typed on
a *manual* typewriter—the NSC clearly following the lead of Russia to
avoid being intercepted electronically!  [The irony of the NSC using a
manual typewriter for a memo on encryption is truly delicious!]

http://www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks

The most distressing part of this memo is its complete disregard of the
Constitution.  The only "stakeholders"—according to this NSC memo—in
favor of "civil liberties" and "human rights" seem to be organizations --
e.g., the EFF and the ACLU; ordinary citizens are apparently not
"stakeholders", and have no "stake" in this discussion.

Of course, every time someone uses the term "stakeholder", the only images
that come to mind are those scenes from black-and-white horror movies in
which the townspeople are chasing a vampire with wooden stakes that they
intend to drive through his heart!

http://apps.washingtonpost.com/g/documents/national/read-the-nsc-draft-options-paper-on-strategic-approaches-to-encryption/1742/

REVIEW OF STRATEGIC APPROACHES

Option 1: Disavow Legislation and Other Compulsory Actions
Option 2: Defer on Legislation and Other Compulsory Actions
Option 3: Remain Undecided on Legislation or Other Compulsory Actions

[Each has Engagement Strategy, timeline, Top Line Message; pros and cons;
  Much too long for RISKS, but fascinating reading.  PGN]


Obama faces growing momentum to support widespread encryption (Nakashima and Peterson)

Henry Baker <hbaker1@pipeline.com>
Wed, 16 Sep 2015 16:58:09 -0700
Ellen Nakashima and Andrea Peterson, *The Washington Post*, 16 Sep 2015
https://www.washingtonpost.com/world/national-security/tech-trade-agencies-push-to-disavow-law-requiring-decryption-of-phones/2015/09/16/1fca5f72-5adf-11e5-b38e-06883aacba64_story.html

White House officials have backed away from seeking a legislative fix to
deal with the rise of encryption on communication devices, and they are even
weighing whether to publicly reject a law requiring firms to be able to
unlock their customers' smartphones and apps under court order.

For the past year, law enforcement and the intelligence community have
warned that an inability to obtain decrypted data is putting public safety
and national security at risk, arguing it will allow criminals and
terrorists to communicate securely.  They have appealed to tech companies to
voluntarily come up with solutions for their own products, and they don't
want to rule out legislation entirely.

But over the summer, momentum has grown among officials in the commerce,
diplomatic, trade and technology agencies for a statement from the president
*strongly disavowing* a legislative mandate and supporting widespread
encryption, according to senior officials and documents obtained by The
Washington Post.

Their argument: Ruling out a law and supporting encryption would counter the
narrative that the United States is seeking to expand its surveillance
capability at the expense of cybersecurity.  They say the statement from the
president also would help repair global trust in the U.S. government and
U.S. tech companies, whose public images have taken a beating in the wake of
disclosures about widespread National Security Agency surveillance.

And, they argue, it would undercut foreign competitors' claims that U.S.
firms are instruments of mass surveillance. [...]


WH Realizes Mandating Backdoors To Encryption Isn't Going To Happen (Tech Dirt via Dave Farber)

Richard Forno <rforno@infowarrior.org>
September 17, 2015 at 2:18:41 PM EDT
https://www.techdirt.com/articles/20150916/15035232275/white-house-realizes-mandating-backdoors-to-encryption-isnt-going-to-happen.shtml

Over the last few months, I've heard rumblings and conversations from
multiple people within the Obama administration suggesting that they don't
support the FBI's crazy push to back door all encryption. From Congress, I
heard that there was nowhere near enough support for any sort of legislative
backdoor mandate. Both were good things to hear, but I worried that I was
still only hearing from one side, so that there could still be serious
efforts saying the opposite as well. However, The Washington Post has been
leaked quite a document that outlines three options that the Obama
administration can take in response to the whole "going dark" question. And
the good news? None of them involve mandating encryption. Basically, the key
message in this document is that no one believes legislation is a realistic
option right now (more on that in another post coming shortly).

That's big!

The document's three options can be summarized as follows:

* Option 1: Do the right thing, admit that backdooring encryption is a bad
  idea and dumb, and stand up for real cybersecurity by saying that more
  encryption is generally good for society. This will make lots of people
  happy—including civil liberties folks and the tech industry, and it
  will also do more to protect the public. It will also help the most with
  many foreign countries in showing that the US isn't just trying to spy on
  everyone—though it may piss off a few countries (mainly the UK) who
  have doubled down on backdooring encryption. Also, it will undermine
  China's plan to backdoor encryption as well. Let's call this the right
  option.

* Option 2: Yeah, we know what the right thing to do is, but we'll take a
  half-assed approach to it to try to appease the FBI/law enforcement folks
  and not come out nearly as strongly against legislation. We'll say there's
  no legislation, but we'll at least leave the door open to it. In private,
  we may still push tech companies to backdoor stuff. This will anger lots
  of folks, but maybe (the administration believes) some civil liberties
  types will think it's enough of a win to celebrate. Then we pretend that
  we can hold some sort of "discussion" between people who disagree.

* Option 3: We totally punt on the issue and don't really say anything. If
  we do say something, we say that this issue needs a lot more discussion
  and study (just like people have been saying for the last year). In other
  words, endless cryptowars with no end in sight.

Clearly, Option 1 is the only sensible option, and the report lays out some
pretty strong arguments for why coming out against backdooring encryption
would be good. It would actually make the tech industry much more willing to
work with the government in productive ways, rather than stupid, privacy and
security-destroying ways. It would actually better protect the public and it
would stop authoritarian regimes from using our own language against us to
break encryption. The cons are basically that law enforcement might whine
about it. Well, the administration actually says that it "provides no
immediate solution to the challenges that the expanding use of encryption
poses to law enforcement and national security" but given that law
enforcement still hasn't done a good job showing this is a real problem,
that's not really a big deal.

In fact, law enforcement is still relying on made up ghost stories rather
than any real evidence that encryption is a problem.

So, now the big question is which option the administration will
choose. Will it stand up and take leadership on this issue (Option 1),
thereby actually protecting Americans? Or will it do a variety of half-assed
measures believing that it has to support "both sides" or some crap like
that? From the leaked report, it appears that if it chooses either Option 1
or 2, the White House will make a public statement on the matter within the
next few weeks.

  It's better to burn out than fade away.]


Why We Positively, Absolutely, Can't Trust the Government with Encryption

Lauren Weinstein <lauren@vortex.com>
Fri, 11 Sep 2015 19:16:49 -0700
http://lauren.vortex.com/archive/001123.html

By now you're hopefully aware that the U.S. federal government is engaged in
a major effort to pressure technology firms like Google and Apple to provide
"backdoors" into encryption systems (particularly for mobile devices) that
are increasingly designed so that the firms themselves cannot even decrypt
the data without cooperation from the devices' owners. Simultaneously, there
are efforts to pressure Congress into mandating such backdoors if the firms
refuse to voluntarily cooperate.

Despite the fact that essentially every reputable security, encryption, and
privacy expert agrees that it is technically impossible to design such a
backdoor that would not massively increase the potential for black-hat
hacking—and so dramatically decrease the security of these systems—law
enforcement continues to imply that if you don't see things their way --
well, perhaps you're not a loyal American.

This was very nearly stated explicitly by the FBI and CIA directors at the
Intelligence and National Security Summit in Washington yesterday, where the
men bemoaned negative public opinion, "deep cynicism," and "venom" directed
at the backdoor access plans—with CIA Director John Brennan suggesting
that persons promulgating these views "may be fueled by our adversaries."

Mr. Brennan's remark is reminiscent of President Richard Nixon's paranoid
delusions that antiwar Vietnam protesters were all the puppets of ghostly
Communist agents.

Well, Mr. Brennan, let me help set you straight regarding your comment,
which I believe many of us in the technology community find to be extremely
misguided and offensive.

We don't have any foreign masters. We simply don't trust you.

And it's not just you. Almost everywhere we look at the intersection of
technology and any agencies involved even peripherally in law enforcement
activities, there's a long list of lies, errors, mismanagement, screw-ups,
and abuses galore.

It's an ironic situation to be sure, given that the technology displaying
these very words at this very moment can trace their ancestry to a
Department of Defense computer networking project.

But the sad truth is that at every level of government, no matter whether
Democrats or Republicans are in power, it's generally the same story.

It starts at the local level, with municipalities lying to citizens about
red light cameras, license plate readers, and police surveillance systems.

At the state level it moves up to abuse and foul-ups of DMV databases and
more.

And at the federal level the list is almost too long to even begin.

The recently revealed Office of Personnel Management hack exposed the
personal data—including sensitive security clearance applications and
related forms—of perhaps four million people or more. A 29-year-old
contractor waltzes out of NSA with a thumb drive filled with reams of the
agency's most sensitive documents.

No—Mr. CIA Director and Mr. FBI Director—you're not going to sell us
your foreign influence bogeymen this time.

We simply believe that we cannot trust government agencies to have the
honesty and competency to be entrusted with keys to our own encryption --
the security of which is rapidly becoming a fundamental requirement of our
day-to-day lives.

Frankly, even if there were a magic wand that could create that impossible
backdoor system in a seemingly secure and safe manner—we still wouldn't
and couldn't entrust you not to find avenues to abuse it.

This is overall a very unfortunate state of affairs, because yes, we know
that encryption may be leveraged for evil in very serious ways.

But you still can't get blood out of a stone.

The technical reality is that the kinds of encryption backdoors you want
cannot be made secure and would themselves represent horrific security
risks.

Perhaps someday you'll find ways to earn back our trust. But all the trust
in the world won't change the technical realities that make encryption
backdoors a non-starter.

And the sooner you understand these truths, the better it will be for us
all.


CISA on OPM: “responding to a bear attack by stockpiling honey”

Henry Baker <hbaker1@pipeline.com>
Tue, 15 Sep 2015 08:46:21 -0700
“the OPM inspector general had identified real risks to OPM's security
practices as early as 2007”

“If you can't protect it, don't collect it.”

'just because you put the word *cybersecurity* in the bill doesn't
necessarily make it a good idea'

Eric Geller, Daily Dot, 14 Sep 2015
Sen. Ron Wyden thinks the next big cybersecurity bill could make things worse
https://www.dailydot.com/politics/ron-wyden-opm-cisa-cybersecurity-interview/

Is the U.S. government doomed to repeat its past cybersecurity mistakes?
That's the big question currently plaguing Sen. Ron Wyden (D-Ore.), the
Senate's leading privacy advocate, as Congress begins to consider another
piece of cybersecurity legislation in the wake of the largest cyberattack in
U.S. government history.

Before Congress passes the major cybersecurity bill that's on its plate,
Wyden wants to analyze what went wrong in the massive data breach at the
U.S. Office of Personnel Management (OPM).  In the shadow of evidence
showing that OPM's vulnerabilities were known internally as far back as
2007, Wyden sent a letter to William Evanina, the head of the National
Counterintelligence and Security Center, asking how aware the agency was of
these flaws.  [...]


Tech Companies Resist Govt Surveillance (Calo and Penuela)

Henry Baker <hbaker1@pipeline.com>
Tue, 08 Sep 2015 08:42:12 -0700
FYI—An excellent rebuttal to this weekend's NYTimes article, which was
written *in advance* of said article!   [Indeed, a Prebuttal!  PGN]

Ryan Calo, Gabriella Penuela, Fusion, 07 Sep 2015 10 a.m.
Tech companies may be our best hope for resisting government surveillance
(This op-ed is adapted from a forthcoming essay in University of Chicago Law
Review.

"this move by tech giants to make government surveillance harder reflects
public opinion"

"we face serious hurdles in seeking to resist and reform surveillance in
practice"

"we can elect privacy-minded politicians, but how will we furnish them with
the access, expertise, or incentives needed to pursue reform?"

"criminals make bad surrogates for our Fourth Amendment rights"

"corporations act as custodians of our digital life" (from author's
U. Chi. L. Rev. paper)

"corporations have historically been complicit in, even enabling of, mass
surveillance"

"if a company promises to fight for its users, who will enforce that promise
if broken?"

"Citizens can extract promises from firms to push back against surveillance
on their behalf but have no recourse if these promises are not enforced."
(from author's U. Chi. L. Rev. paper)

"[Nevertheless, tech companies such as Apple and Google] may [still] be our
best chance out of this surveillance mess."

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2635181 )
http://fusion.net/story/193583/tech-companies-may-be-our-best-hope-for-resisting-government-surveillance/


Kilton Public Library Reactivates Tor Node

Henry Baker <hbaker1@pipeline.com>
Wed, 16 Sep 2015 11:59:22 -0700
FYI—An amazing "John Hancock" moment in history!  (John Hancock was the
1st signer of the Declaration of Independence.)
https://en.wikipedia.org/wiki/John_Hancock

Nora Doyle-Burr, *Valley News*, 16 Sep 2015
Despite Law Enforcement Concerns, Lebanon Board Will Reactivate Privacy
  Network Tor at Kilton Library
http://www.vnews.com/home/18620952-95/despite-law-enforcement-concerns-lebanon-board-will-reactivate-privacy-network-tor-at-kilton-library

"the city is not going to shut down its roads simply because some people
choose to drive drunk"

West Lebanon—The Kilton Public Library will reactivate its piece of the
anonymous Internet browsing network Tor, despite law enforcement's concerns
that the network might be used for criminal activities.

The Lebanon Library Board of Trustees let stand its unanimous June decision
to devote some of the library's excess bandwidth to a node, or relay, for
Tor, after a full room of about 50 residents and other interested members of
the public expressed their support for Lebanon's participation in the system.


Major Internet outage strikes again (Matthew Reed)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sat, 5 Sep 2015 18:23:38 -0600
Matthew Reed, *Fort Bragg Advocate-News*, 4 Sep 2015

A fiber optic line AT&T says was deliberately cut near Hopland sent
Mendocino County back into an Internet blackout.

The fiber was sliced at about 10 a.m. yesterday. The break caused 911
emergency service to be interrupted for many customers in Mendocino and
Humboldt Counties.

Capt. Greg Van Patten, MCSO public information officer, said yesterday that
the department was preparing for a 24 hour Internet black-out and put extra
deputies on patrol.

Van Patten said the investigation into the incident is ongoing.

“It was obvious that someone cut the line intentionally, which constitutes
an act of vandalism.  The investigation into the identity of any suspects is
underway, and also into the motive for the act.”

The cut was in a rural area about 1.5 miles south of Burke Hill Road in
Ukiah, according to MCSO, and the fiber optic line was located above ground.

http://www.advocate-news.com/general-news/20150904/major-internet-outage-strikes-again

I'm curious, were the extra deputies to prevent more vandalism, or to calm
the masses who can't post their Facebook/Twitter/Instagram/etc.  updates?


American Airlines flew wrong plane to Hawaii

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 13 Sep 2015 21:35:54 PDT
http://www.washingtonpost.com/news/morning-mix/wp/2015/09/13/american-airlines-accidentally-flew-the-wrong-plane-from-l-a-to-hawaii-last-month/


Hack on United Airlines Makes CIA's Job More Difficult

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 12 Sep 2015 9:16:51 PDT
<http://www.cybersecurityintelligence.com/blog/hack-on-united-airlines-makes-cias-job-more-difficult-601.html>

The Chinese hackers that stole the personally identifying information of
more than 20 million people from the Office of Personnel Management (OPM)
last year also hacked into United Airlines, Bloomberg reports. And Dave
Aitel, CEO of cybersecurity firm Immunity, Inc., notes that the hackers'
breach of United is especially significant as it's the main airline in and
out of Washington, DC's Dulles International, the nearest international
airport to the CIA's headquarters in Langley, Virginia.  “Every CIA
employee and visitor coming from abroad flies in and out of Dulles, and
chances are they're flying United, The combination of information
the hackers obtained from OPM with the travel information they now have from
United is hugely powerful, and it will make the kind of work the CIA does
much more difficult.” [...]


Drug lord may be in Costa Rica based on tweet

Dan Jacobson <jidanni@jidanni.org>
Mon, 07 Sep 2015 11:38:58 +0800
http://insidecostarica.com/2015/09/01/authorities-investigating-wanted-son-el-chapo-guzman-worlds-want-drug-lord-costa-rica/

Jesus Alfredo Guzman Salazar, 29, who is also wanted by the US Drug
Enforcement Administration (DEA), posted a tweet to the social networking
site, Twitter on Monday that may have inadvertently revealed his presence in
Costa Rica.  The social networking app, when used from a smartphone, pins a
user's location to each tweet, unless the feature is turned off.


Lockpickers 3-D Print TSA Master Luggage Keys From Leaked Photos

Monty Solomon <monty@roscom.com>
Fri, 11 Sep 2015 00:47:23 -0400
The TSA is learning a basic lesson of physical security in the age of 3-D
printing: If you have sensitive keys—say, a set of master keys that can
open locks you've asked millions of Americans to use—don't post pictures
of them on the Internet.

A group of lock-picking and security enthusiasts drove that lesson home
Wednesday by publishing a set of CAD files to Github that anyone can use to
3-D print a precisely measured set of the TSA's master keys for its
`approved' locks—the ones the agency can open with its own keys during
airport inspections. Within hours, at least one 3-D printer owner had
already downloaded the files, printed one of the master keys, and published
a video proving that it opened his TSA-approved luggage lock.

Those photos first began making the rounds online last month, after the
Washington Post unwittingly published (and then quickly deleted) a photo of
the master keys in an article about the `secret life' of baggage in the
hands of the TSA. It was too late. Now those photos have been used to derive
exact cuts of the master keys so that anyone can reproduce them in minutes
with a 3-D printer or a computer-controlled milling machine. [...]

http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/

  [Also noted in *The Washington Post* by Mark Thorson:
    http://boingboing.net/2015/08/21/make-your-own-tsa-universal-lu.html
  PGN]


Researcher Hacks Self-driving Car Sensors

Lauren Weinstein <lauren@vortex.com>
Mon, 7 Sep 2015 08:28:46 -0700
via NNSquad
http://spectrum.ieee.org/cars-that-think/transportation/self-driving/researcher-hacks-selfdriving-car-sensors

  The multi-thousand-dollar laser ranging (lidar) systems that most
  self-driving cars rely on to sense obstacles can be hacked by a setup
  costing just $60, according to a security researcher.  "I can take echoes
  of a fake car and put them at any location I want," says Jonathan Petit,
  Principal Scientist at Security Innovation, a software security
  company. "And I can do the same with a pedestrian or a wall."  Using such
  a system, attackers could trick a self-driving car into thinking something
  is directly ahead of it, thus forcing it to slow down. Or they could
  overwhelm it with so many spurious signals that the car would not move at
  all for fear of hitting phantom obstacles.  In a paper written while he
  was a research fellow in the University of Cork's Computer Security Group
  and due to be presented at the Black Hat Europe security conference in
  November, Petit describes a simple setup he designed using a low-power
  laser and a pulse generator. "It's kind of a laser pointer, really. And
  you don't need the pulse generator when you do the attack," he says. "You
  can easily do it with a Raspberry Pi or an Arduino.  It's really off the
  shelf."


Russian Hackers Hijack Satellite to Steal Data from Thousands of Hacked Computers

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 11 Sep 2015 3:58:29 PDT
  [Thanks to Laura S. Tinnel.]  Turla APT group, which was named after its
notorious software Epic Turla, is abusing satellite-based Internet
connections in order to:

* Siphon sensitive data from government, military, diplomatic, research and
  educational organisations in the United States and Europe.
* Hide their command-and-control servers from law enforcement agencies.

Read more here: http://thehackernews.com/2015/09/hacking-satellite.html


FireEye Malware Protection System hacked with malware

Henry Baker <hbaker1@pipeline.com>
Wed, 16 Sep 2015 13:37:21 -0700
FYI—This hack of FireEye's Malware Protection System (MPS) is very
instructive.

We are all told *never to open* attachments from suspicious-looking emails.
That's great advice.

Unfortunately, FireEye's MPS system never got that memo.  Attachments
*specially crafted to attack the FireEye MPS system itself* are opened by
the MPS system in order to look for malware.  Unfortunately, when a
specially-crafted ".zip" file is opened to look for malware inside, the
FireEye system itself is compromised.  Oops!

This is a general problem with antivirus/antimalware systems: they generally
run with high privileges, and they generally do risky stuff like opening
attachments on suspicious emails.

Thus, an antivirus/antimalware system should be constructed like the bomb
squad's Total Containment Vessels (TCV's).  Furthermore, this malware should
be moved to a safe location before opening it within said TCV.  FireEye's
TCV was thus compromised by an "explosive" device specifically constructed
to destroy just this TCV.

http://www.nabcoinc.com/vessels

 - - - -

Felix Wilhelm, ERNW
Playing with Fire: Attacking the FireEye MPS [Malware Protection System]
https://www.ernw.de/download/ERNW_44CON_PlayingWithFire_signed.pdf

Kim Zetter, *WiReD*, 11 Sep 2015
A Bizarre Twist in the Debate Over Vulnerability Disclosures
http://www.wired.com/2015/09/fireeye-enrw-injunction-bizarre-twist-in-the-debate-over-vulnerability-disclosures/

Dan Goodin, Ars Technica, 11 Sep 2015
Security company litigates to bar disclosure related to its own flaws
http://arstechnica.com/security/2015/09/security-company-sues-to-bar-disclosure-related-to-its-own-flaws/


Programming errors allow cracking of 11 million+ Ashley Madison passwords (Dan Goodin)

Henry Baker <hbaker1@pipeline.com>
Fri, 11 Sep 2015 06:42:03 -0700
Dan Goodin, ComputerWorld, 10 Sep 2015
"Data that was designed to require decades or at least years to crack was
instead recovered in a matter of a week or two."
  http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

Once seen as bulletproof, 11 million+ Ashley Madison passwords already
cracked; Programming errors make 15.26 million accounts orders of magnitude
faster to crack.

When the Ashley Madison hackers leaked close to 100 gigabytes' worth of
sensitive documents belonging to the online dating service for people
cheating on their romantic partners, there seemed to be one saving grace.
User passwords were cryptographically protected using bcrypt, an algorithm
so slow and computationally demanding it would literally take centuries to
crack all 36 million of them.

Now, a crew of hobbyist crackers has uncovered programming errors that make
more than 15 million of the Ashley Madison account passcodes orders of
magnitude faster to crack.  The blunders are so monumental that the
researchers have already deciphered more than 11 million of the passwords in
the past 10 days.  In the next week, they hope to tackle most of the
remaining 4 million improperly secured account passcodes, although they
cautioned they may fall short of that goal.  The breakthrough underscores
how a single misstep can undermine an otherwise flawless execution.  Data
that was designed to require decades or at least years to crack was instead
recovered in a matter of a week or two.

The cracking team, which goes by the name "CynoSure Prime," identified the
weakness after reviewing thousands of lines of code leaked along with the
hashed passwords, executive e-mails, and other Ashley Madison data.  The
source code led to an astounding discovery: included in the same database of
formidable bcrypt hashes was a subset of 15.26 million passwords obscured
using MD5, a hashing algorithm that was designed for speed and efficiency
rather than slowing down crackers. [...]


Buffer Overflows: Blast from the Past

Henry Baker <hbaker1@pipeline.com>
Wed, 16 Sep 2015 08:36:42 -0700
Somehow, it seems more efficient to simply replay a past posting from Boxing
Day, 2001.  Nearly 15 years later, and things haven't improved; we're still
weeding out large numbers of buffer overflow bugs.  We're also very close to
having a person killed by a buffer overflow bug in automotive software.

Remind me again about how it would be *too expensive* to rewrite all this
bad code from scratch?

“it's high time that someone defined *buffer overflow* as being equal to
*gross criminal negligence*''

“If buffer overflows are ever controlled, it won't be due to mere crashes,
but due to their making systems vulnerable to hackers.''

“the records of our customer service department show very few complaints
about software crashes due to buffer overflows and the like''

“The lauded Microsoft programming tests of the 1980's were designed to weed
out anyone who was careful enough to check for buffer overflows, because
they obviously didn't understand and appreciate the intricacies of the C
language.''

“If I remove array bounds checks from my software, I will get a raise and
additional stock options due to the improved performance and decreased
number of calls from customer service.''

'Software people would never drive to the office if building engineers and
automotive engineers were as cavalier about buildings and autos as the
software engineer is about his software.'

[See Henry Baker, Buffer Overflow Security Problems, RISKS-21.85, 26 Dec 2001
http://catless.ncl.ac.uk/Risks/21.84.html
]


"Attackers install highly persistent malware implants on Cisco routers" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 17 Sep 2015 19:41:49 -0700
Lucian Constantin, InfoWorld, 15 Sep 2015
The firmware on at least 14 business routers has been replaced with a
backdoored version, researchers from Mandiant found
http://www.infoworld.com/article/2984085/security/attackers-install-highly-persistent-malware-implants-on-cisco-routers.html


Brain Hacking state-of-art (Analog, Lovett)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 11 Sep 2015 21:37:53 -0500
Analog SF & Fact Magazine, November 2015 issue, has an article by Richard
A. Lovett on the legal, social, scientific, etc. ramifications of the latest
(very real) mind-reading technologies, with many scary examples of both good
and evil applications, in both the current state of the art and where the
tech appears to be going.

Researchers show volunteers various topics, then use brain scanning to
monitor how the brain reacts, building up a database of what is common
across many volunteers when they interact with the same subjects.  Then a
computer compares the brain scan patterns of different volunteers against
the database to deduce what they were thinking about.

Failures include volunteers misidentifying what they are viewing.  Plus, the
technology can only handle still photos and is not yet fast enough to track
a human brain watching something in motion.  It is not clear from the
article what kinds of computers were used.  The limiting factor seems to be
in the brain-scanning technology, not the computer analysis.

Anyone who cares about mental privacy ought to pick up a copy, on sale at
news stands until Oct 27, when it gets replaced by the December issue.  If
this is not sold in your area, back issues can be obtained from Dell
Magazines Direct, 1-800-220-7443.  More info at www.analogsf.com

Technology, developed for good medical purposes, can have non-medical
applications.

Human Genome Mapping led to law enforcement use and abuse of DNA in the
identification of crime suspects, finding some innocent, but the costs are
so high that there can be inadequate budget to address minor crimes.  US
police have an astronomical volume of untested rape kits; money was
budgeted to resolve the backlog, but many localities have opted to spend
the money on other things than bringing justice for rape victims by
catching serial rapists.

Similarly, Human Brain De-Coding can determine:

* If a suspect has been at a crime scene;
* Get someone's password, which was never written down anywhere;
* What pictures someone saw, including in a dream.

Just as Google Translate does not measure up to Star Trek's Universal
Translator, current Brain Hacking Technologies are vastly inferior to Vulcan
Mind Meld.

The technology is in its infancy and is frightfully expensive, but has
significant worldwide research funding.  It will get more effective, and
cheaper.  So right now its use is mainly by governments and medical
researchers, not terrorists & criminals.  In the future: schools may use it
on kids; married partners won't need a breach to detect cheaters; and
handheld portable scanners, to find out which politicians are lying to us,
will revolutionize elections.

 - - - -

Will this become like taking photos in a public place, where police harass
citizens legally recording their work now, and will go crazy when we can
detect corrupt cops electronically?

How soon will this be mounted on drones, to detect people thinking "Death to
America" and how to go about it?

Do Mind Readers need a Search Warrant?  Does the Right not to Self
Incriminate oneself apply?  The article presents arguments on both sides of
such legal questions.

There are technologies which may not be exported to repressive states.  This
may belong on the list, but they probably already have it.


How Can a Netizen be Responsible and Secure?

Dick Mills <dickandlibbymills@gmail.com>
Sat, 12 Sep 2015 10:00:10 -0400
I got an email that claimed to be from Paypal.  It said that a subscription
payment to Lastpass password manager had failed; click here.  Of course, as
an informed netizen I would never click on an emailed link.  It was clearly
phishing.

I forwarded the phishing email to Paypal security and to Lastpass security.
Paypal responded saying yes indeed it was a phishing attempt and that Paypal
would never ever send me an email with a link.  Lastpass responded with an
email that said, "To see our response to your ticket, click here."

I thought it was safe to click on the Lastpass emailed link because I
requested it.  So, I did click it, but I immediately regretted doing so.  It
could have been a two-stage phishing attempt anticipating a Lastpass
follow-up.

Today, I got emails from both Paypal and Lastpass saying that my
subscription was canceled because of nonpayment. (Both emails offered links
to click to remedy the situation.)

It appears that all those "phishing" emails were actually legitimate.  It
also appears that Paypal security claimed that their own legitimate email
was a phishing attempt to cover up their embarrassment over bad security
practices.

My lifestyle is not compatible with snail mail, brick and mortar stores,
cars, buses, or cash.  I must live electronically.  How the dickens can I do
that while being responsible and secure?


How to make the Internet worse for everyone except the slimeballs

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Sep 2015 19:56:52 -0700
https://plus.google.com/+LaurenWeinstein/posts/TPGq25rCG5C

One of the most likely responses to the widespread use of ad blockers will
be a vast increase in so-called "native advertising," exemplified by
articles, stories, or other materials—including "editorials" and the like
-- that do not reveal in a straightforward manner that they are actually
*placements* whose content is being paid for by advertisers. In essence,
these are "stealth ads"—designed to pretend they're not ads at all. And
ad blockers normally won't be able to touch them. So now instead of knowing
that there's an ad trying to convince you to buy something or change your
point of view, you won't even know someone is paying to put the words and
images in front of you. Congratulations.


One Symptom in New Medical Codes: Doctor Anxiety

Lauren Weinstein <lauren@vortex.com>
Sun, 13 Sep 2015 20:19:34 -0700
http://www.nytimes.com/2015/09/14/us/politics/one-symptom-in-new-medical-codes-doctor-anxiety.html?partner=rss&emc=rss

  The more than 100,000 new codes, which will take effect on Oct. 1, have
  potential benefits, as they will require doctors to make a deeper
  assessment of many patients.  But the change is causing waves of anxiety
  among health care providers, who fear that claims will be denied and
  payments delayed if they do not use the new codes, or do not use them
  properly. Some doctors and hospitals are already obtaining lines of credit
  because they fear that the transition to the new system will cause
  cash-flow problems.

This could end up being a situation where the desire to collect more
detailed data ends up killing people.


Watch Out: If You've Got a Smart Watch, Hackers Could Get Your Data

"ACM TechNews" <technews@hq.acm.org>
Mon, 14 Sep 2015 12:35:49 -0400 (EDT)
David Robertson, University of Illinois News Bureau, 9 Sep 2015 via
ACM TechNews, Monday, Sept. 14, 2015

University of Illinois at Urbana-Champaign (UIUC) researchers recently
concluded the Motion Leaks through Smartwatch Sensors (MoLe) project, which
found smartwatches are vulnerable to hackers.  The researchers designed an
app and were able to guess what a user was typing through data "leaks"
produced by the motion sensors on smart watches.  The research has privacy
implications, as an app that looks harmless could gather data from email
messages, search queries, and other confidential documents.  Although
smartwatches can offer valuable insights into human health and context, "the
core challenge is in characterizing what can or cannot be inferred from
sensor data and the MoLe project is one example along this direction," says
UIUC professor Romit Roy Choudhury.  The app uses an accelerometer and
gyroscope to track the micro-motion of keystrokes as a wearer types on a
keyboard.  A possible solution to these motion leaks would be to lower the
sample rate of the sensors in the watch, notes UIUC Ph.D. student He Wang.
The researchers' current system cannot detect special characters such as
numbers, punctuation, and symbols that could appear in passwords, but the
researchers say hackers could develop techniques for these characters in the
future.


"How Microsoft's data case could unravel the US tech industry" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Wed, 09 Sep 2015 11:59:01 -0700
Zack Whittaker, Zero Day, 3 Sep 2015
The case, if lost, could see a mass exodus of international customers
from the US cloud.
http://www.zdnet.com/article/why-microsoft-data-case-could-unravel-the-us-tech-industry/

opening text:

Saying "no" to the government is never a good idea. But Microsoft had little
option.

In a little under a week, Microsoft will again head to a Manhattan court in
an effort to try to quash a search warrant, sought by the US Justice
Department, in an international drugs-related case.

The warrant itself isn't out of the ordinary, but it does contain a crucial
facet: It is demanding data on an email account stored by Microsoft in a
datacenter in Ireland.


Mozilla: data stolen from hacked bug database was used to attack Firefox (via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Fri, 4 Sep 2015 16:58:57 -0700
http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-bug-database-was-used-to-attack-firefox/

  An attacker stole security-sensitive vulnerability information from the
  Mozilla's Bugzilla bug tracking system and probably used it to attack
  Firefox users, the maker of the open-source Firefox browser warned
  Friday. In an FAQ published (PDF) alongside Mozilla's blog post about the
  attack, the company added that the loss of information appeared to stem
  from a privileged user's compromised account.  The user appeared to have
  re-used their Bugzilla account password on another website, which suffered
  a data breach. The attacker then allegedly gained access to the sensitive
  Bugzilla account and was able to "download security-sensitive information
  about flaws in Firefox and other Mozilla products."

No 2-factor login protection Mozilla? REALLY?


How Ashley Madison Hid Its Fembot Con From Users and Investigators

Lauren Weinstein <lauren@vortex.com>
Mon, 14 Sep 2015 11:12:09 -0700
NNSquad

http://gizmodo.com/how-ashley-madison-hid-its-fembot-con-from-users-and-in-1728410265

  To the Ashley Madison "guest," or non-paying member, it would appear that
  he was being personally contacted by eager women. But if he wanted to read
  or respond to them, he would have to shell out for a package of Ashley
  Madison credits, which range in price from $60 to $290. Each subsequent
  message and chat cost the man credits. As documents from company e-mails
  now reveal, 80 percent of first purchases on Ashley Madison were a result
  of a man trying to contact a bot, or reading a message from one. The
  overwhelming majority of men on Ashley Madison were paying to chat with
  Angels like Sensuous Kitten, whose minds were made of software and whose
  promises were nothing more than hastily written outputs from algorithms.
  But the men were not fooled. At least, not all of them. An analysis of
  company e-mails, coupled with evidence from Ashley Madison source code,
  reveals that company executives were in a constant battle to hide the
  truth. In emails to disgruntled members of the site, and even the
  California attorney general, they shaded the truth about how the bots fit
  into their business plan.


"The Web's 10 most dangerous neighborhoods" (Maria Korolov)

Gene Wirchenko <genew@telus.net>
Wed, 09 Sep 2015 10:40:24 -0700
Maria Korolov, InfoWorld, 1 Sep 2015
Ten top-level domains are to blame for at least 95 percent of the
websites that pose a potential threat to visitors
http://www.infoworld.com/article/2978801/security/the-webs-10-most-dangerous-neighborhoods.html

opening text:

Wouldn't it be convenient if all the spam and malware sites were all grouped
together under one top-level domain—.evil, say—so that they would be
easy to avoid? According to a new study from Blue Coat, there are in fact 10
such top-level domains, where 95 percent or more of sites pose a potential
threat to visitors.


Faults Sense of Security

Henry Baker <hbaker1@pipeline.com>
Mon, 07 Sep 2015 11:05:17 -0700
Oscar Wilde supposedly said "ASSUME makes an ASS out of U and ME", which
makes Wilde the first security researcher, since a security "exploit" by
definition takes advantage of an *assumption* that isn't always true.

(Mark Twain was another early security researcher: "It ain't what you don't
know that gets you into trouble.  It's what you know for sure that just
ain't so.")

The "Rowhammer" hardware bug recently discussed at Blackhat 2015 has
converted a run-of-the-mill DRAM *reliability* problem into a *security*
problem.

But this won't be the last such conversion.

*To a first approximation, *every* HW/SW bug can potentially be escalated
into a security exploit.*

In short, HW bugs don't just cause BSOD's (Blue Screens of Death); it's now
only a matter of months/weeks(?) before such a rowhammer exploit is found in
the wilde that empties bank accounts.

Here are some excerpts from the Blackhat Rowhammer talk slides:

Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges

How to cause and exploit single bit errors

Mark Seaborn and Halvar Flake <mseaborn@chromium.org>

Timeline, 2014

June, 2014 CMU paper published
Sept, 2014 CMU paper read
Oct, 2014 NaCl exploit working & tested on more laptops
Nov, 2014 Kernel exploit working (12 weeks)

"Reliability" problems are often security problems

e.g., Memory corruption bugs
* Originally treated as "just reliability" issues
* Clever exploits showed they're more dangerous than that

Hardware industry hasn't internalised this lesson yet.

Bad cells

"Badness" varies by DRAM module:
* % of rows with bad cells: Varies from 30% to 99.9%
* # of row activations causing failure: Can be as low as 98,000
([only] 8% of the 1,300,000 allowed by spec)

Repeated row activations can cause bit flips in adjacent rows
* A fault in many DRAM modules, from 2010 onwards
* Bypasses memory protection: One process can affect others
* The three big DRAM manufacturers all shipped memory with this problem
* A whole generation of machines

Mitigations
CMU paper: The industry has been aware of this problem since at least 2012
* Industry preparing mitigations—but no security advisories
* ECC (Error Correcting Codes)
* TRR (Target Row Refresh)
* Higher DRAM refresh rates

Conclusions
* As software-level sandboxes get better, attackers will likely target more esoteric bugs, such as hardware bugs
* Rowhammer: not just a reliability problem
* Hard to verify that hardware meets spec
* Vendors should adopt security mindset
* Vendors should be more transparent

https://www.youtube.com/watch?v=0U7511Fb4to

https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges-wp.pdf

http://arxiv.org/pdf/1507.06955v1.pdf

https://github.com/google/rowhammer-test
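The ECC mitigation the slides list, as an added example (not from the slides or from google/rowhammer-test): a (72,64) SEC-DED Hamming code of the kind ECC DIMMs use, which corrects one flipped bit in a word, only detects two, and gives no guarantee for three or more, which is the caveat to keep in mind when ECC is offered as a Rowhammer fix. The bit positions flipped below are constructed.

```python
def parity_bits(nbits: int) -> int:
    """Smallest r with 2**r >= nbits + r + 1; r == 7 for 64 data bits."""
    r = 0
    while (1 << r) < nbits + r + 1:
        r += 1
    return r


def _is_pow2(x: int) -> bool:
    return x > 0 and x & (x - 1) == 0


def secded_encode(data: int, nbits: int = 64) -> int:
    """Build the codeword as an int.  Bit 0 is the overall parity, bits at
    power-of-two positions are Hamming parity, every other position 1..n
    carries one data bit (least significant data bit first)."""
    if not 0 <= data < (1 << nbits):
        raise ValueError("data does not fit in nbits")
    r = parity_bits(nbits)
    n = nbits + r
    word = 0
    d = 0
    for pos in range(1, n + 1):
        if _is_pow2(pos):
            continue
        if (data >> d) & 1:
            word |= 1 << pos
        d += 1
    # Parity bit i covers every position whose binary form has bit i set.
    for i in range(r):
        p = 0
        for pos in range(1, n + 1):
            if pos & (1 << i) and (word >> pos) & 1:
                p ^= 1
        word |= p << (1 << i)
    word |= bin(word).count("1") & 1  # overall parity lands in bit 0
    return word


def secded_decode(word: int, nbits: int = 64) -> tuple:
    """Return (data, status) with status 'ok', 'corrected' or 'uncorrectable'."""
    r = parity_bits(nbits)
    n = nbits + r
    syndrome = 0
    for pos in range(1, n + 1):
        if (word >> pos) & 1:
            syndrome ^= pos  # XOR of the positions of all set bits
    overall = bin(word & ((1 << (n + 1)) - 1)).count("1") & 1
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        # Odd number of flips (assumed one): the syndrome names the position;
        # syndrome 0 means the overall parity bit itself flipped.
        word ^= 1 << syndrome
        status = "corrected"
    else:
        # Even number of flips (assumed two): detected but not locatable.
        status = "uncorrectable"
    data = 0
    d = 0
    for pos in range(1, n + 1):
        if _is_pow2(pos):
            continue
        if (word >> pos) & 1:
            data |= 1 << d
        d += 1
    return data, status


def flip_bits(word: int, positions) -> int:
    """Simulate disturbance errors by flipping the listed codeword bits."""
    for p in positions:
        word ^= 1 << p
    return word


if __name__ == "__main__":
    cw = secded_encode(0xDEADBEEFCAFEBABE)
    print(secded_decode(flip_bits(cw, [17]))[1])      # corrected
    print(secded_decode(flip_bits(cw, [17, 42]))[1])  # uncorrectable
```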


Facebook's Like Buttons Will Soon Track Your Web Browsing to Target Ads (Technology Review)

Lauren Weinstein <lauren@vortex.com>
Wed, 16 Sep 2015 20:46:32 -0700
http://www.technologyreview.com/news/541351/facebooks-like-buttons-will-soon-track-your-web-browsing-to-target-ads/

  Facebook's ad targeting algorithms are about to get a new firehose of
  valuable and controversial personal data.  Starting next month, the
  millions of Facebook "Like" and "Share" buttons that publishers have added
  to their pages and mobile apps will start funneling data on people's Web
  browsing habits into the company's ad targeting systems.  After the
  change, the types of sites you visit could be used to tune ads shown to
  you inside Facebook's social networking service, its photo-sharing service
  Instagram, and websites that use Facebook's ad exchange.


Boston still tracks vehicles, lies about it, and leaves sensitive resident data exposed online (Dig Boston via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Tue, 8 Sep 2015 17:24:38 -0700
https://digboston.com/license-to-connive-boston-still-tracks-vehicles-lies-about-it-and-leaves-sensitive-resident-data-exposed-online/

  Prior to two weeks ago, when this reporter alerted authorities that they
  had exposed critical data, anyone online was able to freely access a City
  of Boston automated license plate reader (ALPR) system and to download
  dozens of sensitive files, including hundreds of thousands of motor
  vehicle records dating back to 2012. If someone saw your shiny car and
  wanted to rob your equally nice house, for example, they could use your
  parking permit number to obtain your address. All they had to do was find
  the server's URL.


HP didn't get the security memo re HTTPS

Henry Baker <hbaker1@pipeline.com>
Sun, 06 Sep 2015 12:18:28 -0700
I went to support.hp.com today to check on possible driver updates for an HP
computer.

I downloaded some of the drivers, but was appalled to see that HP used
"http:" rather than "HTTPS:" on its driver downloads.

Furthermore, some of the downloads terminated early—but *completely
quietly* on the latest Chrome browser—so that one would only notice later
that the download had been corrupted—in this particular case by simple
truncation.

HP seems to be blissfully unaware of:
1.  There are bad actors out there on the Internet;
2.  Who would like nothing better than to infect everyone's computers;
3.  Who find drivers and BIOS updates to be wonderful attack surfaces;
4.  And who can infect http downloads *silently* and in *real time*.

For example, security researchers have shown how a "Backdoor Factory" can
"patch" downloads "on-the-fly" which can't be detected later (see below).

"The technology doesn't necessarily know how an attacker was able to get
into a system, but [HP's] SureStart will find a way to detect that malware
of some form is present in the BIOS" [Duh!  Perhaps the malware got into the
BIOS during a download from http://ftp.hp.com ?]

HP is apparently selling off its TippingPoint security division; one can
only hope that one of HP's other security divisions will educate HP's
computer unit about how to encrypt driver downloads.

"[TippingPoint's] technology is not a key part of HP's broader security
strategy, which is focused on more sophisticated, faster-growing areas such
as *encryption*."

"Earlier this year, HP bought an encryption company Voltage Security, which
*helps customers protect their data*."

 - - - -

The Backdoor Factory (BDF)

For security professionals and researchers only.

The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

https://github.com/secretsquirrel/the-backdoor-factory

 - - - -

HP seeks to sell cyber security unit TippingPoint: sources

http://uk.reuters.com/article/2015/09/02/us-tippingpoint-m-a-hp-idUKKCN0R229120150902

 - - - -

HP Enhances SureStart Tech to Protect Users From BIOS Attacks

http://www.eweek.com/security/hp-enhances-surestart-tech-to-protect-users-from-bios-attacks.html

"The promise of SureStart is to help users protect, detect and recover from
BIOS attacks, Ali said.  *The technology doesn't necessarily know how an
attacker was able to get into a system*, but SureStart will find a way to
detect that malware of some form is present in the BIOS, he added."


FBI Safety: Disconnect IoT Devices from the Internet

Henry Baker <hbaker1@pipeline.com>
Tue, 15 Sep 2015 07:45:17 -0700
  We at the FBI know about these vulnerabilities, because we use them all
  the time to attack our own citizens' IoT devices.  We also don't want
  these vulnerabilities to be fixed, because otherwise, we'll "go dark", and
  won't be able to read your emails or view your daughter's webcam.

  Our job is now done.  You have been warned.  But don't forget to leave
  that Golden Key under the mat by the front door just for us. —FBI
  Director Comey

'The FBI ... offers some tips on mitigating those cyber threats.'

'purchase IoT devices from manufacturers with a track record of providing
secure devices' [i.e., *none* !]

'the criminal can access the home or business network and collect personal
information or remotely monitor the owner's habits and network traffic'

Alert Number I-091015-PSA. 10 Sep 2015
Internet of Things Poses Opportunities for Cyber Crime
http://www.ic3.gov/media/2015/150910.aspx

The Internet of Things (IoT) refers to any object or device which connects
to the Internet to automatically send and/or receive data.

As more businesses and homeowners use web-connected devices to enhance
company efficiency or lifestyle conveniences, their connection to the
Internet also increases the target space for malicious cyber actors.
Similar to other computing devices, like computers or Smartphones, IoT
devices also pose security risks to consumers.  The FBI is warning companies
and the general public to be aware of IoT vulnerabilities cybercriminals
could exploit, and offers some tips on mitigating those cyber threats.

  [Long item truncated for RISKS.  PGN]


Need to install a font on Windows 10? Turn on the firewall

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 9 Sep 2015 21:32:39 PDT
http://superuser.com/questions/957907/unable-to-install-fonts-on-windows-10

"After a week of trying everything. The answer as weird as it sounds it's to
enable the windows firewall. I, know makes no sense right? It's not
connected to font settings, however once "On" I was able to fix My issue
with installing fonts on windows 10 and not a valid font message!"


Microsoft is downloading Windows 10 to your machine 'just in case'

Lauren Weinstein <lauren@vortex.com>
Thu, 10 Sep 2015 12:51:14 -0700
NNSquad

http://www.theinquirer.net/inquirer/news/2425381/microsoft-is-downloading-windows-10-to-your-machine-just-in-case

  He told us: "The symptoms are repeated failed 'Upgrade to Windows 10' in
  the WU update history and a huge 3.5GB to 6GB hidden folder labeled
  '$Windows.~BT'. I thought Microsoft [said] this 'upgrade' was optional.
  If so, why is it being pushed out to so many computers where it wasn't
  reserved, and why does it try to install over and over again?  "I know of
  two instances where people on metered connections went over their data cap
  for August because of this unwanted download. My own Internet (slow DSL)
  was crawling for a week or so until I discovered this problem. In fact,
  that's what led me to it. Not only does it download, it tries to install
  every time the computer is booted."


Re: Windows 7, 8, and 10: Now all collecting user data for Microsoft

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 04 Sep 2015 10:44:15 +0200
Seems to leave us with two options:

  1. Abandon Windows altogether.

  2. Stick with Windows XP, which, according to Microsoft policy, will no
     longer be updated. It will therefore not get "spying features" added.

What I do, and have done for years, is to use Linux for everything, except
when there is something that requires Windows.  I then use XP (or
occasionally Vista on an old laptop), but only for those specific tasks.


Re: Unwanted data transmissions by Windows 10 (Durusau, RISKS-28.93)

Wols Lists <antlists@youngman.org.uk>
Fri, 04 Sep 2015 20:31:31 +0100
I have tried editing the hosts file on Windows - I wanted to add an explicit
entry for my printer, iirc.

WINDOWS WON'T LET YOU!

The windows self-protection feature - from as long ago as XP - will by
default revert any changes made to important system files - such as the
hosts file.

It can be defeated - I know it's possible to make changes stick - but it's
some magic incantation that defeated me.

So no. For a naive user, it is impossible to edit the hosts file.


Re: No gigabyte nets for autonomous vehicles (Stapleton-Gray, R-28.93)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Thu, 3 Sep 2015 15:11:46 -0500
Errmm... because an on-board computer with processing ability even
remotely close to that of an average 100 IQ brain is even further away
in the future than "as-yet-undefined 5G technology" with hard
"quality-of-service guarantee"?


Re: No gigabyte nets for autonomous vehicles (RSG, RISKS-28.93)

Wols Lists <antlists@youngman.org.uk>
Fri, 04 Sep 2015 20:40:20 +0100
> If the average 100 IQ human with modest visual ability and reflexes can
> successfully navigate, it's not at all clear to me why my future Subaru++ is
> going to require the equivalent of a streaming Hollywood movie, from long
> distances, to compete.

Many years ago (in the 80s, I believe, in the days of 8-bit processors) I
remember the stories about how much processing power would be required to
achieve AI and make robots that could walk etc. Then I read a story, about a
guy who *had* *made* robot crabs, that could successfully navigate the surf
zone on a beach. With water flowing backwards and forwards. With the sand
shifting underfoot. With breakers crashing over the little robots.

And all with minimal processing power that did little more than assess
the immediate situation, and adjust the stance of the robot so that when
the robot was free to move, it did so, and when the water was crashing
about it the aerodynamic (or waterdynamic) forces pushed it down and
held it firm.

We think we need to throw huge amounts of processing power at a problem
to solve the entire problem. But all biology does is throw minimal power
at it to solve the immediate issue, and that is usually more than is needed.


Re: Vehicles with keyless ignition systems... (RISKS-28.93)

Chris Drewe <e767pmk@yahoo.co.uk>
Sat, 05 Sep 2015 20:56:47 +0100
There's a vaguely similar problem with public transport in London.  As well
as contactless credit/debit cards, Apple Pay and similar smartphone systems
can now be used for fare payment.  All fine and dandy, but the London Transport
web site warns:

> Make sure you have enough battery
>
> Your iPhone or Apple Watch must be switched on to use it to travel. You
> should also check that you have enough battery on your iPhone or Apple
> Watch to complete your journey. If you don't and:
>
> It runs out of battery in the middle of a rail journey, you will not be
> able to touch out at the end and could be charged a maximum fare. If an
> inspector asks you to touch your iPhone or Apple Watch on their reader, it
> will not be able to be read and you could be liable for a penalty fare.

https://tfl.gov.uk/fares-and-payments/contactless/other-methods-of-contactless-payment/apple-pay

Of course the passive RFID-type of contactless cards don't have problems
with power supplies, but now that there are many more of them around, there
can be trouble with 'card clash' (when readers try to read two
close-together cards at once and fail) or, worse, when a passenger
unintentionally has one card read at the starting station and a different
one read at the final station.

PS: There was a small item in the newspaper about Twitter, and in particular
the 140-character limit (co-founder Jack Dorsey quoted as saying that it was
inspired by the 160-character limit of SMS), with the obvious aim of
preventing unnecessary verbosity.  Fine for English, but other languages can
need more letters to say something worthwhile, e.g. German...


Re: Google's Driverless Cars Run Into Problem: Lack of appreciation of "social" (Solomon, RISKS-28.93)

"Bob Frankston" <bob19-0501@bobf.frankston.com>
3 Sep 2015 16:02:27 -0400
Perhaps the real failure here is in failing to understand that driving is a
social activity. You are cooperating with other drivers with some suggested
rules of the road. The law doesn't work if we take it too seriously.

When I rented a Tesla in California the adaptive cruise control was set to 4
seconds behind the car in front of me. It worked there but would've failed
in Boston where other drivers would recognize an opportunity to use the
empty space between cars. I look forward to driverless cars so that I can
play chicken with them—I'll get right of way by winning 100% of the time.
Sure the driverless cars could try to respond by gaming me back but unlike
me they have a lawyer circuit that can't claim ignorance or inattention.

I do worry that insurance companies will view people doing their own driving
as reckless rather than innovative. You can't say you want innovation if you
are too efficient and serious about enforcing rules. The risk of optimizing
against arbitrary metrics.

And why are we characterizing the problem as automation rather than
assisting the driver and also setting aside some venue such as guideways
where driverless cars can cooperate with their peers?

This also reflects the larger inability to understand the Internet as a
byproduct of using software to cooperate in using common facilities to
create our own solution. This is why buffer bloat is a problem—a provider
is denying us the information essential for cooperation in hiding the true
characteristics of the infrastructure behind opaque buffers. The Internet is
a network in the social sense and not in the sense of something being
provided.
