The RISKS Digest
Volume 29 Issue 22

Sunday, 24th January 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Roger Kemp on the Lancaster Floods
Peter Bernard Ladkin
Nest Thermostats Are Having Battery Problems and There's No Fix Yet
Kate Knibbs
The Internet of Things that Talk About You Behind Your Back
Bruce Schneier
Automakers increasing efforts to enhance safety and defend against cyberattacks
Gabe Goldberg
Affinity sues Trustwave
security news media
Why no secure architectures in commodity systems?
Nick Sizemore
Overhaul Puts Pentagon in Charge of Protecting Federal Security Clearance Data
Damian Paletta
French seem to have rejected crypto/security backdoors
The Register
Royal Melbourne Hospital virus attack
The Age
Virus hits TRMC computers
As More Pay by Smartphone, Banks Scramble to Keep Up
Rarely Patched Software Bugs in Home Routers Cripple Security
Android bug
Martin Schaef
"Windows 10 Spying is worse than I ever imagined"
Gene Wirchenko
Instagram negatively impacting survival of big cats in the wild
Kaleigh Rogers
Facebook vs Indian Internet regulators
Prashanth Mundkur
Pakistan lifts ban on Youtube after launch of own version
Lauren Weinstein
"Understandable but Very Wrong: Google Enables Government YouTube Censorship in Pakistan"
Lauren Weinstein
74% of leading US 2016 Presidential Candidates flunk privacy & data security
Trust Alliance
Linux bug imperils tens of millions of PCs, servers, Android phones
Ars Technica
ColoSpgs NCIC national hub for cybersecurity
Warren Pearce
Why do people keep coming to this couple's home looking for lost phones
Kashmir Hill
Time Inc. Is in the Midst of a Replyallpocalypse
Monty Solomon
Risks of impostors
Dave Kristol
The resolution of the Bitcoin experiment
Mike Hearn
Pound vs. Dollar vs. ASCII
Dan Jacobson
Re: Ballot Battles: The History of Disputed Elections in the U.S.
Mark E. Smith
Re: Michigan IT security audit
Dimitri Maziuk
Re: USC students required to detail sexual history before registering for classes
John Levine
Privacy, Safety, Security & Healthcare --> Seeking Your Scholarship
Robert Mathews
Info on RISKS (comp.risks)

Roger Kemp on the Lancaster Floods

Peter Bernard Ladkin <>
Sun, 24 Jan 2016 18:08:38 +0100
On 5th December, 2015, the River Lune in the city of Lancaster in northwest
England overflowed its banks. The flood took out an electricity substation
on Caton Road, on the banks of the river, which blacked out the entire city
centre. The distinguished engineer Roger Kemp lives in the affected area and
wrote a fascinating short account. Roger kindly agreed to let my RVS group
publish it on our WWW pages.

"Power cuts - a view from the affected area" is the item from 24 January
2016 under I think it
is one of the most important notes on engineered-systems resilience which I
have ever read.

Fifty years ago in the UK, during a power cut you would lose the lights, and
the TV if you had one. Heating wasn't affected (except for the affluent
few), neither was cooking or telephone communications or your transistor
radio for information and entertainment, and young people did what they
always did, which apart from playing table tennis was mostly without
lights. Your local pub could still pull a pint and it was more fun by
candlelight. (A decade earlier, though, you'd have lost the radio as
well. Thank you Messrs. Bardeen, Brattain and Shockley.) Nowadays, ....
well, read about it!

Is it progress to replace critical independent systems with interdependent
systems subject to single points of failure? Almost every standard for
critical systems warns you not to do it, but that's what we've done.

Prof. Peter Bernard Ladkin, University of Bielefeld, 33594 Bielefeld, Germany

Nest Thermostats Are Having Battery Problems and There's No Fix Yet (Kate Knibbs)

Jim Reisert AD1C <>
Thu, 14 Jan 2016 10:32:12 -0700
Kate Knibbs, Gizmodo, 8 Jan 2016

A Gizmodo reader told us that his Nest had a software bug that caused his
battery to drain—which caused Nest to shut off and leave him with a
frigid home. This is, of course, exactly the opposite of what you want a
smart thermostat to do. Nest has admitted that people are having problems
with its batteries.

A Nest spokesperson told Gizmodo.  “We are aware of a low-battery issue
impacting some Nest Thermostat owners. In some cases, this may cause the
device to respond slowly or become unresponsive, We are actively
investigating the issue and working on a solution. In the meantime,
performing a manual restart of the thermostat will help until a fix is put
in place.''

The Internet of Things that Talk About You Behind Your Back

Bruce Schneier <>
Fri, 15 Jan 2016 02:35:56 -0600
CRYPTO-GRAM, January 15, 2016
Bruce Schneier (CTO, Resilient Systems, Inc.)

SilverPush is an Indian startup that's trying to figure out all the
different computing devices you own. It embeds inaudible sounds into the
webpages you read and the television commercials you watch. Software
secretly embedded in your computers, tablets, and smartphones picks up the
signals, and then uses cookies to transmit that information back to
SilverPush. The result is that the company can track you across your
different devices. It can correlate the television commercials you watch
with the web searches you make. It can link the things you do on your tablet
with the things you do on your work computer.

Your computerized things are talking about you behind your back, and for the
most part you can't stop them—or even learn what they're saying.

This isn't new, but it's getting worse.

Surveillance is the business model of the Internet, and the more these
companies know about the intimate details of your life, the more they can
profit from it. Already there are dozens of companies that secretly spy on
you as you browse the Internet, connecting your behavior on different sites
and using that information to target advertisements. You know it when you
search for something like a Hawaiian vacation, and ads for similar vacations
follow you around the Internet for weeks.  Companies like Google and
Facebook make an enormous profit connecting the things you write about and
are interested in with companies trying to sell you things.

Cross-device tracking is the latest obsession for Internet marketers.  You
probably use multiple Internet devices: your computer, your smartphone, your
tablet, maybe your Internet-enabled television—and, increasingly,
"Internet of Things" devices like smart thermostats and appliances. All of
these devices are spying on you, but the different spies are largely unaware
of each other. Start-up companies like SilverPush, 4Info, Drawbridge,
Flurry, and Cross Screen Consultants, as well as the big players like
Google, Facebook, and Yahoo, are all experimenting with different
technologies to "fix" this problem.

Retailers want this information very much. They want to know whether their
television advertising causes people to search for their products on the
Internet. They want to correlate people's web searching on their smartphones
with their buying behavior on their computers. They want to track people's
locations using the surveillance capabilities of their smartphones, and use
that information to send geographically targeted ads to their
computers. They want the surveillance data from smart appliances correlated
with everything else.

This is where the Internet of Things makes the problem worse. As computers
get embedded into more of the objects we live with and use, and permeate
more aspects of our lives, more companies want to use them to spy on us
without our knowledge or consent.

Technically, of course, we did consent. The license agreement we didn't read
but legally agreed to when we unthinkingly clicked "I agree" on a screen, or
opened a package we purchased, gives all of those companies the legal right
to conduct all of this surveillance. And the way US privacy law is currently
written, they own all of that data and don't need to allow us to see it.

We accept all of this Internet surveillance because we don't really think
about it. If there were a dozen people from Internet marketing companies
with pens and clipboards peering over our shoulders as we sent our Gmails
and browsed the Internet, most of us would object immediately. If the
companies that made our smartphone apps actually followed us around all day,
or if the companies that collected our license plate data could be seen as
we drove, we would demand they stop.  And if our televisions, computer, and
mobile devices talked about us and coordinated their behavior in a way we
could hear, we would be creeped out.

The Federal Trade Commission is looking at cross-device tracking
technologies, with an eye to regulating them. But if recent history is a
guide, any regulations will be minor and largely ineffective at addressing
the larger problem.

We need to do better. We need to have a conversation about the privacy
implications of cross-device tracking, but—more importantly—we need to
think about the ethics of our surveillance economy. Do we want companies
knowing the intimate details of our lives, and being able to store that data
forever? Do we truly believe that we have no rights to see the data that's
collected about us, to correct data that's wrong, or to have data deleted
that's personal or embarrassing? At a minimum, we need limits on the
behavioral data that can legally be collected about us and how long it can
be stored, a right to download data collected about us, and a ban on
third-party ad tracking. The last one is vital: it's the companies that spy
on us from website to website, or from device to device, that are doing the
most damage to our privacy.

The Internet surveillance economy is less than 20 years old, and emerged
because there was no regulation limiting any of this behavior. It's now a
powerful industry, and it's expanding past computers and smartphones into
every aspect of our lives. It's long past time we set limits on what these
computers, and the companies that control them, can say about us and do to
us behind our backs.

This essay previously appeared on Vice Motherboard.


Surveillance is the business model of the Internet:

Cross-device tracking:

Smartphone apps that follow us around:

License plate data collection:

Ethics of our surveillance economy:

Automakers increasing efforts to enhance safety and defend against cyberattacks

Gabe Goldberg <>
Tue, 19 Jan 2016 18:39:52 -0500
The U.S. Transportation Department and 17 automakers have reached agreement
on efforts to enhance safety, including sharing information to thwart
cyber-attacks on their increasingly wired vehicles, according to Bloomberg.
"Automakers including General Motors Co., Ford Motor Co. and Toyota Motor
Corp. also agreed to reform the way they report fatalities, injuries and
warranty claims to the government," Jeff Plugis writes.  "The companies
agreed to keep meeting regularly to exchange information and identify
emerging safety issues."

Affinity sues Trustwave (security news media)

Alister Wm Macintyre <>
Tue, 19 Jan 2016 16:58:42 -0600
Trustwave disputes some of the following story, from Affinity.

Different news media have different dates for some events.  We may need to
use data from the law suit to clarify.

Here is the law suit:

Casino company Affinity Gaming learned about an Oct 2013 data breach and
card malware outbreak from customers and local law enforcement.  Affinity,
HQ in Las Vegas NV, operates 11 casinos in 4 US states, also runs hotels and

Affinity immediately informed card issuers, and their Cyber Security
Insurance company = ACE.  Card companies had to re-issue cards for the
approx 300,000 customers impacted.  ACE told Affinity that they should hire
a digital forensic investigation firm, of which Trustwave (based in Chicago
IL) was one ACE recommended.  [Truncated for RISKS.  Lots more... PGN]

Why no secure architectures in commodity systems?

Nick Sizemore <>
Thu, 14 Jan 2016 21:46:02 -0700
This message is addressed to the RISKS group as a whole, though the primary
target is the group of security researchers who often post here.  I read
only the digests—and those, grouped together, at intervals, when I want
to catch up on recent events and developments.  Folks with substantive
responses are encouraged to email me personally, as well as the newgroup.

Just yesterday I received my letter from OPM regarding the records
compromise, and directing me to their website to avail myself of the
identity protection services they're offering under contract through "ID
Experts".  This prompted me to pose a question that has vexed me for some

In the late seventies researchers working on or associated with Multics came
to the conclusion that truly secure computing was possible only with direct
hardware support.  In the following decade, I saw at least two proposed
commercial ventures to build SW/HW architectures with at least the
beginnings of such hardware support.  Oddly enough, neither venture found
sufficient interest.  Of course, at the time such added hardware would have
been prohibitively expensive for all but the largest organizations with
extremely sensitive information.  Still, it seemed to me that at least some
government agencies and defense contractors would have been eager customers.

Of course, with today's miniaturization, boutique silicon architecture
shops, and foundries, implementing basic features, or even a full secure
kernel, would be straightforward, though establishing user-friendly
configuration mechanisms, or suitable default configurations for different
markets, would still be somewhat of a challenge.  Equally obviously, the
formal design, proof, and testing would be expensive.  Presumably some
consortium of government and corporate organizations could fund the initial
work on the premise that as volume rose on marketing these relatively secure
systems at commodity scale, the revenues and security benefits would reward
their efforts handsomely

It's possible that at some point researchers determined that security
through software alone was at least possible, if, perhaps, really difficult,
but I never encountered reports of such a discovery.  If this has happened,
I would appreciate one or more pointers to the relevant literature.  If not,
perhaps some among you who have had greater insight into related design and
marketing decisions could share what rationale has prevented relatively
secure architectures from appearing in commodity systems.

It's my perception that such HW/SW architectures, reasonably configured and
deployed, would increase the difficulty - in resource costs - of what, for
want of a better phrase, I will call 'routine hacking' by at least an order
of magnitude.  For systems configured for intensive use of security hardware
features, or a security kernel, the increase might be two or three orders of
magnitude.  Of course, we'd still need much more attention to security-aware
software engineering for systems handling life-critical and mission-critical
systems, but there's already some awareness of that, and it seems to be
increasing, albeit with agonizing slowness.

Nonetheless, unless someone has shown that security is achievable on
commodity architectures in software alone, it seems extremely wasteful to
push more security-aware software engineering, anti-malware software, and
security appliances out into an architectural environment that is severely
handicapped at its lowest levels.

Perceptual corrections welcome.

Nicky L. Sizemore (retired), bolshev (at) theriver (dot) com
Agent, 2nd Class, The Turing Authority ;)

Overhaul Puts Pentagon in Charge of Protecting Federal Security Clearance Data (Damian Paletta)

*Richard Forno* <>
Friday, January 22, 2016

The White House Friday announced an overhaul of the government's security
clearance system, creating a new division to handle screenings and directing
the Pentagon to protect the data.

The creation of the National Background Investigations Bureau—and its
close partnership with the Department of Defense—is the latest change to
come after the sweeping cyber attack that hit the Office of Personnel
Management last year. In that breach, which U.S. officials have said likely
emanated from Chinese hackers, more than 20 million background check records
and millions of fingerprint reports were stolen.

Many lawmakers were astonished after the breach to find that none of the
background check records were encrypted, making it much easier for thieves
to potentially use the information.

The NBIB will be a division of OPM, but the responsibility for protecting
the information will shift to the Pentagon. The NBIB will incorporate an
existing agency—the Federal Investigative Service—which already
conducts background checks for more than 100 federal agencies.

The NBIB's chief will be appointed by the president and [is] expected to
have a higher profile than its predecessor.

Richard Hale, the Pentagon's deputy chief information officer for cyber
security, said Friday that “we will use encryption everywhere [*} that [is]
appropriate'' and will look closely at what information should remain online
and what records will be essentially disconnected from this network.

“We intend to apply the best practices that we've been able to apply at the
Pentagon, said Marcel Lettre, the Defense Department's under secretary for

The U.S. government conducts more than 600,000 security clearance checks
each year for a wide range of agencies, including posts within the military
and law enforcement.

 [* Encryption everywhere, with backdoors so that it can easily be exploited
    by everyone else?  By the way, if you received a letter from OPM
    offering free security/privacy services as compensation for your having
    been included in the purloined data, you might find that if you
    subscribe to the offered services, you will be asked many of the
    questions the answers to which were already in the compromised OPM data
    source!  PGN]

French seem to have rejected crypto/security backdoors

"Peter G. Neumann" <>
Mon, 18 Jan 2016 8:54:54 PST

  [Thanks to Steven M. Bellovin.  PGN]

Royal Melbourne Hospital virus attack

"Peter G. Neumann" <>
Mon, 18 Jan 2016 21:58:45 PST
“Patient safety has always been our highest priority and has been maintained
...  Elective surgeries and outpatient appointments are continuing as

Virus hits TRMC computers

"Peter G. Neumann" <>
Sat, 23 Jan 2016 10:08:24 PST
  [Thanks to Richard I Cook MD]

As More Pay by Smartphone, Banks Scramble to Keep Up (NYTimes)

Monty Solomon <>
Sat, 23 Jan 2016 11:51:59 -0500

A millennial-led shift to digital financial services could upend the
consumer banking industry.

Rarely Patched Software Bugs in Home Routers Cripple Security (WSJ)

Lauren Weinstein <>
Tue, 19 Jan 2016 13:15:38 -0800
WSJ via NNSquad

  The reason: A component maker had included the 2002 version of Allegro's
  software with its chipset and hadn't updated it.  Router makers used those
  chips in more than 10 million devices.  The router makers said they didn't
  know a later version of Allegro's software fixed the bug.  The router flaw
  highlights an enduring problem in computer security: Fixing bugs once they
  have been released into the world is sometimes difficult and often
  overlooked. The flaw's creator must develop a fix, or "patch."  Then it
  often must alert millions of technically unsophisticated users, who have
  to install the patch.  The chain can break at many points: Patches aren't
  distributed. Users aren't alerted or neglect to apply the patch.  Hackers
  exploit any weak link.

Android bug

Martin Schaef <>
Wed, 20 Jan 2016 19:27:30 +0000
Nice bug in linux/android:

The question is, how would you detect something like this?

"Windows 10 Spying is worse than I ever imagined"

Gene Wirchenko <>
Mon, 18 Jan 2016 09:16:38 -0800

Instagram negatively impacting survival of big cats in the wild (Kaleigh Rogers)

Jim Reisert AD1C <>
Tue, 19 Jan 2016 11:31:16 -0700
Kaleigh Rogers, Cheetahs are Hard, Motherboard, 11 Jan 2016

Adam Roberts, the CEO of Born Free USA, posits that the biggest threat right
now is the capture of wild cheetahs as exotic pets.  From the article:

Around the world, but in particular the Middle East, pet cheetahs have
become a status symbol and getting your hands on exotic pets in some areas
is “as easy as acquiring a cupcake.''  With Instagram making it convenient
to flaunt cheetahs-as-accessories, the market for big cats is growing.

Facebook vs Indian Internet regulators

Prashanth Mundkur <>
Thu, 21 Jan 2016 10:36:17 -0800
Facebook is facing an unusually stiff resistance from Indian
regulators in offering its Free Basics service.

 India's Internet regulator just called Facebook's Free Basics campaign
 'crude' and 'dangerous'; Rohan Venkataramakrishnan,, 19 Jan 2016

Anuj Srivas,  Net Neutrality Standoff Escalates As TRAI Hauls Facebook Over
the Coals in New Letter, The Wire, 19 Jan 2016

Although reports in the US press (e.g., below) implied the battle was over,
it continues.

Vindu Goel, Indian Regulators Suspend Facebook's Free Basic Services,
*The New York Times*,  23 Dec 2015,

Pakistan lifts ban on Youtube after launch of own version

Lauren Weinstein <>
Mon, 18 Jan 2016 18:56:03 -0800
[subject to government censorship] (via NNSquad)

  "On the recommendation of PTA, Government of Pakistan has allowed access
  to recently launched country version of YouTube for Internet users in
  Pakistan," the ministry said.  "Google has provided an online web process
  through which requests for blocking access of the offending material can
  be made by PTA to Google directly and Google/YouTube will accordingly
  restrict access to the said offending material for users within Pakistan."
  Blasphemy is a highly sensitive subject in Pakistan, where angry mobs have
  killed many people accused of insulting Islam. The crime of blasphemy can
  carry the death penalty, although a death sentence has never been carried
  out.  Pakistan has blocked thousands of web pages it deems undesirable in
  the last few years as Internet access spreads, but activists say the
  government sometimes blocks sites to muzzle liberal or critical voices.

Government-censorship-enabled YouTube. Not the first time, but an extremely
notable case and potentially the current example with the broadest
implications for creating a slippery slope of ever expanding government
censorship demands made of Google by governments around the planet. Google
must obey national laws where they choose to operate—but voluntary
participation in such politically-oriented censorship regimes as the price
of doing business in such countries—even with the benefits to users there
that limited access to YouTube or other Google services can bring—still
remains highly problematic to say the least.

Lauren's Blog: "Understandable but Very Wrong: Google Enables Government YouTube Censorship in Pakistan"

Lauren Weinstein <>
Tue, 19 Jan 2016 10:02:37 -0800
             Understandable but Very Wrong: Google Enables
               Government YouTube Censorship in Pakistan

Literally within hours of the horrifying and sickening news of a 15-year-old
boy in Pakistan who cut off his own right hand after he was the target of
hysterical false accusations of blasphemy, comes word that Google—in a
successful bid to get a three year YouTube ban in Pakistan lifted—will be
permitting government officials in that country—apparently all the way
down to the local level—essentially unfettered rights to censor and block
individual YouTube videos from view in Pakistan.

This is an enormously troubling development for free speech advocates around
the world, particularly because it's impossible to overlook the relationship
between the boy's actions and the upcoming Pakistan/YouTube censorship
system.  [...]

The powers being ceded to the government there to censor Google at the
individual YouTube video level—arguably even worse than the EU's awful
"Right To Be Forgotten" (RTBF) scheme—continues our acceleration down the
slippery slope of permitting governments to demand rights to micromanage
information for their own political benefit and the personal enrichment
(politically and in some cases financially) of their leaders and other

I like to think of myself as a "responsible" free speech advocate. That is,
I strongly assert the importance of free speech, but acknowledge that
sometimes, in carefully delineated circumstances that must be minimized as
completely as possible, some restrictions are necessary.

So, for example, I generally strongly support Google/YouTube's global Terms
of Service that prohibit videos that are directly violent—such as videos
that show physical abuse of people or other animals.

And I have nothing but respect for the Google policy and legal teams that
must deal with these complex multinational situations. Similarly, the work
done by Google engineers on politically neutral abuse detection systems and
that of the human teams that help apply YouTube anti-abuse rules are also
all exemplary.

I've explicitly noted the exceptional circumstances of videos that incite
terrorism, e.g., recently in my discussion of "A Proposal for Dealing with
Terrorist Videos on the Internet" ( ).

But in Pakistan the concepts of (for example) blasphemy and government
control are intertwined—accusations of the former are frequently used for
purposes of the latter—and any discussions that the government there
feels are blasphemous (by their own broad and self-serving definitions) --
or speaking out against the government in any manner—are key targets for
abusive censorship.

With Google now explicitly buying into this censorship regime as the
price of removing an overall Pakistan block on YouTube—and note that
the Pakistani government apparently will be setting the standards under
which YT videos will be judged in violation—the situation in my view
becomes much worse for the population there than would be the case
without access to YT at all (yes, we know that some relatively small
number of people have always gotten through with VPNs and proxies, but
that's largely irrelevant to the overall population).

The Pakistan version of Google-enabled national censorship isn't as
straightforward as say, a relatively "simple" ban against Nazi
memorabilia-related materials in France. In Pakistan, Google has become
much more of a direct partner in the government's very broad,
politically-motivated and personally suppressing censorship actions.

The kind of YT censorship that will be enabled in Pakistan is much more
akin to how China censors its population—where what will or will not
be allowed to be seen in any media is carefully chosen and restricted to
promote the government line and muzzle dissenting points of view.

I absolutely understand the pragmatic realities of having to obey laws
in those countries in which Google chooses—voluntarily—to operate,
but I find the newly announced and apparently Google-endorsed government
controls over YouTube content in Pakistan to be extremely disturbing,
and a horrific precedent for other countries going forward.

74% of leading US 2016 Presidential Candidates flunk privacy & data security (Trust Alliance)

"Alister Wm Macintyre" <>
Mon, 18 Jan 2016 18:45:41 -0600
On Line Trust Alliance ranked top US 2016 Presidential Candidates on privacy
and data privacy practices.  74% flunked. 26% got excellent grades.  There
was no middle ground.  Since these scores, some have dropped out of the
race, failed to keep their good scores.

4 Candidates had no privacy policy.  Several were silent on data sharing.
Several reserved the right to share or sell data.

44% of the candidates used secret domain ownership, making it impossible for
ordinary consumers to distinguish them from criminal look-alikes.

Only 26%, of US presidential candidates making the honor roll, is not the
worst.  In past audits, it was 20% for IoT and 8% for News.

Overall failing grades by sector:

80% News
76% IoT
74% 2016 US Pres
54% US Fed
41% IR 100
38% Social

The US Presidential candidates audit:

  [long message truncated for RISKS.  PGN]

Linux bug imperils tens of millions of PCs, servers, Android phones

Lauren Weinstein <>
Tue, 19 Jan 2016 13:20:30 -0800
Ars Technica via NNSquad

  For almost three years, millions of servers and smaller devices running
  Linux have been vulnerable to attacks that allow an unprivileged app or
  user to gain nearly unfettered root access.  Major Linux distributors are
  expected to fix the privilege escalation bug this week, but the difficulty
  of releasing updates for Android handsets and embedded devices means many
  people may remain susceptible for months or years.  The flaw, which was
  introduced into the Linux kernel in version 3.8 released in early 2013,
  resides in the OS keyring. The facility allows apps to store encryption
  keys, authentication tokens, and other sensitive security data inside the
  kernel while remaining in a form that can't be accessed by other apps.
  According to a blog post published Tuesday, researchers from security firm
  Perception Point discovered and privately reported the bug to Linux kernel
  maintainers. To demonstrate the risk the bug posed, the researchers also
  developed a proof-of-concept exploit that replaces a keyring object stored
  in memory with code that's executed by the kernel.

ColoSpgs NCIC national hub for cybersecurity

Warren Pearce <>
Sun, 17 Jan 2016 16:27:55 -0700
The opening of a National Cyber Intelligence Center in Colorado Springs is
expected to accelerate efforts to make the city a national hub for
cybersecurity that will help the thriving local industry grow more quickly,
officials say.

Source: *Colorado Springs Gazette*, 17 Jan 2016

W. Warren Pearce,, Colorado Springs, Col. 1-719-548-1748

Why do people keep coming to this couple's home looking for lost phones (Kashmir Hill)

Jim Reisert AD1C <>
Thu, 21 Jan 2016 13:32:28 -0700
January 21, 2016 5:00 a.m.

"It started the first month that Christina Lee and Michael Saba started
living together. An angry family came knocking at their door demanding the
return of a stolen phone. Two months later, a group of friends came with the
same request. One month, it happened four times.  The visitors, who show up
in the morning, afternoon, and in the middle of the night, sometimes
accompanied by police officers, always say the same thing: their
phone-tracking apps are telling them that their smartphones are in this
house in a suburb of Atlanta."

"The most frustrating thing for Saba and Lee is that there's no definite
answer for why it's happening, no government agency willing to take
ownership over the issue, and so no way to get it to stop.  Since
Lee's parents own the house, moving isn't an option, said Saba."

Time Inc. Is in the Midst of a Replyallpocalypse

Monty Solomon <>
Fri, 22 Jan 2016 09:14:53 -0500
There is almost never a good reason to hit *reply all*. Especially not when
*all* includes a listserv that goes out to thousands of employees at Time
Inc., the country's largest magazine publisher.

Risks of impostors

Dave Kristol <>
Mon, 18 Jan 2016 16:41:39 -0500
I was co-editor of two RFCs regarding HTTP Cookies, RFC 2109 and RFC 2965.
I also wrote a paper about the evolution of the cookie RFCs [1].

I don't usually go ego surfing, but I was drawn to the Wikipedia article on
HTTP Cookies [2] by a remark and reference in an IETF mailing list email.  I
proceeded to read the article's History section and learned to my surprise
that "... the group, headed by Kristol himself and Aron Afatsuom, soon
decided to use the Netscape specification...".  I have never heard of Aron
Afatsuom (Lou Montulli was my collaborator), but his name has proliferated
around the web as people have more or less copied the (erroneous) text from
the Wikipedia article.  I have an edit pending to correct the error on
Wikipedia, at least.

The most obvious risk is that people believe what they read on the Internet.
Another is that this person might use the search results for personal

I'd love to know when, how, and why that name got into the Wikipedia

[1] <>
[2] <>

  [Aron Afatsuom = Nora Moustafa reversed?  PGN]

The resolution of the Bitcoin experiment

Lauren Weinstein <>
Thu, 14 Jan 2016 14:25:08 -0800
via NNSquad

  Mike Hearn writes:

  "I've spent more than 5 years being a Bitcoin developer.  The software
  I've written has been used by millions of users, hundreds of developers,
  and the talks I've given have led directly to the creation of several
  startups. I've talked about Bitcoin on Sky TV and BBC News. I have been
  repeatedly cited by the Economist as a Bitcoin expert and prominent
  developer. I have explained Bitcoin to the SEC, to bankers and to ordinary
  people I met at cafes.  From the start, I've always said the same thing:
  Bitcoin is an experiment and like all experiments, it can fail. So don't
  invest what you can't afford to lose. I've said this in interviews, on
  stage at conferences, and over email. So have other well known developers
  like Gavin Andresen and Jeff Garzik.  But despite knowing that Bitcoin
  could fail all along, the now inescapable conclusion that it has failed
  still saddens me greatly. The fundamentals are broken and whatever happens
  to the price in the short term, the long term trend should probably be
  downwards. I will no longer be taking part in Bitcoin development and have
  sold all my coins."

Pound vs. Dollar vs. ASCII (Re: Baker, 29.21)

Dan Jacobson <>
Fri, 22 Jan 2016 22:37:29 +0800
We read: London's City Airport also recently won \243800,000 of funding
$ unicode pound
UTF-8: c2 a3 UTF-16BE: 00a3 Decimal: &#163; Octal: \0243
$ unicode dollar
UTF-8: 24 UTF-16BE: 0024 Decimal: &#36; Octal: \044

So a pound is worth 243/44 times as much as a dollar. Actually more, as
a dollar is ASCII and thus safe from getting mangled...

Re: Ballot Battles: The History of Disputed Elections in the U.S.

"Mark E. Smith" <>
Thu, 14 Jan 2016 18:18:02 -0800
Luthor Weeks wrote: "There is no easy solution. It would likely require a
Constitutional Amendment."

After several years as an election integrity researcher and activist, I came
to a similar but more far reaching conclusion. I think election integrity in
the US would require not just a Constitutional Amendment, but an entirely
new Constitution, one that vested supreme power over government in the hands
of the people rather than in the hands of an unelected supreme court or any
other government officials, branches, or agencies.

Such a Constitution would require that all votes be counted, that the
electoral process be transparent and verifiable, and that disputes be
resolved only by recourse to the voters themselves--since they alone would
have the supreme power to resolve such disputes. It would also establish
that all elected officials could quickly and directly be held accountable by
the voters who elected them if said officials failed to represent their
constituents, and that all ultimate policy decisions be put to a public vote
rather than being decided by elected officials without regard to the wishes
of the people who elected them.

Coincidentally, the vesting of supreme power over government in the hands of
the people happens to be a primary dictionary definition of a democratic
form of government.

In other words, the problem is not what author Edward B. Foley called, "...a
failure of American government to operate as a well-functioning democracy,"
but the failure of the Constitution to have established a democratic form of
government in the first place.

In a democratic form of government, voters do not delegate their power to
those they elect, in the form of a blank check or a full power of attorney,
but merely delegate to elected officials the duties of carrying out the
wishes of the people.

As long as we do not have a democratic form of government, our elections are
not likely to be democratic in nature either.

Re: Michigan IT security audit (AlMac, RISKS-29.21)

Dimitri Maziuk <>
Fri, 15 Jan 2016 13:47:29 -0600
> The State of Michigan had an IT audit, with poor results.

Whether cybersecurity is real or a bubble about to burst, it has at least a
few bubbly features: it's where the jobs are so it's where "teach yourself
IT security in 14 days" professionals get employed. It's also where
investors invest—and expect an ROI back.

I've seen a couple of audits and met an auditor or two. Comments based on
that very limited experience:

> Critical state operations are on 30 unsupported (obsolete) versions of

I'm having a hard time naming 30 versions of UNIX.

A typical security audit reports a version of a software as "obsolete bright
red security hole" because the assessment is: check reported version string
against a list of—typically "known good"—version strings. It does not
take into account for example vendor's patches.

> 90 % of the servers are not kept current with patches. If they get hacked,
> they don't have the controls to detect that.  (very unhealthy)

If they're all obsolete and unsupported, how come 10% of them are still
receiving patches?

In real life turnkey systems don't get patched because it'll void your
warranty. Ditto for installing "un-vetted" software like said controls.  So
you defend them at the perimeter instead—far from ideal, but that the
best you can do. I've never seen an audit take that into account.

> 84% of the servers had not had passwords changed in a timely fashion, with
> one had not been changed in nine years. (I have seen worse.)

There's been plenty said in this forum and elsewhere about how forced
password changes make passwords worse. Sadly, useless metrics are a very
common feature of IT security audits.

> 47% of the tested servers had had no vulnerability scans in over a month.

Well, if you have a system that hasn't been updated in 10 years, the only
new vulnerabilities are if the hackers got in installed backdoors.  In that
scenario periodic vulnerability scans are only useful as part of an
intrusion detection system.

Out of context that metric is of questionable value. In other words,

> $2.9 million had been spent on a security tool, not installed on all
> servers, for which this tool was paid for.

I'm having difficulties with that idea. I mean, if there is a security tool
capable of running on 30 different obsolete versions of unix, $2.9M would be
a fair price tag. I strongly suspect that in reality the tool was for "80%
untested Windows servers" and had nothing to do with the rest of the bullet

Re: USC students required to detail sexual history before registering for classes (Anthony Gockowski)

"John Levine" <>
15 Jan 2016 02:28:02 -0000
I wonder how many students answer truthfully.  From what I can see of the
sample screens, you'll get through the online course a lot faster if you
answer all the questions zero, never, and none.

Privacy, Safety, Security & Healthcare --> Seeking Your Scholarship

"Robert Mathews (OSIA)" <>
Sun, 17 Jan 2016 14:22:57 -0500
Springer [Berlin-Heidelberg] takes great pleasure in announcing that its
peer-reviewed Health & Technology Journalintends to publish a Special Issue
on a subject of vital significance; the topic of Privacy, especially as it
pertains to Healthcare.  This issue will be published during the latter half
of 2016.  The Journal Special Issue aims to produce a volume that will be
prodigious in its scope of inquiry, and contents; beginning with one's
understanding of, and a clarity into the subject of Privacy, and a
noticeable command of its many working components.

Please accept a Letter of Invitation.
Dr. Robert Mathews, D.Phil., Office of Scientific Inquiry & Applications
University of Hawai'i, 1 703 655 7124

Please report problems with the web pages to the maintainer