The RISKS Digest
Volume 29 Issue 36

Friday, 18th March 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

China bans wordplay in attempt at pun control
Tania Branigan
Pentagon skips tests on key component of U.S.-based missile defense system
David Willman
Microsoft servers to bottom of ocean
I-HLS
U.S. war on Tor encryption
I-HLS
Brazen Heist of Millions Puts Focus on the Philippines
NYTimes
Denver Police Caught Misusing Databases Got Light Punishments
NYTimes
Where Computers Defeat Humans, and Where They Can't
NYTimes
How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest
The Register
Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist
NYTimes
This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA
Ars Technica
CRYPTO-GRAM, March 15, 2016
Bruce Schneier
Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million
NYTimes
Re: Hackers steal $81M from Bangladesh
John Levine
Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank ...
Bob Frankston
Info on RISKS (comp.risks)

China bans wordplay in attempt at pun control

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 16 Mar 2016 18:51:59 PDT
Chinese is a language that to Westerners seems rife with puns, with many
words pronounced similarly (if you ignore the four tones) that have quite
different meanings and completely different ideograms.  Many native Chinese
may not regard those different words, phonetically confusing to foreigners,
as puns at all—they are just different words.
However, intentionally contrived puns in spoken Chinese languages that
introduce clever ambiguities and humor apparently have been deemed
threatening to Chinese culture.  (Incidentally, quite intentional puns are
rampant throughout many Shakespeare plays.)  PGN

  Tania Branigan, *The Guardian*, 28 Nov 2014 [old item, but still timely]
  Officials say casual alteration of idioms risks nothing less than
  `cultural and linguistic chaos', despite their common usage.

  From online discussions to adverts, Chinese culture is full of puns.  But
  the country's print and broadcast watchdog has ruled that there is nothing
  funny about them.  It has banned wordplay on the grounds that it breaches
  the law on standard spoken and written Chinese, makes promoting cultural
  heritage harder, and may mislead the public—especially children.  The
  casual alteration of idioms risks nothing less than `cultural and
  linguistic chaos', it warns.

  Chinese is perfectly suited to puns because it has so many homophones.
  Popular sayings and even customs, as well as jokes, rely on wordplay.

  But the order from the State Administration for Press, Publication, Radio,
  Film and Television says: “Radio and television authorities at all levels
  must tighten up their regulations and crack down on the irregular and
  inaccurate use of the Chinese language, especially the misuse of idioms.''
  ...

http://www.theguardian.com/world/2014/nov/28/china-media-watchdog-bans-wordplay-puns?CMP=share_btn_fb

  [Thanks to Laura S. Tinnel for pun-ting this one to me.  PGN]


Pentagon skips tests on key component of U.S.-based missile defense system (David Willman)

Henry Baker <hbaker1@pipeline.com>
Thu, 17 Mar 2016 12:21:09 -0700
  * From the government's perspective: If we don't test it, then we don't
  know that it won't work, so we don't have to include the cost of fixing it
  in our current budget.  That way, the cost overruns won't have to be
  offset from other spending.

  * From the contractor's perspective: If they don't know it won't work,
  then we get paid.  And when they find out later it won't work, we get paid
  again to fix it.

    [BTW, does anyone else recall that none of the U.S. submarine torpedoes
    in WWII worked until quite late into the war?  I don't believe that it
    was acknowledged at the time—due to secrecy—and then after the war
    no one cared because we won.  HB]

David Willman, *LA Times*, 17 Mar 2016
Pentagon skips tests on key component of U.S.-based missile defense system
http://www.latimes.com/nation/la-na-missile-defense-hot-fire-testing-20160317-story.html

Against the advice of its own panel of outside experts, the U.S. Missile
Defense Agency is forgoing tests meant to ensure that a critical component
of the nation's homeland missile defense system will work as intended.

The tests that are being skipped would evaluate the reliability of small
motors designed to help keep rocket interceptors on course as they fly
toward incoming warheads.

The components, called alternate divert thrusters, are vital to the
high-precision guidance required to intercept and destroy an enemy warhead
traveling at supersonic speed—a feat likened to hitting one speeding
bullet with another.

The interceptors, deployed in underground silos at Vandenberg Air Force Base
in Santa Barbara County and at Ft. Greely, Alaska, are the backbone of the
Ground-based Midcourse Defense system (GMD)—the nation's main defense
against a sneak attack by North Korea or Iran.

The interceptors are multi-stage rockets, each with a 5-foot-long *kill
vehicle* at its tip.  The 150-pound kill vehicle is designed to separate
from its rocket in space, fly independently at 4 miles per second and crash
into an enemy warhead, destroying it.

The performance of the divert thrusters, which are supposed to keep the kill
vehicles on course during their final approach to their targets, has been a
source of concern for several years.  In response, the Missile Defense
Agency oversaw development of a new and supposedly better version, the
alternate divert thruster.

An outside panel of experts privately advised the agency to put the
alternate divert thrusters through *hot fire* testing, in which they would
be revved up on the ground to see whether they burned smoothly and delivered
adequate propulsion.

But in order to stay on schedule for a planned expansion of the GMD system,
none of the 40 thrusters that are being installed on 10 new interceptors
will undergo hot-fire testing, government officials told the Los Angeles
Times.

Forgoing the tests “increases the risk for reliability issues going
undetected,'' according to a newly released report by the U.S. Government
Accountability Office.  The report says that such testing “verifies proper
performance and workmanship.'' [...]

http://www.gao.gov/assets/680/675263.pdf


Microsoft servers to bottom of ocean (I-HLS)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 18 Mar 2016 12:53:40 -0500
Microsoft has found that the bottom of the ocean is a good place for
servers, because water at the bottom of an ocean usually stays at a stable
relatively cold temperature, eliminating need for much of the vigorous
cooling traditional data centers require.

What could go wrong with server farms on the bottom of the ocean?  Read
science fiction if the answers are not obvious.

In the novel *Missing Man*, a cyber attack takes out an under-water city by
tampering with the air-conditioning controls.

https://sciencefictionruminations.wordpress.com/2011/10/08/book-review-missing-man-katherine-maclean-1976/

Sea-floor datacenters had better have good off-site (on land) backup, in
case of a leak taking them out of commission, and good insurance if human
technicians are to be sent down there to maintain the hardware (how severe
is the risk of the bends, and are there sharks down there?).  How difficult
would it be for a drone submarine to hack their contents?  (We know drug
smugglers use narco-subs to transport drugs from the shores of Colombia to
the inland rivers of North America.)

http://i-hls.com/2016/02/68173/

The team behind the project is also looking to wave power generating
equipment to harvest the hydrokinetic energy of the sea, further reducing
operating costs.  That is another area of risk.  If we muck with ocean
currents, that could undermine their path, and if Europe loses the warmth of
the Gulf Stream, that is tantamount to an act of weather war.

https://en.wikipedia.org/wiki/Gulf_Stream

  [Don't forget that certain sea creatures might be attracted to the
  differential warmth, just as squirrels have knocked out SRI's power on
  multiple occasions—more recently at the junction between our
  co-generation plant and PG&E.  PGN]


U.S. war on Tor encryption (I-HLS)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 18 Mar 2016 12:18:06 -0500
A federal judge confirmed that the Software Engineering Institute (SEI
<http://www.sei.cmu.edu/> ) of Carnegie Mellon University (CMU) was
commissioned by the US government to break ultra-secure Tor network
encryption, according to court documents.
<https://assets.documentcloud.org/documents/2719591/Farrell-Weds.pdf> PDF
Prior to this confirmation, the FBI was able to deny or cover up some of the
facts, and people, who believed the FBI, drew erroneous conclusions about
what was going on.  There were also some suspicions when these researchers
canceled a presentation on this topic.  That sometimes happens when there
is a court order to shut up.

This project may have destroyed the CERT <http://www.cert.org/> Coordination
Center's (CERT/CC) reputation, both as an honest broker in protecting
cyber-security and as an institution with the integrity of academic standards
that human beings' privacy and civil rights should never be violated by
research or other means without informed consent, a National Security Letter
(NSL), or proper court approval.  If it was an NSL, recipients may go through
their lawyer to protest it, and SEI-CMU administrators should have realized
the potential damage to their reputations by accepting this mission.  The US
has spent $1.73 billion on this?  DoD organized the project, while the FBI
got the advantage from it, leading some people to speculate that the FBI had
conducted this hacking operation.  Perhaps SEI-CMU has decided to exit the
CERT/CC service and go into different fields of specialty.

US defendants have a right to face their accusers, which includes how the
evidence was obtained, so when the government's evidence was obtained by new
technologies they want to keep secret, they have a choice:

* Use only evidence obtained by means they do not want to keep secret;
* Use the formerly secret evidence gathering, knowing that the trial will
  reveal it;
* Do not prosecute those people;
* Seek secret trial.

As statements come out in court as to how the IP addresses of the defendants
were uncovered, Tor thinks a vulnerability has been identified, that they
can patch, to prevent that from ever happening again.

http://i-hls.com/2016/03/carnegie-mellon-tor-attack-confirmed/
http://thehackernews.com/2016/02/tor-hack.html
https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html
https://www.deepdotweb.com/2016/02/28/court-documents-confirm-cmu-paid-by-government-in-tor-attacks/
http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security-researchers/
https://blog.torproject.org/blog/statement-tor-project-re-courts-february-23-order-us-v-farrell
https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation


Brazen Heist of Millions Puts Focus on the Philippines

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 03:18:34 -0400
The country's lightly regulated casinos and tough bank secrecy laws had
prompted warnings from the United States and money-laundering experts before
the theft.

http://www.nytimes.com/2016/03/17/business/dealbook/brazen-heist-of-millions-puts-focus-on-the-philippines.html


Denver Police Caught Misusing Databases Got Light Punishments

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 09:22:01 -0400
The mining of criminal justice databases for personal use has raised
questions on privacy abuse in cases across the country.

http://www.nytimes.com/2016/03/18/us/denver-police-criminal-databases-personal-use.html


Where Computers Defeat Humans, and Where They Can't

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 09:26:51 -0400
http://www.nytimes.com/2016/03/16/opinion/where-computers-defeat-humans-and-where-they-cant.html

Why it matters that Google's program defeated the world's best [human] Go
player.


How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest

Lauren Weinstein <lauren@vortex.com>
Fri, 18 Mar 2016 11:53:58 -0700
  Windows users who decline to use it find it is repeatedly reintroduced.
  The language of the counter-malware industry is more appropriate than the
  language of enterprise IT for GWX.  GWX subverts a channel intended for
  one purpose (security hotfixes) for another (advertising); it changes its
  *attack vectors*, it uses *polymorphic* techniques; and it consistently
  overrides users' actions and permissions.

http://www.theregister.co.uk/2016/03/17/microsoft_windows_10_upgrade_gwx_vs_humanity/


Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Mar 2016 14:12:41 -0700
  If the F.B.I. wins its court fight to force Apple's help in unlocking an
  iPhone, the agency may run into yet another roadblock: Apple's engineers.
  Apple employees are already discussing what they will do if ordered to
  help law enforcement authorities. Some say they may balk at the work,
  while others may even quit their high-paying jobs rather than undermine
  the security of the software they have already created, according to more
  than a half-dozen current and former Apple employees.  Among those
  interviewed were Apple engineers who are involved in the development of
  mobile products and security, as well as former security engineers and
  executives.

http://www.nytimes.com/2016/03/18/technology/apple-encryption-engineers-if-ordered-to-unlock-iphone-might-resist.html?partner=rss&emc=rss

  [Monty Solomon noted:
    The potential resistance adds a wrinkle to a very public fight over access
    to an iPhone used by one of the San Bernardino attackers.
  PGN]


This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Mar 2016 13:58:10 -0700
This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA

http://arstechnica.com/information-technology/2016/03/this-is-the-phone-nsa-suggested-clinton-use-a-4750-windows-ce-pda/

  When former Secretary of State Hillary Clinton was pushing to get a waiver
  allowing her to use a BlackBerry like President Barack Obama back in 2009,
  the National Security Agency had a very short list of devices approved for
  classified communications. It was two devices built for the Secure Mobile
  Environment Portable Electronic Device (SME PED) program.  In fact, those
  devices were the only thing anyone in government without an explicit
  security waiver (like the one the president got, along with his souped-up
  BlackBerry 8830) could use until as recently as last year to get mobile
  access to top secret encrypted calls and secure e-mail.  Despite $18
  million in development contracts for each of the vendors selected to build
  the competing SME PED phones (or perhaps because of it), the resulting
  devices were far from user-friendly. The phones—General Dynamics'
  Sectéra Edge and L3 Communications' Guardian—were not technically
  *smart phones*, but instead were handheld personal digital assistants with
  phone capability, derived from late 1990s and early 2000s technology that
  had been hardened for security purposes—specifically, Windows CE
  technology.


CRYPTO-GRAM, March 15, 2016 (Bruce Schneier)

Bruce Schneier <schneier@schneier.com>
Tue, 15 Mar 2016 02:03:58 -0500
  [I often excerpt from Bruce's Crypto-Gram.  This issue is so full of
  goodies that I'm just listing the Table of Contents.  PGN]

In this issue:

      Data Is a Toxic Asset
      The FBI vs. Apple: Decrypting an iPhone
      Lots of News and Essays about the FBI vs. Apple
      The Importance of Strong Encryption to Security
      News
      Security Implications of Cash
      WikiLeaks Publishes NSA Target List
      Schneier News
      Resilient Systems News: IBM to Buy Resilient Systems
      Cheating at Professional Bridge
      Simultaneous Discovery of Vulnerabilities

Bruce Schneier, CTO, Resilient Systems, Inc. https://www.schneier.com
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily
those of Resilient Systems, Inc.  Copyright (c) 2016 by Bruce Schneier.  For
back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.


Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 09:33:39 -0400
http://www.nytimes.com/2016/03/16/world/asia/bangladesh-bank-chief-resigns-after-cyber-theft-of-81-million.html


Re: Hackers steal $81M from Bangladesh (RISKS-29.35)

"John Levine" <johnl@iecc.com>
16 Mar 2016 23:14:31 -0000
  [was: Typo thwarts hackers in $1 billion cyber heist]

*Thwarts* is rather an overstatement, since the crooks stole $101M—of
which only $20M has been retrieved, and $81M is a lot of money for a country
as poor as Bangladesh.  The $81M went to banks in the Philippines—$50M to
accounts belonging to casinos, and $30M in cash to a man in Manila.  It's a
political issue there, as well.  ($30M in $100 bills weighs over 600 pounds,
so it's not like the guy walked out of the bank with a briefcase.)

Bangladesh's well-regarded finance minister has resigned, and several of his
subordinates were fired (and probably more) for trying to cover up the theft
and not telling him about it.

According to the *Financial Times*, they were SWIFT transfer requests that
were fully authenticated at the New York end.  The FT says that the current
assumption is that Bangladeshi computers were compromised by malware, and a
lot of people would like to know the details.  Another question is why the
thefts, which happened a month ago, have just become public now.

https://next.ft.com/content/4275601e-be2d-3529-a5f0-702e635e02ca

  [Clearly, no one should be allowed to have meaningfully secure computers
  and strong crypto—not even the U.S. Government!  That would solve
  problems such as this one, even if it is not yet April Fools' Day.  PGN]


Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank ... (RISKS-29.35)

"Bob Frankston" <Bob2@bob.ma>
17 Mar 2016 22:45:45 -0400
The interesting question is what does “The spokesman said the payment
instructions were 'fully authenticated' using standard methods.'' mean given
the amounts involved?
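The two Bangladesh items above turn on the same point: a payment instruction can be "fully authenticated" and still be fraudulent, because authentication proves the message came from the keyed endpoint, not that a legitimate operator intended it. The following added illustration (not from any RISKS contributor, and not SWIFT's actual protocol) models that with a constructed HMAC key standing in for an endpoint credential: an instruction authored by malware on the compromised endpoint verifies perfectly, and only a transaction-level control layer (amount threshold, unseen beneficiary) holds it.

```python
import hashlib
import hmac
import json

# Constructed shared secret standing in for whatever credential lets a sending
# bank's terminal produce instructions the receiving end treats as genuine.
# Under the FT assumption quoted above, malware on that terminal can use it too.
ENDPOINT_KEY = b"constructed-demo-key-not-a-real-credential"

def sign_instruction(instr: dict, key: bytes) -> str:
    """MAC over a canonical encoding of the instruction (the 'authentication')."""
    body = json.dumps(instr, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_instruction(instr: dict, mac: str, key: bytes) -> bool:
    """True when the MAC checks out: the message came from the keyed endpoint."""
    return hmac.compare_digest(sign_instruction(instr, key), mac)

def policy_flags(instr: dict, known_beneficiaries: set, threshold_usd: int) -> list:
    """Transaction-level controls that do not depend on who signed the message."""
    flags = []
    if instr["amount_usd"] >= threshold_usd:
        flags.append("amount at or above threshold: second approver required")
    if instr["beneficiary"] not in known_beneficiaries:
        flags.append("beneficiary not previously seen: out-of-band confirmation required")
    return flags

def process(instr: dict, mac: str, key: bytes, known: set, threshold_usd: int) -> str:
    """Authenticate first, then apply controls; returns the disposition."""
    if not verify_instruction(instr, mac, key):
        return "rejected: authentication failed"
    flags = policy_flags(instr, known, threshold_usd)
    if flags:
        return "held: " + "; ".join(flags)
    return "released"

# Constructed sample data for a stand-alone run (names and amounts are made up,
# the $30M figure echoes the amount reported above).
KNOWN = {"ACME Payroll Ltd"}
THRESHOLD = 1_000_000
LEGIT = {"beneficiary": "ACME Payroll Ltd", "amount_usd": 250_000, "ref": "PAY-0001"}
# Attacker-authored instruction, signed with the same compromised endpoint key.
FRAUD = {"beneficiary": "Unknown Individual, Manila", "amount_usd": 30_000_000, "ref": "PAY-0002"}

if __name__ == "__main__":
    legit_mac = sign_instruction(LEGIT, ENDPOINT_KEY)
    fraud_mac = sign_instruction(FRAUD, ENDPOINT_KEY)
    # The fraudulent instruction is every bit as "fully authenticated" as the real one.
    print("fraud authenticates:", verify_instruction(FRAUD, fraud_mac, ENDPOINT_KEY))
    print(process(LEGIT, legit_mac, ENDPOINT_KEY, KNOWN, THRESHOLD))
    print(process(FRAUD, fraud_mac, ENDPOINT_KEY, KNOWN, THRESHOLD))
```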
