The RISKS Digest
Volume 29 Issue 56

Wednesday, 15th June 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

GPS jamming and aircraft control systems
R A Lichtensteiger
"Tesla Model X autonomously crashes into building, owner claims"
Lucas Mearian
Lexus Owners Say Update Bricked Cars' Navigation Systems
Consumerist via Gabe Goldberg
Scary glitch affects luxury cars
Bob Frankston
Faulty update breaks Lexus cars' maps and radio systems
Martyn Thomas
Re: Faulty update breaks Lexus cars' maps and radio systems
Mike Ellims
Car Hacking / VW fun theory
Alister Wm Macintyre
Are we really sure drones are safe?
Charley Kline
Lancaster UK power outage
RAEng
Monkey in Kenya Survives After Setting Off Nationwide Blackout
NYTimes
And why would anyone sign up for this service?
Jeremy Epstein
David Dill: Why Online Voting is a Danger to Democracy
PGN
Tech firms say FBI wants browsing history without warrant
engadget
DEA Wants Inside Your Medical Records to Fight the War on Drugs
DailyBeast
The Internet is blurring the content/metadata distinction into meaninglessness
Steve Bellovin et al. via SSRN
Father of the Internet Worries Our Digital History Is Disappearing
Newsweek via Geoff Goodfellow
Oklahoma Highwaymen Seize Bank Accounts from Drivers
Henry Baker
Takedown, Staydown would be a disaster, Internet Archive Warns
Torrentfreak
Internet greybeards and upstarts gather to redecentralize the Internet
Boingboing
Parents are worried the Amazon Echo is conditioning their kids to be rude
Alice Truong
Morocco bans reading newspapers in public
The Telegraph
Snooper's Charter, aka the Investigatory Powers Bill, UK law
Betanews
Russian penetration of political networks
WashPo
"Let's Encrypt" exposes almost 8K user email addresses
LW
Charlie Osborne
"Hackers could have changed Facebook Messenger chat logs"
Peter Sayer
One of the World's Largest Botnets Has Vanished
Joseph Cox
"Empty DDoS threats earn extortion group over $100,000"
Lucian Constantin
EU Exploring Idea of Using Government ID Cards as Mandatory Online Logins
Softpedia
Local stations' commercial break shorter than national's
Dan Jacobson
Re: This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip
Jeff Jonas
Re: App to get PII from CAC card
Dan Pritts
Re: Another Risk of Self-Driving Cars; Clogged Highways?!?
Jeff Jonas
Isodarco 2017: ADVANCED AND CYBER WEAPONS SYSTEMS: TECHNOLOGY AND ARMS CONTROL
Carlo Shaerf
Info on RISKS (comp.risks)

GPS jamming and aircraft control systems

R A Lichtensteiger <rali@tifosi.com>
Wed, 8 Jun 2016 16:35:24 -0400
The US government will be performing GPS jamming experiments near China
Lake.  The FAA, which publishes Notices to Airmen (NOTAMs), has a category
for GPS events.

https://pilotweb.nas.faa.gov/PilotWeb/noticesAction.do?queryType=ALLGPS&formatType=DOMESTIC

And I quote:

  ADDITIONALLY, DUE TO GPS INTERFERENCE IMPACTS POTENTIALLY AFFECTING
  EMBRAER PHENOM 300 AIRCRAFT FLIGHT STABILITY CONTROLS, FAA RECOMMENDS
  EMBRAER PHENOM PILOTS AVOID THE ABOVE TESTING AREA AND CLOSELY MONITOR
  FLIGHT CONTROL SYSTEMS DUE TO POTENTIAL LOSS OF GPS SIGNAL

Awesome.

  [Mark Thorson notes that a large area of southern California may be
  affected.  http://www.dailymail.co.uk/sciencetech/article-3630029  He
  also found it particularly interesting that Embraer Phenom 300 business
  jets should avoid the area entirely because their flight stability
  controls may be affected.  Uh, what?  PGN]


"Tesla Model X autonomously crashes into building, owner claims" (Lucas Mearian)

Gene Wirchenko <genew@telus.net>
Wed, 08 Jun 2016 12:23:07 -0700
Lucas Mearian, ComputerWorld, 6 Jun 2016
Autopilot was not activated in the car
http://www.computerworld.com/article/3079807/car-tech/tesla-model-x-autonomously-crashes-into-building-owner-claims.html

selected text:

The owner of a brand-new Tesla Model X SUV said the car suddenly accelerated
at "maximum speed" by itself, jumped a curb and slammed into the side of a
shopping mall while his wife was behind the wheel.

The owner of the Model X, Puzant Ozbag, said the vehicle had been delivered
only five days earlier to his home in Irvine, Calif., where the accident
also took place. He said his wife had not activated any self-driving
features at the time of the crash.

Puzant, who wasn't in the SUV at the time of the crash, said it was
fortunate that the vehicle's front wheels were turned slightly left as his
wife was pulling into the parking space because if they'd been straight, the
Model X would have plowed into a nail salon and could have killed someone.

The accident, which occurred at about 2:30 p.m., injured his wife's arm and
caused major damage to the SUV's front end. His wife's arm was burned during
the crash, likely from the airbags being deployed, and remains swollen
today, Puzant said.

If the Model X accident turns out to have been caused by a faulty autonomous
vehicle system, it would not be the first reported by a Tesla owner.

Last month, a Model S owner from Utah reported that his sedan started itself
and rammed into the back of a trailer bed after he'd placed the vehicle in
park and gone into a store to run an errand.


Lexus Owners Say Update Bricked Cars' Navigation Systems

Gabe Goldberg <gabe@gabegold.com>
Fri, 10 Jun 2016 18:23:51 -0400
Just like your phone or computer, your web-connected car needs to get the
occasional software update. Most of these system tweaks happen quietly
without too much interruption to your life, but occasionally one goes wrong
and you end up with a Lexus with navigation and infotainment systems that
can't be used because they are stuck in a reboot loop.

Lexus says it is working around the clock to find a solution for a satellite
communication issue after many owners of vehicles with Lexus' Enform system
with navigation said the head units for their systems stopped working.

https://consumerist.com/2016/06/08/lexus-owners-say-update-bricked-cars-navigation-systems/

And asynchronous updates pushed by car manufacturers over the air seemed
like *such* a good idea. Who (aside from readers of this list) could have
anticipated anything going wrong? It seems to me that "satellite
communication" is the problem, not the "issue". And, while I'd hardly use
Windows as the example of reliable updates, at least restore points
occasionally undo update mischief. Maybe Lexus will introduce them as a
priced feature.


Scary glitch affects luxury cars

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
11 Jun 2016 12:28:51 -0400
http://www.bostonglobe.com/lifestyle/2016/06/09/scary-glitch-affects-luxury-cars/kj4wg2lhphlJDC3gATGuPM/story.html

Carmaker Toyota and its luxury brand Lexus rushed to fix a software bug
Wednesday that had caused a malfunction in vehicles' GPS, climate control
and "infotainment," or front console radio systems. It disabled the backup
camera and hands-free phone functions as well.

  Errant data broadcast Tuesday by the company's traffic and weather service
  confounded vehicles' "Enform" infotainment system installed in 2014,
  2015, and 2016 Lexus vehicles and the 2016 Toyota Land Cruiser, the
  company said.  The data made the subscription-based "Enform" system
  continuously reboot itself, rendering it unusable and drawing the ire of
  many a driver.

What is most worrisome about this particular bug is that it wasn't isolated
to one function. The good news is that this particular system doesn't seem
critical to the driving (unless, perhaps, the navigation system is doing the
driving!). The problem is not so much that a car might have 1e8 lines of
code—it is in the difficulty of isolating subsystems and unanticipated
interactions between the various systems. And between cars.


Faulty update breaks Lexus cars' maps and radio systems

Martyn Thomas <martyn@thomas-associates.co.uk>
Fri, 10 Jun 2016 16:57:25 +0100
http://www.bbc.co.uk/news/technology-36478641

"Errant data broadcast by our traffic and weather data service provider was
not handled as expected by the microcomputer in the vehicle navigation head
unit (centre display) of 2014-16 Model Year Lexus vehicles and 2016 Model
Year Toyota Land Cruiser," a spokeswoman explained.

"In some situations, this issue can cause the head unit to restart
repeatedly, affecting operation of the navigation system (if equipped),
audio and climate control features. The data suspected to be the source of
the error was corrected last night."

The firm said "many" vehicles had been affected. The affected vehicles have
been recalled.


Re: Faulty update breaks Lexus cars' maps and radio systems

"Mike Ellims" <michael.ellims@tesco.net>
Fri, 10 Jun 2016 19:14:51 +0100
I think there have been recalls for several other vehicles along these lines
as well.

The Fiat 500e and the Mitsubishi Outlander, which has been hacked; see the
following for some juicy details.

https://www.theguardian.com/technology/2016/jun/06/mitsubishi-outlander-car-hacked-security

I also saw somewhere there was a bug in the web browser on the Tesla but
they seem to have fixed it same day over the inter web...


Car Hacking / VW fun theory

Wow
Sunday, June 12, 2016 2:57 PM
  [Here is something I just sent to my Allstate Auto Insurance agent, which
  may also be of interest to you.]

The topic of "car hacking" is troublesome to me, and I know Allstate has
also been looking into this threat. Here is another link which may interest
you.  I found it because I follow cyber security issues on Linked In.  The
comments on this link, are also worth viewing.

http://www.csoonline.com/article/3081480/hardware/securing-your-car-from-cyberattacks-is-becoming-a-big-business.html

There are several issues:

* Most any new technology has a business psychology of being first to market
share, then worry about security and privacy and other issues later, which
turn out to be much more expensive to perfect than had they been designed in
from the start.  So we now have millions of cars on the road which can be
hacked.  Look at how long it took for the air bag problem to be recognized
and addressed properly.  A Congressional hearing last year learned that there
are still new cars being sold with the defective air bags.  My car had one of
them, and I got mine replaced.  Most people with them have not yet had them
replaced.

* Even when some companies try to behave responsibly, they invariably
include standard chips, which can include irresponsibility without the
buyers being aware, such as IoT at the present time, which is now in millions
of consumer products.

* A lot of manufacturing is outsourced in such a way that it is vulnerable
to Manchurian chips, which is extra stuff to support extra activities
(usually crooked, or foreign state surveillance, or cyber war) not what the
customer ordered, and almost impossible to detect.

* Given the rise in interconnectedness of all kinds of gadgets, when there
is risk of malware, hacking, other threats, is there anything the end user
of the gadgets can do to mitigate the threat?  That is the topic of the link
above.  It may be useful for Allstate to track, by vehicle manufacturer
model, which is vulnerable to hacking, which have these cyber security
protections available, review their relative merits, recommend the best to
their customers driving those vehicles.

The process, of software updates, has been shown to be vulnerable to crooks
using that avenue to deliver badware.  I am very disturbed by this notion
that some manufacturers wish to deliver software upgrades to autos when they
are in the world of consumer usage, because that invites the bad people to
use that channel on vehicles on a highway, to trigger massive pile ups.  I
much prefer the notion that we take our car to get the upgrade, some place
where the car is not being driven concurrently, and the upgrade can then be
tested.  This is a model I saw for much of my career with back office
computers.  An upgrade is due.  We wait on a time period with low activity
by our users.  Stop everything.  Get a complete backup.  Apply the upgrade.
Test that it meets standards.  Then decide whether to return to the backup,
without the upgrade, or continue forwards.  Do another backup before
resuming normal operations.  Making sure the update model is safe - this is
something I think the industry needs to address PDQ, because we are headed
towards mainstream news finding out, causing a panic, and legislators
crafting bad laws.

My comment on the bugs rate:

I was a programmer for over 50 years.  My bugs rate depended on the
programming tools made available to me by the software environment in which
I worked.

There were tools for testing, for checking coding standards, a format
checker to find out if the code was "grammatically correct" in computer
language.  Have you ever prepared some document, where you plan to run off
many copies - you check and check, someone else checks, no one sees a typing
error until after you have run off the many copies.  Programming can be like
that, we make a typing error while keying in the program.

I did not go by the standard of # bugs by lines of code, but rather # bugs
by application run for the end users, because that was priority to fix.

Most of our bugs were not an error made by the programmer at time of
software development, but because programs were originally designed for one
purpose, then the company later used those programs for another purpose, for
which they were not originally designed, and thus did not work right, and
needed to be fixed to meet the new conditions.  Those bugs were not a single
typo in one line of code, but rather a package of logic, where many changes
needed in multiple places.

Even so, the notion of 15 bugs per 1,000 lines of code is unheard of for my
career, even with the most rudimentary of programmer tools.

5 bugs per million lines of code is about the worst I ever saw in my career,
going into production, after testing, then discovered later.

VW was one of the first car manufacturers to get a bad rep in the cyber
security world for how they handled news of hackable cars.
Here they are doing something which may help repair their reputation:
  https://www.youtube.com/watch?list=PLH-T358uPi7fY1nz0B9d4BOMjXsHY6-Nc
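The back-office update cycle described in the post above (wait for a quiet period, stop, back up, apply, test, roll back or go forward, back up again), as an added Python example written for this digest note; it is not code from the post's author or from any car maker. A throwaway directory stands in for a head unit's data, the "bad" update stands in for data the consumer cannot parse, and the acceptance test is a constructed version check.

```python
"""Staged update with backup, acceptance test and rollback.  Constructed
example: the directory layout, both updates and the acceptance test are
made up for illustration."""
import os
import shutil
import tempfile

VERSION_FILE = "maps.version"


def snapshot(target, label):
    """Copy the whole target tree to a sibling backup directory; return its path."""
    backup = os.path.join(os.path.dirname(target), "backup-" + label)
    shutil.copytree(target, backup)
    return backup


def restore(backup, target):
    """Replace the target tree with the backup copy (return to the backup)."""
    shutil.rmtree(target)
    shutil.copytree(backup, target)


def staged_update(target, apply_update, acceptance_test, busy):
    """Run one update through the full cycle.  apply_update(target) mutates
    the tree, acceptance_test(target) returns True if it meets standards,
    busy() reports whether users are still active.  Returns an outcome dict."""
    if busy():
        return {"status": "deferred", "reason": "users active; wait for a quiet period"}
    pre = snapshot(target, "pre")            # complete backup before touching anything
    try:
        apply_update(target)
        accepted = acceptance_test(target)
    except Exception:                        # a crashing update counts as failed
        accepted = False
    if not accepted:
        restore(pre, target)                 # back to the backup, without the upgrade
        return {"status": "rolled_back", "pre_backup": pre}
    post = snapshot(target, "post")          # another backup before resuming normal operations
    return {"status": "committed", "pre_backup": pre, "post_backup": post}


def make_config_dir():
    """Constructed stand-in for the head unit's data directory."""
    root = tempfile.mkdtemp(prefix="staged-update-")
    target = os.path.join(root, "config")
    os.mkdir(target)
    with open(os.path.join(target, VERSION_FILE), "w") as fh:
        fh.write("2016.05\n")
    return target


def good_update(target):
    """A well-formed update: bumps the version to the next month."""
    with open(os.path.join(target, VERSION_FILE), "w") as fh:
        fh.write("2016.06\n")


def bad_update(target):
    """Stands in for the errant-data case: written successfully, but not in
    a form the consumer can parse."""
    with open(os.path.join(target, VERSION_FILE), "w") as fh:
        fh.write("garbage\n")


def version_parses(target):
    """Acceptance test: the version file must read as YEAR.MONTH."""
    with open(os.path.join(target, VERSION_FILE)) as fh:
        year, sep, month = fh.read().strip().partition(".")
    return sep == "." and year.isdigit() and month.isdigit()


def run_demo(update, busy=False):
    """Run one update on a throwaway directory; return the outcome plus the
    version the directory holds afterwards, then clean up."""
    target = make_config_dir()
    try:
        result = staged_update(target, update, version_parses, lambda: busy)
        with open(os.path.join(target, VERSION_FILE)) as fh:
            result["version_after"] = fh.read().strip()
        return result
    finally:
        shutil.rmtree(os.path.dirname(target))


if __name__ == "__main__":
    print(run_demo(good_update))             # committed, version 2016.06
    print(run_demo(bad_update))              # rolled_back, version 2016.05
```

The point of the acceptance test is that it runs against the updated data while the system is quiesced and a known-good copy still exists; an update that is applied to units in the field with no such gate has no equivalent of the rollback branch.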


Are we really sure drones are safe?

"Charley Kline" <csk@mail.com>
June 9, 2016 at 3:48:22 PM EDT
  [via Dave Farber]

Drones hacked and crashed by research team to expose design flaws.

Five graduate students and their professor have discovered three different
ways to send rogue commands from a computer laptop to interfere with an
airborne hobby drone's normal operation and land it or send it plummeting.

The Johns Hopkins University, Baltimore, USA, computer security team has
raised concerns about the ease with which hackers could cause these
increasingly popular robotic devices to ignore their human controllers and
land or, more drastically, crash.

  http://eandt.theiet.org/news/2016/jun/drone-hacking.cfm


Lancaster UK power outage (RAEng)

Peter Neumann <neumann@csl.sri.com>
Tue, 14 Jun 2016 09:39:09 -0700
This is a pithy RISKS-relevant illustration of how utilities are linked
in an emergency, and how pervasive the effects can be.
Courtesy of Cliff Jones and Brian Randell in Newcastle.

  http://www.raeng.org.uk/publications/reports/living-without-electricity


Monkey in Kenya Survives After Setting Off Nationwide Blackout

Monty Solomon <monty@roscom.com>
Thu, 9 Jun 2016 01:51:46 -0400
http://www.nytimes.com/2016/06/09/world/africa/monkey-kenya-survives-blackout-internet-vervet.html

The primate jumped on a transformer at a hydroelectric power station,
starting a chain reaction that knocked out lights and the Internet.


And why would anyone sign up for this service?

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sat, 11 Jun 2016 15:20:53 -0400
The headline is a nice summary: "Creepy startup will help landlords,
employers and online dates strip-mine intimate data from your Facebook page"

British startup Score Assured is used by landlords and others to learn about
individuals - after their customer sends the individual an "invitation"
(sort of an invitation to a lynch mob, IMHO), they are required to provide
credentials for Facebook, LinkedIn, Twitter and/or Instagram accounts,
according to the WashPost.  The data mining software then crawls postings
and develops a profile.

I love this quote from the co-founder: "If you're living a normal life,
then, frankly, you have nothing to worry about."  But perhaps he's
(unfortunately) correct on this one: "People will give up their privacy to
get something they want."

Of course there's no way to correct whatever conclusions it draws.

What's almost as incredible as the product is that the reporter was willing
to share her information with the company, and let them crawl her pages.

https://www.washingtonpost.com/news/the-intersect/wp/2016/06/09/creepy-startup-will-help-landlords-employers-and-online-dates-strip-mine-intimate-data-from-your-facebook-page/


David Dill: Why Online Voting is a Danger to Democracy

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 7 Jun 2016 11:43:36 PDT
http://engineering.stanford.edu/news/%E2%80%8Bdavid-dill-why-online-voting-danger-democracy

If, like a growing number of people, you're willing to trust the Internet to
safeguard your finances, shepherd your love life, and maybe even steer your
car, being able to cast your vote online might seem like a logical, perhaps
overdue, step.  No more taking time out of your workday to travel to a
polling place only to stand in a long line. Instead, as easily as hailing a
ride, you could pull out your phone, cast your vote, and go along with your
day.  Sounds great, right?

Absolutely not, says Stanford computer science professor David Dill
<https://profiles.stanford.edu/david-dill>. In fact, online voting is such a
dangerous idea that computer scientists and security experts are nearly
unanimous in opposition to it.   [Long item PGN-truncated for RISKS.]


Tech firms say FBI wants browsing history without warrant

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Jun 2016 08:42:50 -0700
via NNSquad
http://www.engadget.com/2016/06/07/fbi-ecpa-ammendment-browsing-metadata-no-warrant/

  Tech companies and privacy advocates are warning against new legislation
  that would give the FBI the ability to access "electronic communication
  transactional records" (ECTRs) without a warrant in spy and terrorism
  cases. ECTRs include high-level information on what sites a person
  visited, the time spent on those sites, email metadata, location
  information and IP addresses. To gain access to this data, a special agent
  in charge of a bureau field office need only write a "national security
  letter" (NSL) that doesn't require a judge's approval.


DEA Wants Inside Your Medical Records to Fight the War on Drugs

Lauren Weinstein <lauren@vortex.com>
Fri, 10 Jun 2016 11:22:16 -0700
NNSquad
http://www.thedailybeast.com/articles/2016/06/10/dea-wants-inside-your-medical-records-to-fight-the-war-on-drugs.html

  The feds are fighting to look at millions of private files without a
  warrant, including those of two transgender men who are taking
  testosterone.  Marlon Jones was arrested for taking legal painkillers,
  prescribed to him by a doctor, after a double knee replacement.  Jones, an
  assistant fire chief of Utah's Unified Fire Authority, was snared in a
  dragnet pulled through the state's program to monitor prescription drugs
  after someone stole morphine from an ambulance in 2012. To find the
  missing morphine, cops used their unrestricted access to the state's
  Prescription Drug Monitor Program database to look at the private medical
  records of nearly 500 emergency services personnel--without a warrant.


The Internet is blurring the content/metadata distinction into meaninglessness

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Jun 2016 11:55:13 -0700
Steven M. Bellovin, Matt Blaze, Susan Landau, Stephanie K. Pell
It's Too Complicated: The Technological Implications of Ip-Based
Communications on Content/Non-Content Distinctions and the Third Party
Doctrine
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2791646

  For more than forty years, electronic surveillance law in the United
  States developed under constitutional and statutory regimes that, given
  the technology of the day, distinguished content from metadata with ease
  and certainty.  The stability of these legal regimes and the distinctions
  they facilitated was enabled by the relative stability of these types of
  data in the traditional telephone network and their obviousness to
  users. But what happens to these legal frameworks when they confront the
  Internet? The Internet's complex architecture creates a communication
  environment where any given individual unit of data may change its
  status--from content to non-content or vice-versa--as it progresses
  through the Internet's layered network stack while traveling from sender
  to recipient. The unstable, transient status of data traversing the
  Internet is compounded by the fact that the content or non-content status
  of any individual unit of data may also depend upon where in the network
  that unit resides when the question is asked.


Father of the Internet Worries Our Digital History Is Disappearing

the keyboard of geoff goodfellow <geoff@iconia.com>
Fri, 10 Jun 2016 08:13:49 -1000
http://www.newsweek.com/father-internet-worries-our-digital-history-disappearing-468642?utm_medium=email&utm_source=Father-of-the-Internet-Worries-Our-History-Is-Vani&utm_campaign=newsweek_email_newsletter

This is a very serious problem.


Oklahoma Highwaymen Seize Bank Accounts from Drivers

Henry Baker <hbaker1@pipeline.com>
Wed, 08 Jun 2016 13:04:51 -0700
FYI—The organized crime syndicate known as "Civil Asset Forfeiture" can
now steal money from your bank accounts without a warrant using a new "ERAD"
machine.

"It shows [Oklahoma] is paying ERAD Group Inc., $5,000 for the software and
scanners, then 7.7 percent of all the cash the highway patrol seizes."

This is major escalation by the highwaymen from the older *red light camera
scams* and *speed trap scams*.

Aaron Brilbeck, News 9, 7 Jun 2016  [long item, pruned for RISKS.  PGN]
OHP Uses New Device To Seize Money Used During The Commission Of A Crime
http://fusion.net/story/5055/red-light-camera-programs-coming-to-a-screeching-halt/
https://www.motorists.org/blog/7-ways-to-shut-down-a-speed-trap/

BTW, Cyrus Vance seems to be funding his anti-Fourth Amendment "Going Dark"
campaign using civil asset forfeiture funds.  Vance has thereby scored a
hat-trick: using violations of the Fifth & Fourteenth Amendments to fund
violations of the Fourth Amendment!

http://www.nytimes.com/2015/11/08/nyregion/cyrus-vance-has-dollar-808-million-to-give-away.html
https://en.wikipedia.org/wiki/Due_Process_Clause
http://www.news9.com/story/32168555/ohp-uses-new-device-to-seize-money-used-during-the-commission-of-a-crime


Takedown, Staydown would be a disaster, Internet Archive Warns

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Jun 2016 16:46:24 -0700
NNSquad
https://torrentfreak.com/takedown-staydown-would-be-a-disaster-internet-archive-warns-160607/

  To end this cycle they're pushing for a new mechanism provisionally titled
  'Takedown, Staydown' or 'Notice and Staydown'. This would order web
  platforms to ensure that once content is taken down it will never appear
  again on the same platform. These proposals are currently under review by
  the US Copyright Office.  But while copyright holders feel this would be a
  great tool for them, it's perhaps unsurprising that content platforms are
  less enthusiastic. After weighing in earlier in the year, the latest
  warnings from the Internet Archive, a gigantic public repository of a wide
  range of media, are among the sternest yet.  Noting that even the
  current system is regularly abused by those seeking to silence speech, the
  Archive says that on a daily basis it receives wrongful takedowns for
  content that is in the public domain, is fair use, or is critical of the
  content owner. Therefore, further extending takedown rights could prove
  extremely problematic.  "We were very concerned to hear that the Copyright
  Office is strongly considering recommending changing the DMCA to mandate a
  'Notice and Staydown' regime. This is the language that the Copyright
  Office uses to talk about censoring the web," the Archive warns.


Internet greybeards and upstarts gather to redecentralize the Internet

Lauren Weinstein <lauren@vortex.com>
Thu, 9 Jun 2016 07:09:20 -0700
NNSquad
http://boingboing.net/2016/06/09/internet-greybeards-and-upstar.html#more-465741

  This week, the Internet Archive is hosting a three-day event (which
  finishes today) called The Decentralized Web Summit, whose goal is to
  figure out how to build a new Internet that is "locked open," an idea that
  emerged from Internet Archive founder Brewster Kahle's 2015 series of
  talks and articles about how technologists can build networks and
  protocols that are resistant to attempts to capture, monopolize and control
  them.  I attended the first two days, and the event was inspiring and
  brilliant. Speakers included Vint Cerf, one of the inventors of the core
  Internet technologies; and Tim Berners-Lee, who invented the Web.

Executive Summary: I don't view this concept as generally practical, for a
whole bunch of reasons, some of which are fairly obvious. There will likely
be limited niche situations where it can be successfully applied,
however. Foundational problems include relative centralization and
limited/oligarchical nature of ISPs and associated backbones (for technical,
financial, and "political" reasons), the real-world issues associated with
peering of high-volume traffic, and the infrastructure/operating costs
associated with maintaining reliable circuits and systems. Note the failures
of various community "mesh" environments to prove practical and reliable,
for example.  Protocols are not the fundamental problem in these contexts.


Parents are worried the Amazon Echo is conditioning their kids to be rude (Alice Truong)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 9 Jun 2016 16:04:59 -0600
*Quartz*, June 09, 2016

Alexa will put up with just about anything. She has a remarkable tolerance
for annoying behavior, and she certainly doesn't care if you forget your
please and thank yous.

But while artificial intelligence technology can blow past such indignities,
parents are still irked by their kids' poor manners when interacting with
Alexa, the assistant that lives inside the Amazon Echo.

"I've found my kids pushing the virtual assistant further than they would
push a human.  [Alexa] never says `That was rude' or `I'm tired of you asking
me the same question over and over again,'" said Avi Greengart, a tech
analyst and father of five who lives in Teaneck, New Jersey.

Perhaps she should, he thinks.

http://qz.com/701521/parents-are-worried-the-amazon-echo-is-conditioning-their-kids-to-be-rude/


Morocco bans reading newspapers in public

Lauren Weinstein <lauren@vortex.com>
Wed, 8 Jun 2016 09:32:41 -0700
  [Try not to fall off your chair laughing at this one!]

*The Telegraph* via NNSquad
http://www.telegraph.co.uk/news/2016/06/08/morocco-bans-reading-newspapers-in-public/

  But in Morocco, reading newspapers in public has been banned after editors
  claimed they were losing millions in revenue because people kept sharing
  them.

     [I suppose the next step would be to ban reading newspapers online,
     because the editors would be losing millions in revenue when people
     keep reading the papers—and did not even have to share!  But the
     next step after that would be to ban newspapers altogether, which has
     already been tried in other countries.  PGN]


Snooper's Charter, aka the Investigatory Powers Bill, UK law

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Jun 2016 14:47:34 -0700
http://betanews.com/2016/06/07/snoopers-charter-vote/

  The controversial Snooper's Charter—or the Investigatory Powers Bill as
  it is officially known—has been voted into law by UK MPs.  An
  overwhelming majority of politicians (444 to 69) voted in favor of the
  bill which has been roundly criticized by both the public and technology
  companies.  The Investigatory Powers Bill grants the UK government,
  security, and intelligence agencies greater powers for monitoring Internet
  usage, as well as permitting bulk data collection and remote hacking of
  smartphones. The law allows for the kind of mass surveillance that Edward
  Snowden warned about, and while the bill may have passed a majority vote,
  there are still those who fear not enough has been done to safeguard
  individuals' privacy.

Ultimately, an unintended big boost for end-to-end encryption.

  [SuperDuperSnooperPooperScooperLooper?  PGN]

    [See also
http://www.chicagotribune.com/news/sns-wp-blm-britain-encrypt-41ce0ee2-2ce5-11e6-b9d5-3c3063f8332c-20160607-story.html
    ]

    [Henry Baker noted further coverage on this item:

http://www.telegraph.co.uk/technology/2016/06/08/can-the-government-read-your-texts-how-the-snoopers-charter-will/

  Lord Hague has predicted that Western societies will enact laws and
  regulations against unbreakable encryption—while conceding that the
  technology has always existed.  "Let us spy on you or we'll choke off
  civil liberties."
http://www.theregister.co.uk/2016/06/08/william_hague_infosec_keynote_speech/
    ]


Russian penetration of political networks (WashPo)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 14 Jun 2016 11:41:33 PDT
  [After hearing about the OMB fiasco and so many recent data-gathering
  breaches, why is this surprising?  PGN]

*The Washington Post* reports that Russian government agents have attacked
and penetrated the DNC (Democratic National Committee) network as well as
candidate networks, including those of Hillary Clinton and Donald Trump, and
some GOP PACs.

The intruders so thoroughly compromised the DNC's system that they also were
able to read all email and chat traffic, said DNC officials and the security
experts.

<https://www.washingtonpost.com/world/national-security/national-intelligence-director-hackers-have-tried-to-spy-on-2016-presidential-campaigns/2016/05/18/2b1745c0-1d0d-11e6-b6e0-c53b7ef63b45_story.html>.
https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html


"Let's Encrypt" exposes almost 8K user email addresses

Lauren Weinstein <lauren@vortex.com>
Fri, 10 Jun 2016 22:19:46 -0700
NNSquad
https://community.letsencrypt.org/t/email-address-disclosures-preliminary-report-june-11-2016/16867

  The result was that recipients could see the email addresses of other
  recipients. The problem was noticed and the system was stopped after 7,618
  out of approximately 383,000 emails (1.9%) were sent. Each email
  mistakenly contained the email addresses from the emails sent prior to it.

This kind of rudimentary error goes all the way back to early ARPANET
days. It really inspires confidence in the Let's Encrypt operation - NOT!
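As an added illustration of the failure mode described in the post above (example code written for this digest note, not Let's Encrypt's code): a batch mailer whose recipient list is created once and appended to on every iteration, so each notice goes out carrying the addresses of the notices sent before it, beside the corrected loop, a precondition check that turns the leak into a hard failure before anything is sent, and an audit over the rendered headers. The addresses and the renderer are constructed.

```python
"""Recipient-list accumulation bug in a per-user notification loop, with
the fix and two checks.  Constructed example; the addresses below are made
up and the 'mailer' only renders the visible To: header."""

# Constructed recipient list; addresses[i] is the intended recipient of message i.
ADDRESSES = [
    "alice@example.org",
    "bob@example.org",
    "carol@example.org",
    "dave@example.org",
]


def render_header(to):
    """Render the visible To: header of a notice (no checks)."""
    return "To: " + ", ".join(to)


def checked_render(to):
    """Same rendering, but enforce the precondition a per-user notice must
    satisfy: exactly one recipient.  A violated precondition stops the send
    instead of leaking."""
    if len(to) != 1:
        raise ValueError("per-user notice with %d recipients" % len(to))
    return render_header(to)


def send_batch_buggy(addresses, render=render_header):
    """Reproduces the defect: the recipient list is created outside the loop
    and appended to on each iteration, so message N is rendered with the
    addresses of messages 1..N-1 still in its header."""
    to = []                                  # shared across iterations: the bug
    outbox = []
    for addr in addresses:
        to.append(addr)                      # grows, never reset
        outbox.append(render(to))
    return outbox


def send_batch_fixed(addresses, render=checked_render):
    """Corrected loop: a fresh single-entry recipient list per message."""
    return [render([addr]) for addr in addresses]


def audit_outbox(addresses, outbox):
    """Post-hoc check over rendered headers: how many messages disclosed an
    address other than their intended recipient's, which addresses were
    exposed, and the disclosure rate."""
    leaking = 0
    exposed = set()
    for intended, header in zip(addresses, outbox):
        recipients = header[len("To: "):].split(", ")
        others = set(recipients) - {intended}
        if others:
            leaking += 1
            exposed |= others
    return {
        "sent": len(outbox),
        "leaking": leaking,
        "exposed": sorted(exposed),
        "rate": leaking / len(outbox) if outbox else 0.0,
    }


def first_guarded_failure(addresses):
    """Run the buggy loop through the checked renderer and return the index
    of the first message the guard refuses (None if it never fires)."""
    sent = []

    def guarded(to):
        header = checked_render(to)
        sent.append(header)
        return header

    try:
        send_batch_buggy(addresses, guarded)
    except ValueError:
        return len(sent)                     # messages already out before the guard fired
    return None


if __name__ == "__main__":
    print(audit_outbox(ADDRESSES, send_batch_buggy(ADDRESSES)))
    print(audit_outbox(ADDRESSES, send_batch_fixed(ADDRESSES)))
    print(first_guarded_failure(ADDRESSES))
```

The precondition check is the cheap defence: a per-user notice with more than one address in its header is wrong by construction, so refusing to render it halts the run at the second message rather than after thousands. The audit is the detection side, the kind of check that can run over the sent log to size an incident once it has happened.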


"Let's Encrypt accidentally leaks user email data" (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Tue, 14 Jun 2016 11:05:39 -0700
Charlie Osborne for Zero Day | 14 Jun 2016
Thousands of emails were disclosed before the issue was noticed.
http://www.zdnet.com/article/lets-encrypt-accidentally-leaks-user-email-data/


"Hackers could have changed Facebook Messenger chat logs" (Peter Sayer)

Gene Wirchenko <genew@telus.net>
Wed, 08 Jun 2016 12:12:22 -0700
Peter Sayer, ComputerWorld, 8 Jun 2016
Attackers could have rewritten logs of their Facebook Messenger chats
with you to introduce falsehoods and malicious links
http://www.computerworld.com/article/3080949/security/hackers-could-have-changed-facebook-messenger-chat-logs.html

selected text:

Roman Zaikin of Check Point Software Technologies discovered a flaw in
Facebook's chat system that made it possible for an attacker to modify or
remove any sent message, photo, file or link in a conversation they were
part of.

He demonstrated in a video how he could change an earlier message from an
innocent "Hi!" to what could be a link to ransomware attack.

But the chat logs could just as easily have been modified to create (or
suppress) evidence of a spouse's unreasonable behavior in child custody
battles, or any number of other scenarios.

"These chats can be admitted as evidence in legal investigations and this
vulnerability opens the door for an attacker to hide evidence of a crime or
even incriminate an innocent person," Check Point researchers wrote Tuesday,
in a blog post describing the flaw.


One of the World's Largest Botnets Has Vanished (Joseph Cox)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 8 Jun 2016 14:30:43 -0600
Joseph Cox, Motherboard, 8 Jun 2016

With no warning, one of the world's largest criminal botnets—a massive
collection of computers used to launch attacks—has disappeared.
Researchers have reported huge drops in traffic for two of the most popular
pieces of malware which rely on it.

"We can only tell that the Dridex and Locky spam campaigns stopped since
June 1 in our observation. We cannot confirm how the botnet was brought down
yet," Joonho Sa, a researcher for cybersecurity company FireEye, told
Motherboard in an email.

Dridex is a piece of malware typically used to empty bank accounts, while
Locky is a particularly widespread form of ransomware, which encrypts a
victim's files until they pay a hefty bounty in bitcoin.  The two campaigns
have been linked in the past.

It's not clear what exactly will happen to Locky victims now that its
infrastructure has seemingly gone offline. There's a chance that those
infected with the ransomware may be unable to successfully pay the criminals
and have their files unlocked.

http://motherboard.vice.com/read/one-of-the-worlds-largest-botnets-has-vanished


"Empty DDoS threats earn extortion group over $100,000" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Wed, 08 Jun 2016 11:49:33 -0700
Nice list you have here.  Be a real shame if something were to happen to it.
For a mere $10,000, you can buy peace of mind from Gene's Protection
Service.  For protection at a price, you can't afford to refuse.

Lucian Constantin, IDG News Service, 26 Apr 2016
There's no evidence that companies that declined to pay extortion
fees to the Armada Collective were attacked, researchers say
http://www.csoonline.com/article/3061411/security/empty-ddos-threats-earn-extortion-group-over-100-000.html

selected text:

Extorting money from companies under the threat of launching distributed
denial-of-service attacks (DDoS) against their online properties has proven
lucrative for cybercriminals. So much so that one group has managed to earn
over $100,000 without any evidence that it's even capable of mounting
attacks.

Companies should be prepared to handle DDoS attacks, but giving into
extortion is never recommended, because it encourages more cybercriminals to
engage in this type of activity. And there's no guarantee that once you pay
one group, another one won't come knocking.


EU Exploring Idea of Using Government ID Cards as Mandatory Online Logins (Softpedia)

Lauren Weinstein <lauren@vortex.com>
Wed, 8 Jun 2016 19:07:44 -0700
http://news.softpedia.com/news/eu-exploring-idea-of-using-government-id-cards-as-mandatory-online-logins-505026.shtml

  According to this document, dated to May 25, 2016, the European Commission
  is exploring the theoretical possibilities of forcing online platforms and
  EU citizens into using government IDs as online identities.


Local stations' commercial break shorter than national's

Dan Jacobson <jidanni@jidanni.org>
Thu, 09 Jun 2016 10:51:41 +0800
A national radio network might have each local station broadcast its own
commercial break for two minutes before returning to the national jingle and
program.

But what if some local stations' commercials only last 1:59?

They end up switching back too early, sending the final one second of the
capital city's commercials into the ears of local listeners, unbeknownst
to engineers in the capital city. (Until I told them (BCC, Taiwan).)


Re: This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip (Andy Greenberg)

Jeff Jonas <jeffj@panix.com>
Mon, 13 Jun 2016 00:29:56 -0400 (EDT)
> researchers at the University of Michigan haven't just imagined
> that computer security nightmare; they've built and proved it works.
> ...  they detailed the creation of an insidious, microscopic
> hardware backdoor proof-of-concept.

Ken Thompson's Turing award lecture "Reflections on Trusting Trust"
describes creating a similar situation back in 1984.  He modded the C
compiler to insert a backdoor into the LOGIN code, and to insert that
backdoor generator when the "C" compiler was recompiled, so there was no
source code for the infiltration.

     http://cm.bell-labs.com/who/ken/trust.html

I'd guess the chip layout toolset could be similarly infiltrated,
particularly if it's binary only.  It could even propagate forward if the
update & upgrade systems collaborate.


Re: App to get PII from CAC card (Epstein, RISKS-29.55)

Dan Pritts <danno@dogcheese.net>
Tue, 7 Jun 2016 18:13:47 -0400
You're certainly right that this doesn't solve the main problem.  Still,
it's plausible that the app creator is the data read from the cards.  The
linked article doesn't mention this nuance, but telling users not to
install it isn't completely ridiculous.  The barn door has been left open,
please don't send photos of the cow to 4chan.


Re: Another Risk of Self-Driving Cars; Clogged Highways?!?

Jeff Jonas <jeffj@panix.com>
Mon, 13 Jun 2016 00:12:57 -0400 (EDT)
Back in the 1980s, Sperry installed a centralized traffic system along Long
Island (NY)'s major highways (Long Island Expressway, Northern State ...)
their service roads and local streets.  The only visible part is the
highway's informational signs and road sensors.  When I toured the main
facility, it was explained that it linked to side-street traffic lights to
help shunt traffic around congestion.

That was before GPS and smart phones with real time traffic updates.
Perhaps there's some data awareness or sharing for better situational
awareness and response.

A friend in the fire dept told me that they have a device to get all green
lights, but the feature is enabled ONLY AS REQUIRED ON A PER-USE BASIS.
Abuse is not tolerated. It is monitored and audited.  Just in case you
wanted to create your own express "Lexus-lane", please do not.

-- Jeffrey S Jonas


Isodarco 2017: ADVANCED AND CYBER WEAPONS SYSTEMS: TECHNOLOGY AND ARMS CONTROL

isodarco <isodarco@gmail.com>
Sun, 12 Jun 2016 10:37:31 +0200
Enclosed and attached is the information relating to the 30th Isodarco
Winter Course (www.isodarco.it). We hope that you will find this information
of interest and that you will join us in this intellectually challenging
experience. We also hope that you will pass this information to your friends
and colleagues and forward it to your mailing list. Attached is a pdf poster
that you can print on European or American standard paper sizes; we hope
that you will kindly post it on your bulletin board.

Thank you for your collaboration and best personal regards.

Carlo Schaerf

ISODARCO <http://www.isodarco.it/>
INTERNATIONAL SCHOOL ON DISARMAMENT AND RESEARCH ON CONFLICTS
since 1966 - Italian Pugwash Group

30th Winter Course

ADVANCED AND CYBER WEAPONS SYSTEMS:
TECHNOLOGY AND ARMS CONTROL
ANDALO (TRENTO) – ITALY, 8-15 JANUARY 2017

Director of the School: Carlo Schaerf (ISODARCO, Rome, Italy).

Directors of the Course: Giampiero Giacomello (Department of Political
Sciences SPS, University of Bologna, Italy); Riccardo Antonini (Technical
Scientific Expert, Presidency of the Italian Council of Ministers, Rome,
Italy).

The search for the ultimate weapon has always motivated military planners
and engineers to exploit for military purposes new scientific discoveries
and technological advances, thereby causing qualitative arms races. The
breadth and pace of development in computers, networks, robotics and
artificial intelligence suggests the emergence of new generations of
weapons, in cyberspace and in the physical world, that will be compact,
unmanned and, perhaps, with independent decision-making capability. Could
the speed of action-reaction in future conflicts require putting humans
"out-of-the-loop"? This conclusion would be quite dangerous, because
autonomous weapon systems, in cyber and real space, will inevitably be prone
to serious hardware limitations and unreliability, design and programming
errors, deception, tampering or, simply, hacking. This ISODARCO Course aims
at understanding modern autonomous weapons technology as well as the
possibilities and prospects of related arms control limitations.

Long list of Principal Lecturers, more info, and online application
available at http://www.isodarco.it/  [PGN-ed]
