The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 63

Thursday 21 July 2016

Contents

More on Web-Impac's voter software
PGN
EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment
EFF
Laugh of the Day: Snowden Designs a Device to Warn If Your iPhone's Radios Are Snitching
*WiReD* via NNSquad
MIT Says Their Anonymity Network Is More Secure Than Tor
PC-Magazine
US government declares ransomware a breach by default
Kevin Fu
"Apple patent could prevent 'illegal' iPhone recording"
Zack Whittaker
M&S: an unacceptable extremely unfortunate error
Mark Vandevelde
"This Android Trojan blocks victims from alerting banks"
Michael Kan
"Salesforce1 update will leave many mobile devices out in the cold"
Katherine Noyes
Security Researcher Publishes How-To Guide To Crack Android Full Disk Encryption
SlashDot
"Here's how secret voice commands in YouTube videos could hijack your smartphone"
Michael Kan
Study: 98% of us will sign away our firstborn because we don't read the terms of service
Consumerist via Gabe Goldberg
Password Reuse Tool "Shard" Makes It Easy To ID Vulnerable Accounts On Other Sites
Dan Goodin
You've been punked: Company boasts of experimenting on us with fake videos
Gabe Goldberg
Bloomberg: Do You Own Your Own Fingerprints?
Gabe Goldberg
Critical bug threatens to bite mobile phones and networks
Ars
Study: 78% of Resold Drives Still Contain Readable Personal or Business Data
SlashDot
"Oracle issues largest patch bundle ever, fixing 276 security flaws"
Lucian Constantin
How Oracle's business as usual is threatening to kill Java
Ars
Lenovo Scrambling To Get a Fix For BIOS Vulnerability
Richard Chirgwin
A New Corporate AI Can Read Your Emails - and Your Mind
Fortune
Steam Warns Users Against Gambling Site After YouTube Stars Discovered As Owners
EuroGamer
"Amazon isn't saying if Echo has been wiretapped"
Zack Whittaker
Security researcher gets threats over Amazon review
TechCrunch
"Hidden 'backdoor' in Dell security software gives hackers full access"
Zack Whittaker
Apple Patents Technology To Disable iPhone Cameras At Concerts
Stereogum via Gabe Goldberg
Congressman Wants Ransomware Attacks To Trigger Breach Notifications
BeauJD
The midnight rollover problem—solved
Paul Robinson
Google's My Activity Reveals How Much It Knows About You
SlashDot
Europe's 'Net Neutrality' Rules Fail to Ban Throttling
SlashDot
"How Ancient Monopolies Keep You from Getting Decent Internet Service"
LW
UN Council: Seriously, Nations, Stop Switching Off the Internet!
The Register
For Facebook, violating users' privacy is going to backfire someday
Evan Schuman
The Man Who Nailed Jello to the Wall
Foreign Policy via Suzanne Johnson
How China Took Control of Bitcoin
NYTimes
"Even in remotest Africa, Windows 10 nagware ruins your day: Update burns satellite link cash"
Iain Thomson
"Win7 and 8.1 patch KB 3173040 throws full-screen Win10 upgrade warning"
InfoWorld
"Dell stops selling Android devices, won't deliver patches"
Agam Shah
"Why CIOs should care about click fraud"
Paul Rubens
Ashley Madison Admits It Lured Customers With 70,000 Fake 'Fembots'
Ars Technica
Risk of being sent to house address 404 if Page Not Found
Dan Jacobson
chmod 0
Dan Jacobson
Re: Stanford Mall robot runs over small child
Ian Macky
Re: Self-driving cars, accepting the moral dilemma
David Mitchell
Re: UK bill introduces 10 year prison sentence for online pirates
Keith Medcalf
Re: Faulty image analysis software may invalidate 40,000 fMRI studies
Amos Shapir
Re: Dallas Shooter Killed By Bomb Robot In Policing First
Gary Barnes
Amos Shapir
Info on RISKS (comp.risks)

More on Web-Impac's voter software (RISKS-29.60)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 21 Jul 2016 10:44:59 PDT
  We noted previously that Web-Impac's software allows voters to cast
  arbitrarily many votes, in a variety of ways.  Here's a little more on how
  that can be done.  As it is implemented, this system is some combination
  of ridiculous, incredible, stupid, absurd, insane, bad joke, and more.
  PGN

If you would like to configure your browser to vote automatically for
Hillary or Donald, go to the URL
  http://www.widgetmgr.com/ThisOrThat/WorldVotes2016narrow.php
then open "view -> developer -> JavaScript console" (or the equivalent) on
your browser.

Cut and paste the following into the JavaScript console:

function saveClick(vote){
  var button_id = "";
  var button_number = vote;
  var url = "scripts/AJAXprocessor_totvote.php";
  $.ajax({
    type: "POST",
    async: true,
    url: url,
    data: {actiontype: "process_vote", button_id: button_id,
           button_number: button_number, rand: rand()},
    beforeSend: function (request) {
    },
    success: function(jsonresult){
      try {
        var result = JSON.parse(jsonresult);
        document.getElementById("result1").innerHTML = result[1]["clinton_votes"];
        document.getElementById("result2").innerHTML = result[1]["trump_votes"];
      } catch(err) {
      }
    },
    error: function(XMLHttpRequest, textStatus, errorThrown) {
      saveClick(1);
    }
  }); //ajax
}

function sleep(ms) {
  var start = new Date().getTime();
  for (var i = 0; i < 1e7; i++) {
    if ((new Date().getTime() - start) > ms){
      break;
    }
  }
}

for (var i=1; i<10000; i++) {
  try {
    saveClick(1);  // This votes for Clinton. To vote for Trump, substitute saveClick(2)
  } catch(err) {
    sleep(500);
  }
}

If you want to vote for Trump instead of Clinton, substitute saveClick(2)
in place of saveClick(1).
If you want to vote randomly, substitute
saveClick(1+Math.floor(rand()/50000)).

This will cast about 10,000 votes for the candidate of your choice, one vote
every few seconds.


EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment

*EFF Press* <press@eff.org>
Thursday, July 21, 2016
Contact: Kit Walsh, Staff Attorney, kit@eff.org    +1 415-436-9333 x162
Adam Schwartz, Senior Staff Attorney, adam@eff.org +1 415-436-9333 x176
Corynne McSherry, Legal Director, corynne@eff.org  +1 415-436-9333 x122

EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions
Violate the First Amendment
Future of Technology and How It's Used Is At Stake

The Electronic Frontier Foundation (EFF) sued the U.S. government today on
behalf of technology creators and researchers to overturn onerous provisions
of copyright law that violate the First Amendment.

EFF's lawsuit <https://www.eff.org/document/1201-complaint>, filed with
co-counsel Brian Willen, Stephen Gikow, and Lauren Gallo White of Wilson
Sonsini Goodrich & Rosati, challenges the anti-circumvention
<https://www.eff.org/issues/drm> and anti-trafficking provisions of the
18-year-old Digital Millennium Copyright Act
<https://www.eff.org/issues/dmca> (DMCA
<https://www.eff.org/issues/dmca-rulemaking>). These provisions—contained
in Section 1201 of the DMCA—make it unlawful for people to get around the
software that restricts access to lawfully-purchased copyrighted material,
such as films, songs, and the computer code that controls vehicles,
devices, and appliances. This ban applies even where people want to make
noninfringing fair uses of the materials they are accessing.

Ostensibly enacted to fight music and movie piracy, Section 1201 has long
served to restrict people's ability to access, use, and even speak out about
copyrighted materials—including the software that is increasingly
embedded in everyday things.

The law imposes a legal cloud over our rights to tinker with or repair the
devices we own, to convert videos so that they can play on multiple
platforms, remix a video, or conduct independent security research that
would reveal dangerous security flaws in our computers, cars, and medical
devices.  It criminalizes the creation of tools to let people access and use
those materials.

<https://www.eff.org/files/2014/09/16/unintendedconsequences2014.pdf>
<https://www.eff.org/deeplinks/2015/01/who-will-own-internet-things-hint-not-users>
<https://www.eff.org/deeplinks/2016/01/why-owning-your-stuff-means-owning-your-digital-freedom>
<https://www.eff.org/deeplinks/2015/11/new-dmca-ss1201-exemption-video-games-closer-look>
<https://www.eff.org/deeplinks/2015/07/jeep-hack-shows-why-dmca-must-get-out-way-vehicle-security-research>
<https://www.eff.org/deeplinks/2016/04/pacemakers-and-piracy-why-dmca-has-no-business-medical-implants>

Copyright law is supposed to exist in harmony with the First Amendment. But
the prospect of costly legal battles or criminal prosecution stymies
creators, academics, inventors, and researchers. In the complaint filed
today in U.S. District Court in Washington D.C., EFF argues that this
violates their First Amendment right to freedom of expression.

EFF Staff Attorney Kit Walsh: "The creative process requires building on
what has come before, and the First Amendment preserves our right to
transform creative works to express a new message, and to research and talk
about the computer code that controls so much of our world.  Section 1201
threatens ordinary people with financial ruin or even a prison sentence for
exercising those freedoms, and that cannot stand."

EFF is representing plaintiff Andrew 'bunnie' Huang, a prominent computer
scientist and inventor, and his company Alphamax LLC, where he is developing
devices for editing digital video streams. Those products would enable
people to make innovative uses of their paid video content, such as
captioning a presidential debate with a running Twitter comment field or
enabling remixes of high-definition video. But using or offering this
technology could run afoul of Section 1201.
<http://www.bunniestudios.com/blog/>

Huang: "Section 1201 prevents the act of creation from being spontaneous.
Nascent 1201-free ecosystems outside the U.S. are leading indicators of how
far behind the next generations of Americans will be if we don't end this
DMCA censorship. I was born into a 1201-free world, and our future
generations deserve that same freedom of thought and expression."

EFF is also representing plaintiff Matthew Green, a computer security
researcher at Johns Hopkins University who wants to make sure that we all
can trust the devices that we count on to communicate, underpin our
financial transactions, and secure our most private medical information.
Despite this work being vital for all of our safety, Green had to seek an
exemption from the Library of Congress last year for his security research.
  <https://www.cs.jhu.edu/faculty/matthew-d-green/>

Walsh: "The government cannot broadly ban protected speech and then grant a
government official excessive discretion to pick what speech will be
permitted, particularly when the rulemaking process is so onerous.  If
future generations are going to be able to understand and control their own
machines, and to participate fully in making rather than simply consuming
culture, Section 1201 has to go."

For the complaint:
https://www.eff.org/document/1201-complaint

For this release:
https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate

Electronic Frontier Foundation, 815 Eddy Street, San Francisco, CA 94109
USA.
EFF appreciates your support and respects your privacy
<https://www.eff.org/policy>.


Laugh of the Day: Snowden Designs a Device to Warn If Your iPhone's Radios Are Snitching

Lauren Weinstein <lauren@vortex.com>
July 21, 2016 at 10:49:01 AM EDT
https://www.wired.com/2016/07/snowden-designs-device-warn-iphones-radio-snitches/

  On Thursday at the MIT Media Lab, Snowden and well-known hardware hacker
  Andrew "Bunnie" Huang plan to present designs for a case-like device that
  wires into your iPhone's guts to monitor the electrical signals sent to
  its internal antennas.  The aim of that add-on, Huang and Snowden say, is
  to offer a constant check on whether your phone's radios are transmitting.

If you know anything about RF leakage and analysis, you should be laughing
your butt off like I am right now. Talk about playing people for suckers.
One obvious flaw: "extraneous" transmissions to leak data from phones
aren't even necessary. All you have to do is salt away the goodies in memory
and transmit them in the course of "routine" communications in bulk form
later.  Hell, I even noted this in my very first YouTube video "Is your cell
phone bugged?" (which, I just discovered, is still the top YouTube Search
result for that search, and now has more than a million views). I made that
thing back almost 10 years ago, long before most people had phones even
capable of running what we call malware now, when the odds of being bugged
that way were extremely low:

https://www.youtube.com/watch?v=ujosfSkHFrQ ("Is your cell phone bugged?")


MIT Says Their Anonymity Network Is More Secure Than Tor (PC-Magazine via SlashDot)

Werner <werneru@gmail.com>
Tue, 12 Jul 2016 19:17:26 +0200
<https://news.slashdot.org/story/16/07/11/2041203/mit-says-their-anonymity-network-is-more-secure-than-tor>

reporting on an article in PC Magazine:

Following the recent vulnerabilities in Tor,
<https://yro.slashdot.org/story/16/07/08/2034209/researchers-discover-over-100-tor-nodes-designed-to-spy-on-hidden-services>
...researchers at MIT's Computer Science and Artificial Intelligence
Laboratory and the Ecole Polytechnique Federale de Lausanne have been
working on a new anonymity network that they say is more secure than Tor.
<http://www.pcmag.com/news/345994/mit-researchers-devise-new-anonymity-network-following-tor-b>
While the researchers are planning to present their new system, dubbed
Riffle, at the Privacy Enhancing Technologies Symposium later this month,
<https://petsymposium.org/>
...they did say the system uses existing cryptographic techniques, but
in new ways. A series of servers are what make up Riffle, each of which
"permutes the order in which it receives messages before passing them on
to the next," according to a news release.
<http://news.mit.edu/2016/stay-anonymous-online-0711>
"For instance, messages from senders Alice, Bob, and Carol reach the
first server in the order A, B, C, that server would send them to the
second server in a different order—say C, B, A. The second server
would permute them before sending them to the third, and so on." Nobody
would know which was which by the time they exited the last server. Both
Tor and MIT's anonymity network use onion encryption. Riffle uses a
technique called verifiable shuffle in addition to onion encryption to
thwart tampering and prevent adversaries from infiltrating servers with
their own code. Last but not least, it uses authentication encryption to
verify the authenticity of an encrypted message. The researchers say
their system provides strong security while using bandwidth much more
efficiently than similar solutions.


US government declares ransomware a breach by default

Kevin Fu <kevinfu@umich.edu>
Wed, 20 Jul 2016 12:19:00 -0400
The high bit: hospitals can be fined if they are infected with ransomware
(or any malware).

The U.S. government quietly released a fact sheet on ransomware and patient
health information (PHI) last week. The Office of Civil Rights (OCR) at
Health and Human Services distributed a document that represents a sea
change in policy on breaches due to malware.  In particular, OCR explains
how malware that encrypts PHI (e.g., ransomware that breaks into a medical
device or clinical information system) is considered a breach because the
chain of custody was compromised.  Moreover, OCR artfully explains how
full-disk encryption alone is not sufficient to show a low probability of a
breach of PHI.  OCR offers tips on their expectations of forensics to show a
low probability of a breach (and therefore avoid fines).

More information at these two URLs:
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
http://go.virtalabs.com/ocr-ransomware


"Apple patent could prevent 'illegal' iPhone recording" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Wed, 29 Jun 2016 09:15:59 -0700
Zack Whittaker for Zero Day, Jun 28 2016
The patent could prevent iPhone camera from being able to record concerts
and classified facilities. Could it be used to prevent recording of
protests?
http://www.zdnet.com/article/apple-granted-patent-allowing-iphone-camera-to-be-remotely-disabled/

selected text:

The patent ... allows an iPhone or iPad camera to receive infrared data that
can be used to transmit information about an object or a place—like
providing guided tours for a museum exhibit, or offering virtual coupons in
a store or retail outlet.

But on the flip side, the patent notes that the same system can be used to
prevent capturing images or videos—such as "a concert or a classified
facility," by transmitting a signal that would disable a phone's recording
feature.

That means just as a singer or performer could prevent illegal pictures or
streams from being made, customs officials would be able to block anyone
taking photos at a port of entry or a border. What's to say that the
technology, if it ever makes it past the drawing board, won't be used by
police to prevent photos and videos from protests?

  [Earlier item from Gene:
  John Ribeiro, InfoWorld, 21 Jul 2016
  Apple recently got a patent for infrared technology that petitioners
  fear could be used to censor political dissidents, activists, and
  citizens who are recording police brutality.
  http://www.infoworld.com/article/3098393/security/petition-urges-apple-not-to-release-technology-for-jamming-phone-cameras.html]


M&S: an unacceptable extremely unfortunate error (Mark Vandevelde)

"Patrick O'Beirne" <pob@sysmod.com>
Thu, 14 Jul 2016 22:34:37 +0100
On the day of the Eusprig conference:
http://www.ft.com/cms/s/0/1fc57f26-4467-11e6-9b66-0712b3873ae1.html#axzz4E7KHOGtl

Mark Vandevelde, FT, 7 Jul 2016
Marks & Spencer takes back shop-soiled figures

"It is not good," Helen Weir, M&S's chief financial officer, told the
*Financial Times* after the error was discovered. She said she was *shocked*
when she found out that double-counting in a spreadsheet had led M&S to say
that sales had risen 1.3 per cent in the three months to July, when they had
actually fallen 0.4 per cent.

This is not just a spreadsheet error, this is a Marks & Spencer spreadsheet
error...

(Thanks to Simon Hurst for that line!)

Patrick O'Beirne, Systems Modelling Ltd, XLTest Spreadsheet Auditing
http://XLTest.com http://ie.linkedin.com/in/patrickobeirne mob:+353 86 835 2233


"This Android Trojan blocks victims from alerting banks" (Michael Kan)

Gene Wirchenko <genew@telus.net>
Fri, 15 Jul 2016 10:46:02 -0700
Michael Kan, PC World, 15 Jul 2016
Symantec has noticed a "call-barring" function in a newer version of
Android malware
http://www.pcworld.com/article/3095965/security/this-android-trojan-blocks-the-victim-from-alerting-banks.html

selected text:

A new Trojan that can steal your payment data will also try to stymie you
from alerting your bank.

Security vendor Symantec has noticed a "call-barring" function within newer
versions of the Android.Fakebank.B malware family. By including this
function, a hacker can delay the user from canceling any payment cards that
have been compromised, the company said in a blog post.

If the customer service numbers of certain banks are dialed, the Trojan will
cancel the call, Symantec said. Instead, users will have to use email or
another phone to reach their banks.


"Salesforce1 update will leave many mobile devices out in the cold" (Katherine Noyes)

Gene Wirchenko <genew@telus.net>
Thu, 21 Jul 2016 10:03:08 -0700
Katherine Noyes, InfoWorld, 15 Jul 2016
Salesforce 'has to draw the line somewhere,' one analyst says
http://www.infoworld.com/article/3095833/cloud-computing/salesforce-update-will-leave-most-android-users-out-in-the-cold.html

selected text:

An upcoming update to the Salesforce1 mobile app will dramatically reduce
the number of supported devices and effectively leave users of all but the
latest and most popular devices out in the cold.

With its Winter '17 release, due to arrive this October, Salesforce is
dropping support for all Android phones except the Samsung Galaxy S5, S6,
and S7 along with the Samsung Galaxy Note 4, Google Nexus 5X, and Google
Nexus 6P.

Following the update, the Salesforce1 downloadable app and the mobile
browser app will continue to function as normal on the newly dropped
devices, giving users "time to upgrade to a Salesforce1-supported device,"
the announcement notes. But Salesforce will no longer provide technical
support, bug fixes or enhancements.

Essentially, Salesforce is focusing its mobile efforts on the latest and
most popular devices, it said. Among users of soon-to-be-excluded devices,
however, there are already signs on Twitter of some discontent.

  Holey crap. My brand new Android phone will no longer be supported on the
  @Salesforce 1 mobile app in a few months. Not cool Salesforce.  JodieM
  (@jodiem) 13 Jul 2016


Security Researcher Publishes How-To Guide To Crack Android Full Disk Encryption (SlashDot)

Lauren Weinstein <lauren@vortex.com>
Fri, 1 Jul 2016 17:59:01 -0700
https://news.slashdot.org/story/16/07/01/2337214/security-researcher-publishes-how-to-guide-to-crack-android-full-disk-encryption

  He published a step-by-step guide on how one can break down the encryption
  protections on Android devices powered by Qualcomm Snapdragon
  processors. The source of the exploit is posted on Github.  Android's disk
  encryption on devices with Qualcomm chips is based only on your
  password. However, Android uses your password to create a 2048-bit RSA key
  (KeyMaster) derived from it instead. Qualcomm specifically runs in the
  Snapdragon TrustZone to protect critical functions like encryption and
  biometric scanning, but Beniamini discovered that it's possible to exploit
  a security flaw and retrieve the keys from TrustZone. Qualcomm runs a
  small kernel in TrustZone to offer a Trusted Execution Environment known
  as Qualcomm Secure Execution Environment (QSEE), which allows small apps
  to run inside of QSEE away from the main Android OS. Beniamini has
  detailed a way for attackers to exploit an Android kernel security flaw to
  load their own QSEE app inside this secure environment, thereby exploiting
  a privilege escalation flaw and hijacking the complete QSEE space,
  including the keys generated for full disk encryption.

   Later item from LW, 7 Jul 2016:
   Android Keystore Encryption Scheme Broken, Researchers Say
https://threatpost.com/android-keystore-encryption-scheme-broken-researchers-say/119092/

  The default implementation for KeyStore, the system in Android designed to
  store user credentials and cryptographic keys, is broken, researchers
  say. In an academic paper published this week, researchers argue that
  the particular encryption scheme that KeyStore uses fails to protect the
  integrity of keys and could be exploited to allow an attacker to modify
  stored keys through a forgery attack.


"Here's how secret voice commands in YouTube videos could hijack your smartphone" (Michael Kan)

Gene Wirchenko <genew@telus.net>
Thu, 07 Jul 2016 11:12:52 -0700
Michael Kan, PC World, 7 Jul 2016
A muffled voice buried in a YouTube video can take over your phone,
researchers say
http://www.pcworld.com/article/3092493/security/heres-how-secret-voice-commands-could-hijack-your-smarthphone.html

opening text:

Kitten videos are harmless, right? Except when they take over your phone.

Researchers have found something new to worry about on the internet.
It turns out that a muffled voice hidden in an innocuous YouTube
video could issue commands to a nearby smartphone without you even knowing it.


Study: 98% of us will sign away our firstborn because we don't read the terms of service

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Jul 2016 15:24:00 -0400
https://consumerist.com/2016/07/13/study-98-of-us-will-sign-away-our-firstborn-because-we-dont-read-the-terms-of-service/

No surprise; of course companies assume/hope we won't read these. Even
though I've read tedious stuff—found error on page 99 of a corporate
merger document; lawyer remarked he's never seen a corporate officer read
one. Found errors in 100+ page refinance package; declined some UA program
because of egregious T&Cs—mostly sigh and click these without
reading. Hate doing that but who can spend the time parsing a thousand lines
of boilerplate blather—and you can't x out disliked material, so what's
the point other than forgoing almost everything online?

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Password Reuse Tool "Shard" Makes It Easy To ID Vulnerable Accounts On Other Sites (Dan Goodin)

Werner <werneru@gmail.com>
Tue, 12 Jul 2016 20:09:54 +0200
Dan Goodin, reported on Ars Technica
<https://it.slashdot.org/story/16/07/11/2041249/password-reuse-tool-makes-it-easy-to-id-vulnerable-accounts-on-other-sites>

Over the past few months, a cluster of megabreaches has dumped account
credentials for a mind-boggling 642 million accounts into the public domain,
where they can then be used to compromise other accounts that are protected
by the same password. Now, there's software that can streamline this vicious
cycle by testing for reused passcodes on Facebook and other popular sites.
<http://arstechnica.com/security/2016/07/password-reuse-tool-makes-it-easy-to-id-vulnerable-accounts-on-other-sites/>

Shard, as the command-line tool has been dubbed,
<https://github.com/philwantsfish/shard> ...is designed to allow end users
to test if a password they use for one site is also used on Facebook,
LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told
Ars. The security researcher said he developed the tool after discovering
that the randomly generated eight-character password protecting several of
his accounts was among the more than 177 million LinkedIn passwords that
were leaked in May. "I used that password as a general password for many
services," he wrote in an e-mail. "It was a pain to remember which sites it
was shared and to change them all. I use a password manager now."

  [Reader "LieutenantLefse" commented on Ars Technica's forum:]

Mistrose wrote:
> Can we stop pushing that line "Readers are once again advised to use
> a password manager to store a unique, randomly generated password
> that's a minimum of 10 characters long and contains a mix of upper-
> and lower-case letters, numbers and special characters. Whenever
> possible, people should also use multi-factor authentication" ...
> Length is enough, as long as (a) dictionary words aren't used ...

You've called out one password misconception and perpetuated another.

You're right that it's easier to remember 14 random lowercase letters than
10 random keyboard chars (with upper/lower/numbers/punctuation).

But it's even easier to memorize 5 of the 10,000 most common dictionary
words, and that's more secure than either (of course the words must be
chosen randomly). Compare 26^14, 94^10, and 10000^5.

That said I only memorize a few key passphrases and use a password manager
for the rest - which has over 70 entries and growing.  (I couldn't memorize
them all if they were 1 char each.)


You've been punked: Company boasts of experimenting on us with fake viral videos

Gabe Goldberg <gabe@gabegold.com>
Tue, 12 Jul 2016 17:19:49 -0400
Here's another reminder that we shouldn't believe everything we watch on the
Internet.

You may remember the sensational viral video
<https://www.youtube.com/watch?v=-m3N_BnVdOI> from two years ago, in which a
man, after jumping off a cliff and into the Sydney Harbour, has a close call
with a great white shark. The footage, filmed with a GoPro, is gripping. The
man can be heard gurgling and screaming in the water as he fights off the
shark.

Or you may remember a video <https://www.youtube.com/watch?v=vT_PNKg3v7s>
from earlier this year, in which a girl, snowboarding down a slope in the
Japanese Alps, is chased by a great bear—but is totally oblivious to it
because she was singing Rihanna.

Or perhaps this video <https://www.youtube.com/watch?v=QuCiScr2tz8> of a
selfie stick fight aboard a boat between an American and Japanese tourist,
with the Japanese tourist throwing the American overboard.

These viral videos, along with five other viral videos, have been watched a
total of over 205 million times all over the world. They have also been
broadcast internationally on NBC, Fox, CBS, CNN, Sky News and ABC (US),
according to the Guardian.

<https://www.theguardian.com/technology/2016/jul/12/faking-it-headline-making-viral-video-hoaxes-were-funded-by-screen-australia>.

But here's the thing: the videos were all fake.


Bloomberg: Do You Own Your Own Fingerprints?

Gabe Goldberg <gabe@gabegold.com>
Thu, 7 Jul 2016 09:13:31 -0400
These days, many of us regularly feed pieces of ourselves into machines for
convenience and security. Our fingerprints unlock our smartphones, and
companies are experimenting with more novel biometric markers—voice,
heartbeat, grip—as ID for banking and other transactions. But there are
almost no laws in place to control how companies use such information.  Nor
is it clear what rights people have to protect scans of their retinas or the
contours of their face from cataloging by the private sector.

To read the entire article, go to http://bloom.bg/29jRkSG


Critical bug threatens to bite mobile phones and networks

Lauren Weinstein <lauren@vortex.com>
Tue, 19 Jul 2016 16:12:47 -0700
Ars via NNSquad
http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover/

  A newly disclosed vulnerability could allow attackers to seize control of
  mobile phones and key parts of the world's telecommunications
  infrastructure and make it possible to eavesdrop or disrupt entire
  networks, security experts warned Tuesday.  The bug resides in a code
  library used in a wide range of telecommunication products, including
  radios in cell towers, routers, and switches, as well as the baseband
  chips in individual phones. Although exploiting the heap overflow
  vulnerability would require great skill and resources, attackers who
  managed to succeed would have the ability to execute malicious code on
  virtually all of those devices. The code library was developed by
  Pennsylvania-based Objective Systems and is used to implement a telephony
  standard known as ASN.1, short for Abstract Syntax Notation One.


Study: 78% of Resold Drives Still Contain Readable Personal or Business Data (SlashDot)

Werner <werneru@gmail.com>
Wed, 29 Jun 2016 21:49:31 +0200
Study: 78% of Resold Drives Still Contain Readable Personal or Business Data
<https://hardware.slashdot.org/story/16/06/29/0320257/study-78-of-resold-drives-still-contain-readable-personal-or-business-data>
(Posted by BeauHD on Wednesday June 29, 2016)

itwbennett writes:

Blancco Technology Group, which specializes in data erasure, bought 200
secondhand PC storage drives (PDF)...
<https://consumermediallc.files.wordpress.com/2016/06/datastudy.pdf>
...from eBay and Craigslist to see if they could recover any of the old
data saved inside. Their findings: 78 percent of the drives contained
residual data that could be recovered,
<https://consumerist.com/2016/06/28/study-78-of-resold-drives-still-contain-readable-personal-or-business-data/>
...67 percent still held personal files, such as photos with location
indicators, resumes and financial data, and 11 percent of the drives
also contained company data, such as emails, spreadsheets and customer
information. Only 10 percent had all the data securely wiped, Blancco said.

The Consumerist points out that Blancco makes their money...
<http://www.blancco.com/en> ...from promising secure data erasure, so the
company has a "strong and vested interest in these results." As for why so
many of the drives contain unwanted information, the report says it has to
do with the difference between "deleting" data and "erasing" data. Your
files aren't actually deleted when you drag them to the Trash or Recycle
Bin, or by using the delete key—shocking, I know. You can format a drive
to erase the data, but you have to be careful of the format commands being
used. A quick format, which was used on 40% of the drives in the sample,
still leaves some residual data on the drive for someone to possibly
access. A full format, which was used on 14% of the drives, will do a better
job in removing unwanted files, but it too may still miss some crucial
information. The solution Blancco recommends: buy a tool to perform complete
data erasure.
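The difference between deleting (or quick formatting) and erasing, as an added example that is not part of the post or of Blancco's tooling: a constructed toy disk image with a directory area in front of a data area, handled four ways, and a small signature carver of the kind forensic tools use to pull files back out of the raw bytes without ever consulting the directory. The disk layout, the record format and the sample files are assumptions made for the demonstration; the JPEG and PDF magic bytes are the real ones.

```python
"""Why a deleted or quick-formatted drive still gives up its files.

Added example, not Blancco's or the article's tooling.  The disk layout is a
constructed toy (a directory area of META_SIZE bytes followed by the data
area); the file signatures are the real JPEG and PDF magic bytes, which is
all a carver needs, since it never reads the directory."""

META_SIZE = 512            # toy directory: "name:offset:length\n" records
DISK_SIZE = 8 * 1024

SIGNATURES = {             # (header, footer) pairs as used by carvers
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed sample files; the "photo" stands in for one carrying GPS EXIF tags.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0JFIF pixels, GPS exif: 37.4,-122.1\xff\xd9",
    "report.pdf": b"%PDF-1.4 customer list and salaries %%EOF",
}


def write_directory(disk, entries):
    """Rewrite the directory area only; the data area is not touched."""
    disk[:META_SIZE] = bytes(META_SIZE)
    meta = b"".join(f"{n}:{o}:{l}\n".encode() for n, (o, l) in entries.items())
    disk[:len(meta)] = meta


def list_directory(disk):
    """What a file listing shows: only what the directory records say."""
    entries = {}
    for rec in bytes(disk[:META_SIZE]).split(b"\n"):
        if b":" in rec:
            name, off, ln = rec.decode().split(":")
            entries[name] = (int(off), int(ln))
    return entries


def make_disk(files):
    """Lay out files ({name: bytes}) on a blank toy disk."""
    disk = bytearray(DISK_SIZE)
    entries, offset = {}, META_SIZE
    for name, data in files.items():
        disk[offset:offset + len(data)] = data
        entries[name] = (offset, len(data))
        offset += len(data)
    write_directory(disk, entries)
    return disk


def delete_file(disk, name):
    """rm / Recycle Bin: the record goes, the bytes stay."""
    entries = list_directory(disk)
    entries.pop(name)
    write_directory(disk, entries)


def quick_format(disk):
    """Quick format: fresh, empty filesystem structures over the same data area."""
    write_directory(disk, {})


def full_overwrite(disk):
    """Erasure: every byte of the device rewritten, not just the structures."""
    disk[:] = bytes(len(disk))


def carve(disk, max_size=DISK_SIZE):
    """Find header..footer spans in the raw bytes, filesystem ignored."""
    raw, hits = bytes(disk), []
    for kind, (head, tail) in SIGNATURES.items():
        pos = raw.find(head)
        while pos >= 0:
            end = raw.find(tail, pos + len(head), pos + max_size)
            if end < 0:                       # header without footer: try the next header
                pos = raw.find(head, pos + 1)
                continue
            hits.append((kind, pos, raw[pos:end + len(tail)]))
            pos = raw.find(head, end + len(tail))
    return sorted(hits, key=lambda h: h[1])


def verify_erased(disk):
    """Read-back check before a drive leaves the building: nothing carvable, no stray bytes."""
    return not carve(disk) and not any(bytes(disk))


def scenario():
    """Directory entry count and carvable file kinds after each handling step."""
    disk, out = make_disk(SAMPLE_FILES), {}

    def snapshot(label):
        out[label] = (len(list_directory(disk)), [k for k, _, _ in carve(disk)])

    snapshot("intact")
    delete_file(disk, "photo.jpg")
    snapshot("deleted")
    quick_format(disk)
    snapshot("quick_format")
    full_overwrite(disk)
    snapshot("full_overwrite")
    out["verified"] = verify_erased(disk)
    return out


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label:15s} {result}")
```

Run scenario() and the carver still returns both files after the delete and after the quick format, because neither step touches the data area; only the full overwrite empties it, and verify_erased() is the read-back check to run before a drive is resold. Whether an operating system's "full format" rewrites every sector depends on the OS and version, which is why the report says it too can miss data. On SSDs even a full overwrite through the filesystem is not enough, since wear levelling keeps copies in blocks the host cannot address; use the drive's own sanitize command (ATA Secure Erase, NVMe Sanitize) or a crypto-erase on a self-encrypting drive, and then verify by reading the device back.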


"Oracle issues largest patch bundle ever, fixing 276 security flaws" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Wed, 20 Jul 2016 11:07:41 -0700
Lucian Constantin, 20 Jul 2016
The patches address flaws in more than 80 products
http://www.computerworld.com/article/3098024/security/oracle-issues-largest-patch-bundle-ever-fixing-276-security-flaws.html

opening text:

Oracle has released a new quarterly batch of security updates for more than
80 products from its software portfolio, fixing 276 vulnerabilities.

This is the largest Oracle Critical Patch Update (CPU) to date. The average
number of flaws fixed per Oracle update last year was 161, according to
security vendor Qualys. Furthermore, out of the 276 security flaws fixed in
this update, 159 can be exploited remotely without authentication.

At the top of the priority list should be the Java patches, which address 13
new vulnerabilities. That's because Java is used in a lot of applications
and is installed on a large number of systems.


How Oracle's business as usual is threatening to kill Java (Ars)

Lauren Weinstein <lauren@vortex.com>
Sat, 2 Jul 2016 12:17:33 -0700
http://arstechnica.com/information-technology/2016/07/how-oracles-business-as-usual-is-threatening-to-kill-java/

  Oracle employees that worked on Java EE have told others in the community
  that they have been ordered to work on other things. There has also been
  open talk of some Java EE developers "forking" the Java platform, breaking
  off with their own implementation and abandoning compatibility with the
  20-year-old software platform acquired by Oracle with the takeover of Sun
  Microsystems six years ago. Yet Oracle remains silent about its plans for
  Java EE even as members of the governing body overseeing the Java standard
  have demanded a statement from the company.  "It's a dangerous game
  they're playing," Geir Magnusson, an independently elected member of the
  Java Community Process Executive Committee, told Ars.  "It's
  amazing--there's a company here that's making us miss Sun."

Frankly, the sooner we can get out from under Java for both client and
server apps, the better.


Lenovo Scrambling To Get a Fix For BIOS Vulnerability (Richard Chirgwin)

Werner <werneru@gmail.com>
Mon, 4 Jul 2016 23:40:49 +0200
Richard Chirgwin, *The Register* via SlashDot
  (Posted by manishs on Monday July 04, 2016)
<https://it.slashdot.org/story/16/07/04/1918235/lenovo-scrambling-to-get-a-fix-for-bios-vulnerability>

Lenovo, and possibly other PC vendors, are exposed to a UEFI bug that
can be exploited to disable firmware write-protection.
<http://www.theregister.co.uk/2016/07/04/lenovo_scrambling_to_get_a_fix_for_bios_vuln/>

If the claims made by Dmytro Oleksiuk at Github are correct, an attacker
can "disable flash write protection and infect platform firmware,
disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard,
etc.) on Windows 10 Enterprise." The reason Oleksiuk believes other
vendors are also vulnerable is that the buggy code is inherited from Intel.
<http://www.theregister.co.uk/2016/07/04/lenovo_scrambling_to_get_a_fix_for_bios_vuln/>

He writes that the SystemSmmRuntimeRt was copied from Intel reference
code. Lenovo complains in its advisory that it tried to make contact
with Oleksiuk before he published the vulnerability. The company says
the vulnerable System Management Mode software came from an upstream
BIOS vendor—making it likely that other vendors getting BIOS software
from the same outlet will also be vulnerable. There's also a hint that
Lenovo agrees with a speculation by Oleksiuk, that the code may be an
intentional backdoor: "Lenovo is engaging all of its IBVs as well as
Intel to identify or rule out any additional instances of the
vulnerability's presence in the BIOS provided to Lenovo by other IBVs,
as well as the original purpose of the vulnerable code."


A New Corporate AI Can Read Your Emails - and Your Mind (Fortune via SlashDot)

Werner <werneru@gmail.com>
Mon, 4 Jul 2016 17:02:34 +0200
[ The Thought-Police is alive ... and busier than ever ]

<https://yro.slashdot.org/story/16/07/03/1731226/a-new-corporate-ai-can-read-your-emails---and-your-mind>
(Posted by EditorDavid on Sunday July 03, 2016)

"Okay, as of last night, who were the people who were most
disgruntled...? Show me the top 10."

An anonymous Slashdot reader shares their report on a fascinating
Fortune magazine article:

"One company says it can spot 'insider threats' before they happen—by
reading all your workers' email." Working with a former CIA consultant,
Stroz Friedberg developed a software that "combs through an
organization's emails and text messages...
<http://fortune.com/insider-threats-email-scout/>
-- millions a day, the company says—looking for high usage of words
and phrases that language psychologists associate with certain mental
states and personality profiles...

"Many companies already have the ability to run keyword searches of
employees' emails, looking for worrisome words and phrases like
'embezzle' and 'I loathe this job'. But the Stroz Friedberg software,
called Scout, aspires to go a giant step further, detecting indirectly,
through unconscious syntactic and grammatical clues, workers' anger,
financial or personal stress, and other tip-offs that an employee might
be about to lose it... It uses an algorithm based on linguistic tells
found to connote feelings of victimization, anger, and blame."

The article reports that 27% of cyber-attacks "come from within," according
to a study of 562 organizations.


Steam Warns Users Against Gambling Site After YouTube Stars Discovered As Owners (EuroGamer via SlashDot)

Werner <werneru@gmail.com>
Mon, 4 Jul 2016 23:29:10 +0200
<https://games.slashdot.org/story/16/07/04/170259/steam-warns-users-against-gambling-site-after-youtube-stars-discovered-as-owners>
(Posted by manishs on Monday July 04, 2016)

Tom Phillips, reporting for EuroGamer:

Steam has begun warning users not to use a high-profile Counter-Strike:
GO gambling website after its ownership turned out to be two YouTube stars
<http://www.eurogamer.net/articles/2016-07-04-youtube-stars-criticised-after-it-emerges-they-owned-gambling-site-they-promoted>
-- who were also using YouTube to promote the site. Trevor "TmarTn"
Martin and Tom "Syndicate" Cassell are listed in newly-uncovered
business records as the president and vice-president, respectively, of
online gambling site CS:GO Lotto. The news of CS:GO Lotto's ownership
came as a surprise to viewers who have watched the pair promote the site
on their channels, where both YouTube stars can be seen gambling—and
winning big money—while using it. Neither had publicly disclosed
their full roles in the site. TmarTn had not even disclosed his videos
as being promotional tools. Attempt to log in to CS:GO Lotto now and you
are greeted with the following warning message: "The URL you are
attempting to log in to has been blocked by our moderators and staff.
This site may be engaged in phishing, scamming, spamming, or delivering
malware."


"Amazon isn't saying if Echo has been wiretapped" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Wed, 20 Jul 2016 12:24:24 -0700
Zack Whittaker for Zero Day, ZDNet, 19 Jul 2016
Its transparency reports only include data demands for its cloud-stored data.
http://www.zdnet.com/article/alexa-have-you-been-wiretapped-by-the-fbi/

selected text:

Earlier this year, Gizmodo filed a freedom of information (FOIA) request
with the FBI to see if the agency had wiretapped an Echo as part of a
criminal investigation.

The FBI neither confirmed nor denied whether it tapped the Echo.


Security researcher gets threats over Amazon review (TechCrunch)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 1 Jul 2016 16:46:43 -0600
https://techcrunch.com/2016/07/01/security-researcher-gets-threats-over-amazon-review/

  Amazon retailers sometimes go to extreme lengths to guarantee good
  reviews, as security developer Matthew Garrett recently discovered when he
  wrote a one-star review of an internet-connected electric socket. When
  Garrett politely pointed out that the socket in question was woefully
  insecure, he received emails from the manufacturer claiming that the
  review would get employees fired and that other reviewers were campaigning
  to get Garrett's review taken down.

  The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets
  you turn the power from a wall outlet on and off using your phone. It's a
  nice way to turn your lights on and off if you don't want to invest in
  smart bulbs, or to turn other plugged-in devices on and off. The AuYou
  Switch works whether or not you're home—so you can switch your lights
  on in your apartment while you're still in your office.

  But like so many Internet of Things devices, the AuYou switch seems to
  have a serious security flaw. As Garrett explains in his review, if your
  phone is connected to your home Wi-Fi, it sends the on/off command to the
  socket directly. But if you're not home, your phone sends the command to a
  server in China, which then passes the command along to the socket.

  "The command packets look like they're encrypted, but in reality there's
  no real cryptography here at all," Garrett explained in his review.


"Hidden 'backdoor' in Dell security software gives hackers full access" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Wed, 20 Jul 2016 12:34:47 -0700
Zack Whittaker for Zero Day, ZDNet, 20 Jul 2016
The critical flaw gives an attacker 'full control' of all connected devices.
http://www.zdnet.com/article/hidden-backdoor-account-found-in-dell-network-security-software/


Apple Patents Technology To Disable iPhone Cameras At Concerts

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Jul 2016 16:22:44 -0400
Imagine you've arrived at a concert venue and staked out the optimal
spot. You think you're all set until the person in front of you whips out
their phone when the show starts to record video and take pictures through
the whole damn show, and now it's too crowded for you to move.  It's
probably something you've experienced at least once given you're here at
Stereogum reading about music. Not even tall folks (excluding our own Tom
Breihan) are exempt from the Statue Of Liberty phone hold.  But Apple has
finally obtained a patent after five years that may prevent that from
happening in the future. ...

So that might be OK—assuming the technology is used /only/ at concerts
and doesn't extend to, like, disabling phone cameras during instances of
police brutality and/or sociopolitical/religious unrest. If my concert
experience has to suck in order to see and hopefully prevent the next Oscar
Grant, Eric Garner, or Walter Scott from being killed in the future, then so
be it.

http://www.stereogum.com/1885570/apple-patents-technology-to-disable-iphone-cameras-at-concerts/news/
<https://www.youtube.com/watch?v=Q2LDw5l_yMI>
<https://www.theguardian.com/us-news/video/2014/dec/04/i-cant-breathe-eric-garner-chokehold-death-video>,
<http://www.nbcnews.com/storyline/walter-scott-shooting/man-who-recorded-walter-scott-being-shot-speaks-out-n338126>


Congressman Wants Ransomware Attacks To Trigger Breach Notifications (SlashDot)

Werner <werneru@gmail.com>
Fri, 1 Jul 2016 16:30:12 +0200
  (Posted by BeauHD on Thursday June 30, 2016)
<https://yro.slashdot.org/story/16/06/30/0340220/congressman-wants-ransomware-attacks-to-trigger-breach-notifications>
Trailrunner7 quotes a report from On the Wire:

A powerful California congressman is pushing the federal government to treat
ransomware attacks on medical facilities as data breaches...
<https://www.onthewire.io/ransomware-attacks-may-trigger-breach-notifications/>
...and require notifications of patients. The pressure is coming from
Rep. Ted Lieu (D-Calif.) and follows comments from officials at the
Department of Health and Human Services about the department's plan to issue
guidance to health care organizations about ransomware attacks.  The Office
for Civil Rights section of HHS, which has responsibility for health
information privacy, will provide guidance on how to handle ransomware
attacks, and Lieu is eager to ensure that the guidance specifically
addresses how ransomware attacks relate to data breach regulations.

"I welcome the news of HHS providing guidance to health providers on a
matter that threatens so many hospital IT systems. However, we need to make
clear that ransomware is not the same as conventional breaches. The threat
to patients from ransomware is typically due to the denial of access to
their medical records and medical services. Not only could this be a threat
to privacy, but it could result in medical complications and deaths if
hospitals can't access patient information," Lieu said in a statement. He
sent a letter...
<https://lieu.house.gov/sites/lieu.house.gov/files/LIEU%20HURD%20HHS%20RANSOMWARE.pdf>
...to the deputy director for health information privacy in the Office of
Civil Rights at HHS, Deven McGraw, asking him to instruct health
organizations and providers to notify patients of an attack if it results in
a denial of access to a medical record or a loss of functionality that's
necessary to provide patient care. In the past, Lieu has called for a full
congressional investigation...
<http://www.dailydot.com/layer8/ted-lieu-oversight-vulnerability-disclosure/>
...into the aforementioned widespread flaw in global phone networks that
allows hackers to track anyone's location and spy on their phone calls and
text messages. He was also one of the first lawmakers to publicly express
his pro-encryption view...
<https://yro.slashdot.org/story/16/02/17/1347207/congressman-court-order-to-decrypt-iphone-has-far-reaching-implications>
...after a federal judge ordered Apple to help the FBI break into the San
Bernardino shooter's iPhone, saying it effectively "forces private-sector
companies like Apple to be used as an arm of law enforcement."


The midnight rollover problem - solved

Paul Robinson <paul@paul-robinson.us>
Thu, 30 Jun 2016 21:04:41 +0000 (UTC)
Eleven years ago [1] I replied to an item here about the problem of having a
nonsynchronized date and time if the date and time call is not atomic,
i.e., the date and time are not obtained in a single operation, with the
possibility that midnight could roll over between the date request and the
time request, which could lead to embarrassing results - or worse - where
someone receives a report with today's date but the time of the report is
near midnight.

Well, first, that probability is very low. In the original article I posted
here, writing a simple program using GWBasic under DOS (Windows 95 wouldn't
even exist for another six months), and using an ordinary 386/40 processor
on interpreted Basic, it could make 3,023 date and time requests, and using
Turbo Pascal (which is compiled) the worst count was 6,200 requests,
indicating for a program run every day, the probability it might happen is
once in 16.9 years.

Second, today I tried the same kind of loop using an old program, Visual
Basic 6, and an old computer, a 3.1 GHz 64-bit quad-core processor I bought
used about 4 years ago, and for doing date-time non-atomic requests, the
number of request pairs I could do in one second ranged from a low of just
over 547,000 to about 551,500.

So the probability is even lower these days. But, it's still not nil. Is
there a simple way to guarantee it cannot happen? And as it turns out, there
is.

So there is a simple way to solve the problem no matter what speed the
computer runs at, and it requires three operations in a certain order.

1. Collect the date
2. Collect the time
3. Collect the date again

Now, if the hour is 1 to 23, it can't have rolled over between events 1 and
2, so use the first date value. If the hour is 0, i.e., midnight or later, it
might have rolled over, use the second date value as a precaution.

Or simply, test for the hour being zero, if so, use date 2, else use date 1.

The nice thing about this is all you have to look at is the hour, you don't
have to compute or calculate anything, and you don't have to worry whether
or not the date rolled over, whether it has or not is completely irrelevant.

[1] "Date and Time Not Matching in COBOL", RISKS-16.70, 3 Jan 1995

Paul Robinson <paul@paul-robinson.us> - http://paul-robinson.us (My blog)
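The three-read procedure above, as an added example that is not the poster's BASIC or Pascal code: NonAtomicClock is a constructed stand-in for two separate OS calls, one returning the date and one the time, that advances a fixed step between calls so the race can be reproduced on demand instead of once in 16.9 years. The naive_stamp and safe_stamp names are mine.

```python
"""Non-atomic date/time reads and the midnight race, with the three-read fix.

Added example, not the poster's code.  The clock below stands in for a pair
of separate OS calls (DATE$ / TIME$ style) and is constructed so that time
passes between them deterministically."""
import datetime as dt


class NonAtomicClock:
    """Two separate calls, date() and time(); each one observes the clock a
    little later than the previous call (here a fixed `step`)."""

    def __init__(self, start, step=dt.timedelta(milliseconds=1)):
        self.now = start
        self.step = step

    def _observe(self):
        observed = self.now
        self.now += self.step          # time passes between the two calls
        return observed

    def date(self):
        return self._observe().date()

    def time(self):
        return self._observe().time()


def naive_stamp(clock):
    """date, then time: off by a day if midnight falls between the two calls."""
    d = clock.date()
    t = clock.time()
    return dt.datetime.combine(d, t)


def safe_stamp(clock):
    """date, time, date again.  If the hour is not 0, midnight cannot have
    passed between the first two reads, so the first date is right.  If the
    hour is 0, the time was read after midnight, so the date read after it
    is right (and equals the first date when nothing rolled over at all)."""
    d1 = clock.date()
    t = clock.time()
    d2 = clock.date()
    return dt.datetime.combine(d2 if t.hour == 0 else d1, t)


def race_before_time():
    """Clock 0.5 ms before midnight: the time read lands on the new day.
    Returns ISO strings for both results and for the instant time() ran."""
    start = dt.datetime(2016, 6, 30, 23, 59, 59, 999500)
    truth = start + dt.timedelta(milliseconds=1)          # when time() ran
    return {
        "naive": naive_stamp(NonAtomicClock(start)).isoformat(),
        "safe": safe_stamp(NonAtomicClock(start)).isoformat(),
        "truth": truth.isoformat(),
    }


def race_after_time():
    """Midnight falls between the time read and the second date read: the
    hour is 23, so the first date is the right one even though the two
    dates differ (comparing them alone would not tell you which to use)."""
    start = dt.datetime(2016, 6, 30, 23, 59, 59, 998500)
    truth = start + dt.timedelta(milliseconds=1)
    return {
        "safe": safe_stamp(NonAtomicClock(start)).isoformat(),
        "truth": truth.isoformat(),
    }


def no_race():
    """Midday: both methods agree; the third read costs nothing."""
    start = dt.datetime(2016, 6, 30, 12, 0, 0)
    return (naive_stamp(NonAtomicClock(start)).isoformat(),
            safe_stamp(NonAtomicClock(start)).isoformat())


if __name__ == "__main__":
    print(race_before_time())
    print(race_after_time())
    print(no_race())
```

The naive result in race_before_time() carries yesterday's date with a time just past midnight, the report-at-the-wrong-time case from the original item; the three-read version returns the instant the time was actually read in every case.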


Google's My Activity Reveals How Much It Knows About You (SlashDot)

Werner <werneru@gmail.com>
Fri, 1 Jul 2016 17:05:51 +0200
<https://news.slashdot.org/story/16/06/29/2038257/googles-my-activity-reveals-how-much-it-knows-about-you>
(Posted by BeauHD on Wednesday June 29, 2016)

Google has released a new section to Google's account settings, called
My Activity,
<https://myactivity.google.com/myactivity>
...which lets users review everything that Google has tracked about
their online behavior
<https://www.theguardian.com/technology/2016/jun/29/google-reveals-information-it-knows-about-you-my-activity>
-- search, YouTube, Chrome, Android, and every other Google service.
Best of all, users can edit or delete their tracked behaviors. In
addition, the My Activity tools come with new ad preferences.
<https://www.google.com/settings/u/0/ads/authenticated>
Google is now offering to use its behavioral information to tailor ads
shown across the wider non-Google internet and Google's search pages,
which until now was purely done through the use of cookies. The
difference between Google and other companies that offer ads like
Facebook is that Google is making this interest-based advertising
extension optional,
<https://www.google.com/settings/u/0/ads/anonymous?sig=ACi0TCiEU2Ol6tG17R-UvB_mhTvmWpQbgGUARs72IMgjOdo-ggvD0rEGS7ZSKr2YuNjee78ZkuCIbxJC_MOEs09hPz_Tyb6WrgkuTY3YqkVjMJedDzOoVoE&hl=en>
...or opt-in, not opt-out. There are two separate behavioral advertising
settings for users to switch on or off: signed in ads and signed out
ads. Signed in ads are those on Google services, and signed out ads are
those served by Google on third-party sites. However, if you're
conscious about your privacy, you'll probably want to stay opted out.


Europe's 'Net Neutrality' Rules Fail to Ban Throttling (SlashDot)

Werner <werneru@gmail.com>
Wed, 29 Jun 2016 21:49:21 +0200
<https://yro.slashdot.org/story/16/06/29/0834221/europes-net-neutrality-rules-fail-to-ban-bittorrent-throttling>
(Posted by manishs on Wednesday June 29, 2016)

Europe has finally agreed on a set of net neutrality rules. According to a
report on TorrentFreak, these rules offer improvements for some individual
member states, various activist groups and experts. But the current
language would also allow ISPs to throttle BitTorrent traffic permanently if
that would optimize overall "transmission quality."
<https://torrentfreak.com/europes-net-neutrality-rules-dont-ban-bittorrent-throttling-160628/>

From the report (edited):

"Europe's new net-neutrality rules should ban throttling BitTorrent, but
they don't. They leave ISPs a loophole," said Holmes Wilson of Fight for the
Future (FFTF), one of the driving forces behind the Save Net Neutrality
campaign. "ISPs can say they're doing it for 'traffic management' purposes
-- even when their networks aren't clogged, because the rules say they can
throttle to 'prevent impending network congestion,'" he adds. In addition to
file-sharing traffic, the proposed rules also allow Internet providers to
interfere with encrypted traffic including VPN connections. Since encrypted
traffic can't be classified through deep packet inspection, ISPs may choose
to de-prioritize it altogether. In theory, ISPs may choose to throttle any
type of traffic they want, as long as they frame it as a network congestion
risk. "So if your ISP is lazy, or wants to cut corners and save money, they
can throttle BitTorrent, or VPNs, or Bitcoin, or Tor, or any class of
traffic they can identify," Wilson says.


Lauren's Blog: "How Ancient Monopolies Keep You from Getting Decent Internet Service"

Lauren Weinstein <lauren@vortex.com>
Mon, 4 Jul 2016 21:15:51 -0700
http://lauren.vortex.com/2016/07/ancient-monopolies-keep-you-from-decent-internet-service

Many of us tend to assume that here in U.S. we have the most advanced
technologies on the planet. So it may be startling to learn that by global
Internet standards, numerous experts consider us to be living in something
of a Stone Age Internet nation.

The reality is stark. Many countries in the world pay far less for their
Internet services than we do, and get much faster and more reliable services
in the bargain. While many countries have set a national goal of fiber
optics directly connecting every home and business, here in the United
States phone companies still are arguing that snail's pace Net connections
should qualify as broadband.  [...]

  [Long blog item pruned for RISKS.  Please read the full version.  PGN]


UN Council: Seriously, Nations, Stop Switching Off the Internet! (The Register via SlashDot)

Werner <werneru@gmail.com>
Tue, 5 Jul 2016 00:21:30 +0200
  (Posted by EditorDavid on Sunday July 03, 2016)
<https://yro.slashdot.org/story/16/07/03/0340234/un-council-seriously-nations-stop-switching-off-the-internet>

An anonymous reader writes:

"The United Nations officially condemned the practice of countries
shutting down access to the internet
<http://www.theregister.co.uk/2016/07/01/un_officially_condemns_internet_shutdowns/>
...at a meeting of the Human Rights Council on Friday," reports the
Register newspaper, saying Friday's resolution "effectively extends
human rights held offline to the internet," including freedom of
expression. "The resolution is a much-needed response to increased
pressure on freedom of expression online in all parts of the world,"
<https://www.article19.org/resources.php/resource/38429/en/unhrc:-significant-resolution-reaffirming-human-rights-online-adopted>
...said Thomas Hughes, Executive Director of Article 19, a long-standing
British human rights group which had pushed for the resolution. "From
impunity for the killings of bloggers to laws criminalizing legitimate
dissent on social media, basic human rights principles are being
disregarded to impose greater controls over the information we see and
share online."

Thirteen countries, including Russia and China, had unsuccessfully urged
the deletion of the text guaranteeing internet access, and Article 19
says the new resolution even commits states to address "security
concerns on the Internet in accordance with their obligations to protect
freedom of expression, privacy and other human rights online." But they
also called the resolution a missed opportunity to urge states to
strengthen protections on anonymity and encryption, and to clarify the
boundaries between state and private ICT actors.


For Facebook, violating users' privacy is going to backfire someday (Evan Schuman)

Gene Wirchenko <genew@telus.net>
Wed, 06 Jul 2016 10:05:14 -0700
Evan Schuman, Computerworld, 6 Jul 2016
Eroding trust is a lot easier than restoring it
http://www.computerworld.com/article/3091763/data-privacy/for-facebook-violating-users-privacy-is-going-to-backfire-someday.html

selected text [>>> <<< added to highlight one sentence]:

A settings change at Facebook has once again put the social site in a
negative light concerning users' privacy. Someday, users just might decide
that they have had enough.

The change happened in October but was only recently noticed, according to
The Guardian: Facebook rolled out an update to its internal search engine,
letting users search the entire network for the first time. All public posts
became searchable for everyone, but private posts weren't affected. >>> When
it made the change, though, the social network also removed a privacy
setting entirely: it's now not possible to choose to hide your profile from
strangers.  <<< Every profile on Facebook now shows up when users search for
it by name, even those, like mine, with the tightest possible settings, no
friends in common, no profile picture, and no content posted. Worse, if you
then click on the profile, a large amount of information is still public:
any page I've liked, any group I've joined, and, if I had any, every friend
I have on the site.  And although I can't be added as a friend by strangers
-- thanks to the requirement that they be a friend of a friend—I can be
followed by them, letting them be notified of any future posts. That's
because, helpfully, the ability to turn off that feature isn't under privacy
but under a different tab, Followers.


The Man Who Nailed Jello to the Wall (via Dave Farber's IP)

Suzanne Johnson <fuhn@pobox.com>
Thursday, June 30, 2016
Westerners said the web could never be controlled. Lu Wei, China's departing
Internet czar, proved them all wrong.

https://foreignpolicy.com/2016/06/29/the-man-who-nailed-jello-to-the-wall-lu-wei-china-internet-czar-learns-how-to-tame-the-web/


How China Took Control of Bitcoin (NYT via SlashDot)

Werner <werneru@gmail.com>
Mon, 4 Jul 2016 19:09:27 +0200
[ Virtually Anybody (who is 'SomeBody') is after "Virtual Money" (and
all other virtual values) these days... ]

How China Took Control of Bitcoin
<https://news.slashdot.org/story/16/07/03/205202/how-china-took-control-of-bitcoin>
(Slashdot reader Rick Zeman quotes the New York Times)

In its early conception, Bitcoin was to exist beyond the control of any
single government or country. It would be based everywhere and
nowhere... Yet despite the talk of a borderless currency, a handful of
Chinese companies have effectively assumed majority control of the
Bitcoin network.
<http://www.nytimes.com/2016/07/03/business/dealbook/bitcoin-china.html>

They have done so through canny investments and vast farms of computer
servers dispersed around the country...there are fears that China's
government could decide, at some point, to pressure miners in the
country to use their influence to alter the rules of the Bitcoin
network. The government's intervention in 2013 suggests that Bitcoin is
not too small to escape notice.


"Even in remotest Africa, Windows 10 nagware ruins your day: Update burns satellite link cash"

Gene Wirchenko <genew@telus.net>
Wed, 06 Jul 2016 09:05:30 -0700
Iain Thomson, *The Register*, 3 Jun 2016

Lives could have been put at risk by pushy upgrade
http://www.theregister.co.uk/2016/06/03/windows_10_upgrade_satellite_link/

opening text:

When you're stuck in the middle of the Central African Republic (CAR) trying
to protect the wildlife from armed poachers and the Lord's Resistance Army,
then life's pretty tough. And now Microsoft has made it tougher with Windows
10 upgrades.

The Chinko Project manages roughly 17,600 square kilometres (6,795 square
miles) of rainforest and savannah in the east of the CAR, near the border
with South Sudan. Money is tight, and so is internet bandwidth. So the staff
was more than a little displeased when one of the donated laptops the team
uses began upgrading to Windows 10 automatically, pulling in gigabytes of
data over a radio link.

And it's not just bandwidth bills they have to worry about.

"If a forced upgrade happened and crashed our PCs while in the middle of
coordinating rangers under fire from armed militarized poachers, blood could
literally be on Microsoft's hands," said one member of the team.


"Win7 and 8.1 patch KB 3173040 throws full-screen Win10 upgrade warning"

Gene Wirchenko <genew@telus.net>
Fri, 01 Jul 2016 10:12:07 -0700
http://www.infoworld.com/article/3090508/microsoft-windows/win7-and-81-patch-kb-3173040-throws-full-screen-win10-upgrade-warning.html
Win7 and 8.1 patch KB 3173040 throws full-screen Win10 upgrade warning
Sorry to interrupt, but this is important ... or so says Microsoft
Woody on Windows
By Woody Leonhard
InfoWorld | Jun 30, 2016

selected text:

Microsoft just released yet another Win10 upgrade nag system, disguised as a
"Recommended" patch for Windows 7 SP1 and Windows 8.1 systems.

According to the KB 3173040 article, if you have Windows set to
automatically install updates, and have the Windows Update "Check for
updates but let me choose whether to download and install them" box checked,
your machine will suddenly sprout a full-screen purple message that says ...

No, I don't make this stuff up. You have to wonder how many TV weather
announcers, how many broadcasting game players, and how many unattended
kiosks will suddenly find themselves festooned in Microsoft upgrade
purple. I predict a field day in the mainstream press by tomorrow.


"Dell stops selling Android devices, won't deliver patches" (Agam Shah)

Gene Wirchenko <genew@telus.net>
Fri, 01 Jul 2016 10:19:44 -0700
Agam Shah, InfoWorld, 30 Jun 2016
Dell has discontinued Venue tablets with Android, and won't push out
OS upgrades to current customers
http://www.infoworld.com/article/3090544/android/dell-stops-selling-android-devices.html

Dell has stopped selling Android devices as it steps away from slate-style
tablets to focus on Windows 2-in-1 tablets.

Dell won't be offering OS upgrades to Android-based Venue tablets already
being used by customers. "For customers who own Android-based Venue
products, Dell will continue to support currently active warranty and
service contracts until they expire, but we will not be pushing out future
OS upgrades," the spokesman said.

  [Actually, maybe, the risk is not that high.  Dell makes a quality
  product.  What kind of quality?  I had a Dell desktop system, and the
  computer and laser printer packed it in within a few months of each other.
  OK, I admit I had abused the printer with high-volume printing and in the
  about 1 1/2 years I had it, I was already into my second toner cartridge.]


"Why CIOs should care about click fraud" (Paul Rubens)

Gene Wirchenko <genew@telus.net>
Tue, 05 Jul 2016 11:52:16 -0700
Paul Rubens, CIO, 4 Jul 2016
Click fraud is more than just a marketing problem—it presents a
real security risk to your organization, experts say
http://www.infoworld.com/article/3089881/malware/why-cios-should-care-about-click-fraud.html


Ashley Madison Admits It Lured Customers With 70,000 Fake 'Fembots' (Ars Technica via SlashDot)

Werner <werneru@gmail.com>
Sun, 10 Jul 2016 17:06:06 +0200
[TANSTAFS - one more TANSTAFL corollary (this S is just a 3-letter word) ;-]

 Ashley Madison Admits It Lured Customers With 70,000 Fake 'Fembots'
<https://yro.slashdot.org/story/16/07/09/1245248/ashley-madison-admits-it-lured-customers-with-70000-fake-fembots>
(Posted by EditorDavid on Saturday July 09, 2016)

America's Federal Trade Commission is now investigating the "infidelity
hookup site" Ashley Madison.

In a possibly-related development, an anonymous reader writes:

Ashley Madison's new executive team "admits that it used fembots to lure
men into paying to join the site," reports Ars Technica.
<http://arstechnica.com/tech-policy/2016/07/ashley-madison-admits-using-fembots-to-lure-men-into-spending-money/>
More than 75% of the site's customers were convinced to join by an army
of 70,000 fembot accounts, "created in dozens of languages by data entry
workers...told to populate these accounts with fake information and real
photos posted by women who had shut down their accounts on Ashley
Madison or other properties owned by Ashley Madison's parent company,
Avid Life Media... In reality, that lady was a few lines of PHP...
<https://tech.slashdot.org/story/15/09/02/032213/ashley-madison-source-code-shows-evidence-they-created-bots-to-message-men>
In internal company e-mails, executives discussed openly that only about
five percent of the site's members were real females."

EditorDavid comments:

The company only abandoned the practice in 2015,
<http://media.ashleymadison.com/avid-life-media-breaks-its-silence/>
...and CNN also reports that for years, if the site's male customers
complained, Ashley Madison "threatened to send paperwork to users' homes
<http://money.cnn.com/2016/07/08/technology/ashley-madison-dispute-bill/>
...if they disputed their bills—potentially revealing cheaters to
their spouses," while one user complained that the site also
automatically signed up customers for recurring billing. "We are not
threatening you. We are laying the facts to you..." one e-mail read,
while another warned that "We do fight all charge backs."


Risk of being sent to house address 404 if Page Not Found

Dan Jacobson <jidanni@jidanni.org>
Wed, 29 Jun 2016 11:00:04 +0800
  http://www.directionsmag.com/files/view/distmark-51zip/138895

  [You have to click on that URL to understand Dan's humor.  The resulting
  "404.  Not Found" error message automagically takes you to a map arrow
  pointing to 404 Fremont Blvd in Monterey CA.  PGN]


chmod 0

Dan Jacobson <jidanni@jidanni.org>
Sat, 02 Jul 2016 04:12:50 +0800
Kinda bored today on my Linux machine.
How about a little self-inflicted
https://en.wikipedia.org/wiki/Predicament_bondage ?
  $ chmod 0 .
OK that was fun. But now lunchtime is over, and
  $ chmod 700 .
chmod: cannot access '.': Permission denied
Uh oh.
  $ chmod 700 $PWD
Phew.
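An added example, not code from Dan's post, that reproduces the trap in a scratch directory and shows why the absolute path still works: resolving the relative path "." means looking up an entry inside the current directory, which requires search permission on that directory itself, whereas an absolute path only requires search permission on the parent directories. It assumes an unprivileged user, since root bypasses mode bits entirely.

```shell
#!/bin/sh
# Added example, not code from the RISKS post: reproduce the "chmod 0 ." trap
# in a scratch directory. Assumes an unprivileged user; root bypasses mode
# bits, so the relative-path chmod would succeed and nothing is demonstrated.

demo_chmod_zero() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "skipped-root"
        return 0
    fi
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        chmod 0 .                      # the self-inflicted predicament
        # Resolving "." means looking up an entry inside the cwd, which needs
        # search (x) permission on the cwd itself. We just removed it.
        if chmod 700 . 2>/dev/null; then rel=ok; else rel=denied; fi
        # An absolute path only needs search permission on each parent
        # directory; the final component's own mode bits are not consulted.
        if chmod 700 "$PWD" 2>/dev/null; then abs=ok; else abs=denied; fi
        printf '%s %s\n' "$rel" "$abs"
    )
    rc=$?
    rmdir "$work" 2>/dev/null
    return $rc
}

demo_chmod_zero    # prints: denied ok  (or skipped-root when run as root)
```

The same rule explains the usual escape hatches, `chmod 700 "$PWD"` or `chmod 700 ../dirname`: both avoid looking anything up inside the locked directory.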


Re: Stanford Mall robot runs over small child (RISKS-29.60)

Ian Macky <ian@macky.net>
Thu, 14 Jul 2016 18:36:49 -0700 (PDT)
> Jen Nowell, *Palo Alto Daily Post*, front page story, 13 Jun 2016 [PGN-ed]
> A 16-month-old boy was knocked over by a security robot at Stanford Shopping
> Center in Palo Alto, which then ran over him, leaving him bruised and
> scared.  The 5-foot 300-pound Knightscope K5 Robot failed to stop as it
> approached Harwin Cheng, hit him in the head, knocked him to the ground,
> and then ran over his right foot.  His mother pulled him away just as the
> robot was about to run over his left foot.

At least, that is what the parents claim, which is presented as fact.  For
balance, here is [part of] the manufacturer's response (from the *LA Times*):

  The company said the child ran toward the robot, which veered to avoid him
  as it was patrolling, and the toddler then ran backward and directly into
  the robot.  When the robot stopped, the boy fell to the ground.

  "The machine's sensors registered no vibration alert, and the machine
  motors did not fault as they would when encountering an obstacle," the
  company said in a statement.

A *Wall Street Journal* article adds:

  "Knightscope says their unit would have registered a vibration if it had
  run over his foot. Each robot has nearly 30 sensors, including lasers and
  sonar sensors, Knightscope said."

  In response to the accident, Knightscope issued its first field incident
  report in its robots' 25,000 miles of travel.  The statement says the
  machine veered to the left to avoid Harwin, but the child ran backward
  "directly" into the machine.  The machine then stopped and the child fell,
  the statement said.

Hmm.  Not so clear-cut after all.

  [Thanks for the other side.  However, perhaps removing from service all
  robots of that type was overreacting?  or CYA? PGN]


Re: Self-driving cars, accepting the moral dilemma

David Mitchell <david.robot.mitchell@gmail.com>
Fri, 15 Jul 2016 10:04:09 +0100
It occurs to me that absent a societal consensus on the correct way to
handle the moral issues arising from self-driving cars, we could make the
choice available to the driver.

Obviously, it's more complex than this in practice, but some kind of
"selfish/altruistic" switch could be either configurable per driver or
selected from the dashboard.

So, if one were driving the family, the driver could select "protect me at
all cost", and if alone, could choose "sacrifice me if there would be more
than one pedestrian casualty".

We could then judge people, morally and legally, by the choices they would
make, should it come to that.


Re: UK bill introduces 10 year prison sentence for online pirates

"Keith Medcalf" <kmedcalf@dessus.com>
Tue, 19 Jul 2016 18:53:31 -0600
  Private Interest -vs- Public Interest

This is to be expected: The private backers of the Digital Economy Bill (aka
those companies that purchased its introduction and presumably have
pre-arranged payment for its passage) have lined the Politicians' pockets
with more money than Oscar Pistorius' girlfriend.

Just proves the old adage:  you get what you pay for.

As long as we continue to allow politicians to enrich themselves through
private interest contributions to their pocketbooks, they will continue to
prefer and promulgate that which causes the largest padding of their
pocketbooks.

This is not really a risk—it is just basic human nature at work and,
where such practices are permitted, it is a certain result.


Re: Faulty image analysis software may invalidate 40,000 fMRI studies (RISKS-29.60)

Amos Shapir <amos083@gmail.com>
Fri, 15 Jul 2016 13:40:39 +0300
Like many other news items about scientific research, this article reminds
me of these immortal lines by Dorothy Parker:

  "But scientists, who ought to know,
  Assure us that it must be so.
  So let us never never doubt
  What nobody is sure about"


Re: Dallas Shooter Killed By Bomb Robot In Policing First (RISKS-29.60)

Gary Barnes <gkb@adminspotting.org>
Thu, 14 Jul 2016 23:28:46 +0100
> Bomb disposal robots (properly termed Explosive Ordnance Disposal robots)
> have been in use since 1972, when the U.S. military pioneered the
> technology.

In point of fact, their use was pioneered by British Army bomb disposal
teams in 1972, in Northern Ireland.

https://en.wikipedia.org/wiki/Wheelbarrow_(robot)


Re: Dallas Shooter Killed By Bomb Robot In Policing First (RISKS-29.60)

Amos Shapir <amos083@gmail.com>
Fri, 15 Jul 2016 13:46:25 +0300
Strictly speaking, this was not a robot but a ROV.  I'm pretty sure it was
a human operator who had pulled the trigger, just like those who operate
drones over Afghanistan.

Despite the availability of technology, it seems no one has dared (yet) to
let a real autonomous robot make the decision whom to shoot and when.
