The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 68

Thursday 11 August 2016

Contents

DoJ Official Tells 100 Fed Judges to Use Tor
Joseph Cox
Delta Struggles to Take Flight After Global System Outage
ABC
El Faro Cargo Ship VDR recovered
Al Mac
Australia GPS coordinates moving—for driverless cars
ABC Australia
Millions of VW cars at risk: Wireless hack lets crooks clone Volkswagen keys
Liam Tung
Tesla Tampering
DefCon
A New Hack Can Unlock 100 Million Volkswagens
Andy Greenberg
Hack of Democrats' Accounts Was Wider Than Believed, Officials Say
NYT
More on the DNC e-mail and WikiLeaks
PGN
"Emailgate: How media mistakes created Hillary Clinton's fake, fake identity"
David Gewirtz
MICROS POS Breach
Krebs
Monitors Are Vulnerable to Hijacking and Spying
Motherboard
Irish Police systems hacked
Patrick O'Beirne
Now even your sex toys are spying on you
Zack Whittaker
Flawed Designs
ProPublica
Susan Crawford on wireless vis-a-vis cable
BackChannel
U.S. broadband: Still no ISP choice for many, especially at higher speeds
Ars Technica
Encryption's Quantum Leap: The Race to Stop the Hackers of Tomorrow
Steve Ranger
Samsung is all talk, no fix after researcher finds Pay flaw
Zack Whittaker
New Nigerian Fraud Scheme Revealed—by Self-Infection
IEEE Spectrum
Facebook will bypass web adblockers, but offer ad targeting opt-outs
TechCrunch
"Secure Boot proves insecurity of backdoors"
Fahmida Y. Rashid
Microsoft's giving you just 10 days now, not 31, to change your mind about Windows 10
Mark Hachman
Microsoft researchers enable secure data exchange in the cloud
LW
Once Taunted by Steve Jobs, Companies Are Now Big Customers of Apple
NYT
"The Internet" vs "internet" and other sundry thoughts
PGN
Re: How to hack an election in seven minutes
Ben Wofford
Re: 8-inch floppies
Dimitri Maziuk
Info on RISKS (comp.risks)

DoJ Official Tells 100 Fed Judges to Use Tor (Joseph Cox)

Henry Baker <hbaker1@pipeline.com>
Mon, 08 Aug 2016 07:26:47 -0700
FYI—Particularly important for judges [who are hiding something]

Joseph Cox, Motherboard, 6 Aug 2016
Department of Justice Official Tells Hundred Federal Judges to Use Tor
https://motherboard.vice.com/read/department-of-justice-official-tells-hundred-federal-judges-to-use-tor

The US government has a complicated relationship with Tor.  While the US is
the biggest funder of the non-profit that maintains the software, law
enforcement bodies such as the FBI are exploiting Tor browser
vulnerabilities on a huge scale to identify criminal suspects.

To add to that messy, nuanced mix, one Department of Justice official
recently personally recommended Tor to a room of over a hundred federal
judges.

Ovie Carroll, director for the Cybercrime Lab at the Department of Justice,
urged the judges to "use the TOR [sic] network to protect their personal
information on their computers, like work or home computers, against data
breaches, and the like," Judge Robert J. Bryan said in July, according to a
hearing transcript released on Friday.

"I was surprised to hear him urge the federal judges present," Bryan said.
Bryan was talking during a hearing on two motions to withdraw guilty pleas
in the FBI's recent mass hacking campaign.  In February 2015, the FBI took
over a dark web child pornography site called Playpen, and deployed malware
in an attempt to identify the site's visitors.  Bryan has presided over
several resulting cases from that investigation.

"I almost felt like saying, 'That's not a good way to protect your stuff,
because the FBI can go through it like eggshells,'" Bryan continues.  Of
course, this isn't really true: although the FBI has had some notable
successes at identifying criminal suspects on the dark web with
technological means, it is not the norm.

It's worth remembering Carroll is not the only Justice Department or US law
enforcement official to endorse Tor.  According to emails obtained by
Motherboard, one FBI agent was also an advocate of Tor.

Indeed, it would be exceptionally foolish to assume that every law
enforcement or justice official would automatically be antagonistic towards
Tor.  By its very nature, Tor is a dual-use technology; it can be used to
protect individual privacy, circumvent censorship, and obfuscate metadata.
But it can also be used by some pedophiles to remain one step ahead of the
cops.

Also, if Judge Bryan's comments are accurate, Carroll's advice may not have
been that robust anyway.  Tor is not really useful for protecting personal
information on computers, or necessarily mitigating the damage from data
breaches: those just aren't the sort of things that Tor protects against.

Regardless, it's still noteworthy to see this advice coming from a
Department of Justice official.


Delta Struggles to Take Flight After Global System Outage (ABC)

Lauren Weinstein <lauren@vortex.com>
Mon, 8 Aug 2016 07:33:59 -0700
http://abcnews.go.com/Health/wireStory/delta-grounds-flights-due-systems-problems-41198955

  Delta Air Lines delayed or canceled hundreds of flights Monday after its
  computer systems crashed, stranding thousands of passengers on a busy
  travel day.  About six hours into the outage, the airline said that
  limited flights were resuming but that delays and cancellations were
  continuing.  The Atlanta-based airline said that a power outage at a
  facility in Atlanta at around 2:30 a.m. Eastern started the cascading
  meltdown.

[Also: Delta Air Lines Computer Failure Hobbles Service]
http://www.nytimes.com/2016/08/09/business/delta-air-lines-delays-computer-failure.html


El Faro Cargo Ship VDR recovered

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 9 Aug 2016 14:53:49 -0500
Remember the cargo ship that sank off US east coast Oct 2015 during
Hurricane Joaquin?  The operators knew this bad weather was in the forecast,
and that the ship was experiencing engine troubles, not yet fixed, but they
deliberately gambled, sending the ship into harm's way, at risk of engine
failure during the worst kind of storm imaginable, according to news media
stories at the time.

A series of efforts to recover the ship's black box, called a Voyage Data
Recorder (VDR), from wreckage over 15,000 feet down on the ocean floor, finally
paid off.  US efforts included: NTSB; US Navy; US Coast Guard; Woods Hole
Oceanographic Institute; National Science Foundation (NSF); University of
Rhode Island; and Phoenix International.

More info, found so far, on NTSB web page about the El Faro continuing
investigation:

http://www.ntsb.gov/investigations/Pages/2015_elfaro_jax.aspx


Australia GPS coordinates moving—for driverless cars

Mark Thorson <eee@sonic.net>
Tue, 9 Aug 2016 17:46:27 -0700
GPS coordinates for Australia need to be updated so applications like
driverless cars can work.

http://www.abc.net.au/news/2016-07-28/why-it-matters-that-australias-coordinates-are-moving/7668014


Millions of VW cars at risk: Wireless hack lets crooks clone Volkswagen keys

Gene Wirchenko <genew@telus.net>
Thu, 11 Aug 2016 10:27:24 -0700
Liam Tung, ZDNet,  11 Aug 2016
Researchers find flaws in the keyless entry system used in around 100
million vehicles from the Volkswagen Group.
http://www.zdnet.com/article/millions-of-vw-cars-at-risk-wireless-hack-lets-crooks-clone-volkswagen-keys-at-100m/

selected text:

If you own a Volkswagen with keyless entry, it's likely to be vulnerable to
a remote-cloning attack, according to new research.

The researchers argue that, given their findings, insurance companies may
need to accept that cases that look like insurance fraud, such as a laptop
stolen from a locked car without any physical traces of a break-in, can
plausibly be an actual theft.


Tesla Tampering

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 10 Aug 2016 11:38:05 PDT
At DefCon, researchers demonstrated how they could hack the sensors to cause
a Tesla to hit an object it would otherwise avoid.  *Business Insider*
reported this, as noted in today's local *Daily Post*.


A New Hack Can Unlock 100 Million Volkswagens (Andy Greenberg)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 10 Aug 2016 14:52:36 -0600
Andy Greenberg, Wired, 08.10.16  4:29 pm.
https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/

  In 2013, when University of Birmingham computer scientist Flavio Garcia
  and a team of researchers were preparing to reveal a vulnerability that
  allowed them to start the ignition of millions of Volkswagen cars and
  drive them off without a key, they were hit with a lawsuit that delayed
  the publication of their research for two years. But that experience
  doesn't seem to have deterred Garcia and his colleagues from probing more
  of VW's flaws: Now, a year after that hack was finally publicized, Garcia
  and a new team of researchers are back with another paper that shows how
  Volkswagen left not only its ignition vulnerable but the keyless entry
  system that unlocks the vehicle's doors, too. And this time, they say, the
  flaw applies to practically every car Volkswagen has sold since 1995.


Hack of Democrats' Accounts Was Wider Than Believed, Officials Say

Monty Solomon <monty@roscom.com>
Thu, 11 Aug 2016 03:58:10 -0400
http://www.nytimes.com/2016/08/11/us/politics/democratic-party-russia-hack-cyberattack.html

A Russian cyberattack is now thought to have breached the private email
accounts of more than 100 party officials and groups.


More on the DNC e-mail leak

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 10 Aug 2016 11:31:59 PDT
Supplementing previous claims by "security experts" in U.S. intelligence
(and Democratic officials) that the Russians hacked the DNC e-mails, Julian
Assange is suggesting that the e-mails were leaked to WikiLeaks by Seth
Conrad Rich, a DNC staffer who was murdered in Washington DC on 8 Jul 2016.
A front-page blurb (with no further story inside) in today's *Daily Post* (a
free weekday paper for the Palo Alto area) notes that "Rich's death has been
explained away as a robbery, but his assailant left his watch, money, credit
cards and phone."  [PGN-ed]


"Emailgate: How media mistakes created Hillary Clinton's fake, fake identity" (David Gewirtz)

Gene Wirchenko <genew@telus.net>
Wed, 10 Aug 2016 10:22:24 -0700
   [With the Internet, you can make mistakes bigger and faster than ever!
   Or spread rumours.]

David Gewirtz for ZDNet Government, 5 Mar 2015
The media creates mythology. David Gewirtz looks at how the AP created a
new, completely false Hillary Clinton myth about a fake identity, how it's
sticking, and where it all went wrong.
http://www.zdnet.com/article/emailgate-how-media-mythology-created-hillary-clintons-fake-fake-identity/

opening text:

There is more to the Hillary Clinton personal email story than just Hillary
Clinton and her personal email use.

It's also a story about a trusted news establishment that broke a story in
the morning about the leading presumptive presidential candidate using a
fake identity, let it run through an entire day's news cycle, and then
changed that story in the same article later that evening—without ever
releasing an update or correction.

  [Reminder: the DNC e-mail hack and the Hillary e-mail hack are different
  cases, although they have the common genesis in poor system security.  PGN]


MICROS POS Breach (Krebs)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 9 Aug 2016 23:27:23 -0500
Krebs on Security reported a data breach with Oracle's MICROS Point of Sale
System.  <http://krebsonsecurity.com/>
<http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/>

MICROS is very popular in the hospitality industry, hotels, food and
beverage sales.  In 2014 they had 330,000 sites in 180 nations.

Oracle has called on 100% of the sites to change 100% of their passwords,
for 100% of their accounts.


Monitors Are Vulnerable to Hijacking and Spying (Motherboard)

Werner U <werneru@gmail.com>
Mon, 8 Aug 2016 19:11:58 +0200
(Motherboard via SlashDot)

[ ...time to return to pen and paper ?!! ]

One Billion Monitors Vulnerable to Hijacking and Spying
<https://hardware.slashdot.org/story/16/08/07/1546208/one-billion-monitors-vulnerable-to-hijacking-and-spying>

"We can now hack the monitor and you shouldn't have blind trust in those
pixels coming out of your monitor..." a security researcher tells
Motherboard.

"If you have a monitor, chances are your monitor is affected."

  A Slashdot reader quotes Motherboard's article:

 > if a hacker can get you to visit a malicious website or click on a
 > phishing link, they can then target the monitor's embedded computer,
 > specifically its firmware... the computer that controls the menu to
 > change brightness and other simple settings on the monitor.
 > The hacker can then put an implant there programmed to wait... for
 > commands sent over by a blinking pixel, which could be included in
 > any video or a website.
 > Essentially, that pixel is uploading code to the monitor.

<https://motherboard.vice.com/read/hackers-could-break-into-your-monitor-to-spy-on-you-and-manipulate-your-pixels>

 > At that point, the hacker can mess with your monitor...
 >
 > [T]his could be used to both spy on you, but also show you stuff
 > that's actually not there.  A scenario where that could dangerous
 > is if hackers mess with the monitor displaying controls for a power
 > plant, perhaps faking an emergency.  The researchers warn that this
 > is an issue that could potentially affect one billion monitors, given
 > that the most common brands all have processors that are vulnerable...

"We now live in a world where you can't trust your monitor," one researcher
told *Motherboard*, which added "we shouldn't consider monitors as
untouchable, unhackable things."


Irish Police systems hacked

"Patrick O'Beirne" <obeirne.p.r@gmail.com>
Tue, 9 Aug 2016 08:35:09 +0100
  (Translator's note: Garda = Civic Guard, i.e., police, plural Gardai)
  http://www.rte.ie/news/2016/0808/807804-garda-it-security/

Garda IT system restored following attempted hack.  Gardai revealed last
week that a new strain of malware had been found on their systems.  They
stressed that no data was compromised and that their main database, PULSE, and
the Garda website were not affected.  The Garda Computer Crime Unit is
continuing its investigation into the incident.

The malware involved was referred to as "zero day", meaning it was not
previously known.


"Now even your sex toys are spying on you" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Thu, 11 Aug 2016 10:32:28 -0700
  IoT meets Rule 34?

Zack Whittaker, ZDNet, Aug 2016
Is nothing sacred in this world?
http://www.zdnet.com/article/now-even-your-sex-toys-are-spying-on-you/

selected text:

Dubbed the "number one couple's vibrator," the We-Vibe 4 Plus is the latest
in Internet-connected sex toys. It connects wirelessly to a smartphone over
Bluetooth so a user or their partner can control the vibration intensity and
mode.  It also comes with Internet connectivity so that a long-distance
partner can control the device from anywhere.

The trouble is, it's spilling your sexual secrets to its manufacturer.
  [and presumably is easily hacked by someone who has also hacked the
  camera on your laptop?  PGN]


Flawed Designs

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 11 Aug 2016 01:11:38 -0500
https://www.propublica.org/article/looks-can-kill-the-deadly-results-of-flawed-design

I wear a hearing aid.

With it (working correctly), I hear my auto chiming, then I check visual
clues to figure out what it is complaining about.  Without the hearing aid,
all I have are the visual clues, which I might not notice as rapidly as I
would like.

If a hearing aid is not working correctly, we do not know it.  We might not
be hearing bird song, but there might not be any birds around singing.  A
mosquito makes a buzzing sound.  We might not hear that, but who knows
there's an insect around, unless it is prominent in our vision.  We only
hear rainfall, depending on which direction it is arriving from.  So if a hearing
aid is down, that may not be immediately obvious.

When is a hearing aid not working correctly?  There are several possible
causes.  We may be overdue to change the battery.  We may be overdue to
clean the ear wax out of the tubes.  So is there a technology to alert a
hearing aid user: "Hey, your hearing aid is malfunctioning."

When leaving home, push a button, hear some musical tinkle, or not—tell
us to do extra checking.

That design would not work effectively for me, as I have tinnitus, where
intermittently I am hearing some sound, which is a common sound in my life:

Air conditioner fan; alarm clock; door bell; phone ringing, etc. except that
sound is a hearing hallucination.

If the musical tone test was often played, it would get added to the tinnitus
repertoire of intermittent surprises.

I do not know what association triggers a tinnitus episode.


Susan Crawford on wireless vis-a-vis cable

Lauren Weinstein <lauren@vortex.com>
Thu, 11 Aug 2016 08:52:06 -0700
BackChannel via NNSquad

The Next Generation of Wireless—"5G"—Is All Hype.
https://backchannel.com/the-next-generation-of-wireless-5g-is-all-hype-1790239b8ca8#.13g0n83nf

  The meaning seems obvious—our current communications system is 4G, so
  of course we must already have the next generation in line. Telecom
  executives play on this perception. Lowell McAdam, the CEO of Verizon,
  says 5G is "wireless fiber." (And I thought fiber was fiber.) SK Telecom
  says it will soon be able to transfer holograms and enable virtual reality
  over 5G networks that are 100 times faster than current 4G LTE
  connections. Noise about 5G is incessant and triumphant, a constant
  drumbeat of predictions crowing about the arrival any day now of seemingly
  costless, ubiquitous, instantaneous, unlimited connectivity.  The promises
  are as lofty as those made for cold fusion. But the science behind that
  "breakthrough" turned out to be a bust.  Likewise, the "5G" story is far
  more complex, calculated, and contingent than anyone in the carriers' PR
  departments wants you to know.


U.S. broadband: Still no ISP choice for many, especially at higher speeds

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Aug 2016 09:47:54 -0700
http://arstechnica.com/information-technology/2016/08/us-broadband-still-no-isp-choice-for-many-especially-at-higher-speeds/

  The latest Federal Communications Commission statistics show that
  Americans still have little choice of high-speed broadband providers.  On
  the surface, the numbers appear to show that the broadband market has
  gotten slightly less competitive since 2013. But what has really happened
  is the FCC is collecting more granular data that better illustrates the
  lack of choice for most Americans. Things are probably getting a little
  better as providers boost speeds and new entrants like Google Fiber and
  municipal ISPs offer service.  But the FCC's improved statistical analysis
  shows how far there is to go.


Encryption's Quantum Leap: The Race to Stop the Hackers of Tomorrow (Steve Ranger)

"ACM TechNews" <technews-editor@acm.org>
Mon, 8 Aug 2016 12:14:55 -0400 (EDT)
Steve Ranger, ZDNet, 2 Aug 2016 via ACM TechNews, Monday, August 8, 2016

Researchers are looking into the construction of new quantum-proof
cryptography in order to thwart quantum-based schemes that future hackers
could potentially use to crack sensitive data.  "If large-scale quantum
computers are ever built, they will be able to break many of the public-key
cryptosystems currently in use," warns the U.S. National Institute of
Standards and Technology (NIST).  "This would seriously compromise the
confidentiality and integrity of digital communications on the Internet and
elsewhere."  NIST is requesting comments on a new process to find and assess
public-key cryptographic algorithms that quantum computers cannot decrypt.
NIST's goal is to create systems that are resistant to both quantum and
classical computers, as well as interoperable with existing communications
protocols and networks.  The agency is investigating preliminary evaluation
criteria for quantum-resistant public-key cryptography standards, which is
slated for finalization by year's end.  NIST then will start accepting
proposals for such encryption, digital signatures, and key exchange
algorithms, with a deadline in late 2017, followed by three to five years of
public scrutiny before their acceptance as standards.


"Samsung is all talk, no fix after researcher finds Pay flaw"

Gene Wirchenko <genew@telus.net>
Wed, 10 Aug 2016 09:58:37 -0700
Zack Whittaker for Zero Day, How secure is "secure enough"?, ZDNet, 9 Aug 2016
http://www.zdnet.com/article/all-talk-little-action-samsung-shows-how-not-to-do-security/

selected text:

In security, how a company responds to a potential flaw matters.  Samsung
may learn that lesson as it dueled on social media after a researcher
revealed a flaw in Samsung Pay.  Or as one security researcher told me this
afternoon, "it's a pity that Samsung's going for security-by-public-denial."


New Nigerian Fraud Scheme Revealed—by Self-Infection

Werner U <werneru@gmail.com>
Mon, 8 Aug 2016 18:15:21 +0200
 (IEEE Spectrum via SlashDot)
<https://yro.slashdot.org/story/16/08/06/1634220/nigerian-scammers-infect-themselves-with-own-malware-reveal-new-fraud-scheme>

"A pair of security researchers recently uncovered a Nigerian scammer ring
that they say operates a new kind of attack...after a few of its members
accidentally infected themselves with their own malware," reports IEEE
Spectrum. "Over the past several months, they've watched from a virtual
front-row seat as members used this technique to steal hundreds of thousands
of dollars from small and medium-sized businesses worldwide." Wave723
writes:

 > Nigerian scammers are becoming more sophisticated, moving on from former
 > 'spoofing' attacks in which they impersonated a CEO's email from an
 > external account. Now, they've begun to infiltrate employee email
 > accounts to monitor financial transactions and slip in their own routing
 > and account info...The researchers estimate this particular ring of
 > criminals earns about US $3 million from the scheme.

After they infected their own system, the scammers' malware uploaded
screenshots and all of their keystrokes to an open web database, including
their training sessions for future scammers and the re-routing of a $400,000
payment. Yet the scammers actually "appear to be 'family men' in their late
20s to 40s who are well-respected, church-going figures in their
communities," according to the article. SecureWorks malware researcher Joe
Stewart says the scammers are "increasing the economic potential of the
region they're living in by doing this, and I think they feel somewhat of a
duty to do this."


Facebook will bypass web adblockers, but offer ad targeting opt-outs

Lauren Weinstein <lauren@vortex.com>
Tue, 9 Aug 2016 07:16:49 -0700
TechCrunch via NNSquad
https://techcrunch.com/2016/08/09/facebook-will-bypass-web-adblockers-but-offer-ad-targeting-opt-outs/

  Facebook is making the HTML of its web ads indistinguishable from organic
  content so it can slip by adblockers. But in exchange for taking away this
  option for controlling ads from people, it's allowing them to opt-out of ad
  targeting categories and Custom Audience customer lists uploaded by
  advertisers. Today all desktop users will see an announcement atop the
  News Feed explaining that while web adblockers may no longer work, they
  can visit their Ad Preferences settings to block ads from particular
  businesses.

It should be noted that Google has *long* offered detailed controls to users
over both local and third-party ad targeting, at:
https://www.google.com/settings/ads


"Secure Boot proves insecurity of backdoors" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Thu, 11 Aug 2016 09:45:27 -0700
Fahmida Y. Rashid, InfoWorld, 11 Aug 2016

Microsoft's Secure Boot prevents unauthorized software from running
on Windows systems, but a leaked superpolicy bypasses those restrictions
http://www.infoworld.com/article/3106079/security/secure-boot-proves-insecurity-of-backdoors.html

selected text:

Microsoft's mistake with Secure Boot and its secret policy is a perfect
illustration of why it's too dangerous to create encryption systems with a
secure backdoor. Someone will inevitably make a mistake, and users are left
vulnerable while the company scrambles for a fix.

"This is a perfect real-world example about why your idea of backdooring
cryptosystems with a 'secure golden key' is very bad!"  the researchers said
in a pointed message to the FBI.

  [PGN notes other sources:]
http://appleinsider.com/articles/16/08/10/oops-microsoft-leaks-its-golden-key-unlocking-windows-secure-boot-and-exposing-the-danger-of-backdoors
http://arstechnica.co.uk/security/2016/08/microsoft-secure-boot-firmware-snafu-leaks-golden-key/


Microsoft's giving you just 10 days now, not 31, to change your mind about Windows 10 (Mark Hachman)

Gene Wirchenko <genew@telus.net>
Mon, 08 Aug 2016 09:55:39 -0700
Mark Hachman, Senior Editor, PCWorld, 5 Aug 2016
The new policy means that you have until August 12 to decide whether you
like Windows 10.
http://www.pcworld.com/article/3104919/windows/microsofts-giving-you-just-10-days-now-not-31-to-change-your-mind-about-windows-10.html

opening text:

Microsoft has hidden a new downgrade policy within the Windows 10
Anniversary Update: Once you've installed it, you'll only have 10 days to
downgrade to an earlier version or build, rather than the 31 days provided
before.

Historically, Microsoft had given users a full month to roll back any
updates, including upgrades to Windows 10. Supersite for Windows reported
this week, however, that it was unable to downgrade to an earlier build
after a 10-day limit had expired, though it wasn't exactly clear what builds
the limit applied to.

We asked Microsoft for clarification, and it boils down to this: Applying
the Anniversary Update triggers the new policy. According to Microsoft, it
doesn't matter whether you've upgraded to Windows 10 from Windows 8 or
Windows 7, or whether you simply updated your PC from an earlier version of
Windows 10. Once you've installed the Anniversary Update, you have 10 days
to back out, not 31, before the AU becomes "permanent."

"[T]his new 10-day behavior is for all upgrades and updates to the
Anniversary Update," the representative said in an email.


Microsoft researchers enable secure data exchange in the cloud

Lauren Weinstein <lauren@vortex.com>
Tue, 9 Aug 2016 21:03:31 -0700
https://www.microsoft.com/en-us/research/microsoft-researchers-enable-secure-data-exchange-cloud/?tduid=(ab98ed1e001ac82e561d59468b39dda4)(256380)(2459594)(TnL5HPStwNw-9G8wAMniIj98.mEDeTS.3A)()

  In the future, machine learning algorithms may examine our genomes to
  determine our susceptibility to maladies such as heart disease and cancer.
  Between now and then, computer scientists need to train the algorithms on
  genetic data, bundles of which are increasingly stored encrypted and
  secure in the cloud along with financial records, vacation photos and
  other bits and bytes of digitized information.  And there the data sits,
  full of potential but ultimately of little use to anyone but its owner.
  That's because encrypted data must first be decrypted before it can be
  used.  But decrypted data is vulnerable to malicious attacks, which
  creates a tradeoff between data usability and security.  New research from
  Microsoft aims to unlock the full value of encrypted data by using the
  cloud itself to perform secure data trades between multiple willing
  parties in a way that provides users full control over how much
  information the exchange reveals.

    [Gnomes in the Genomes?  PGN]


Once Taunted by Steve Jobs, Companies Are Now Big Customers of Apple

Monty Solomon <monty@roscom.com>
Tue, 9 Aug 2016 08:18:23 -0400
Corporations are turning to Apple's products for their tight-knit hardware and software, advanced security and intuitive interfaces.
http://www.nytimes.com/2016/08/08/technology/once-taunted-by-steve-jobs-companies-are-now-big-customers-of-apple.html


"The Internet" vs "internet" and other sundry thoughts (Re: R 29 67)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 11 Aug 2016 9:33:19 PDT
I concede that my mini-editorial in RISKS-29.67 might have been a little
over the top.  I have certainly overgeneralized with respect to the British
usage, for I know Brits and others who agree with me that coined-word
acronyms composed of proper nouns and proper names deserve initial caps.
However, let's see what we might agree upon.  Here's my current thinking.
[Contributions of others are mostly indented.  Square brackets surround my
interspersed annotations.]

Regarding "The Internet", there is a big difference between The Internet
specifically and any one of a variety of possibly less comprehensive
internet(works) of networks.

Regarding initial capitalization of proper nouns and proper names, Lauren
Weinstein observes the difference between "The U.S. Congress" and just plain
"congress".  (However, perhaps we should refer to the former as the
U.S. congress, considering its "improper" recalcitrance as an impediment to
progress.)

Dictionary.com distinguishes among abbreviations (U.S.), acronyms (OPEC,
loran, snafu) that are pronounceable words, and initialisms (FBI, CIA) that
are not pronounceable.  However, an *initialism* may actually become an
acronym when the word becomes part of the language.  The difference lies in
how the literal string is pronounced (see below).

The word "acronym" seems to be defined in many different ways.  Here's one
that is not quite right:

* From WordNet (r) 3.0 (2006):

  acronym (n1):
  a word formed from the initial letters of the several words in the name

* Dictionary.com has this definition of "initialism":

  Initialism:
  a set of initials representing a name, organization, or the like, with
  each letter *pronounced separately*, as FBI for Federal Bureau of
  Investigation.

There are various quirks here.  Some acronyms use letters other than the
initial letters; also, it is not clear what constitutes a "name" or a "word"
-- and in what language.  Also, "initials" usually refers specifically to
the first letters of names, as in PGN, which leaves a question of whether to
omit particles in multi-word complex names that are often lower-cased (von,
de la, prepositions, and so on).

Here are two self-defining acronyms:

  ACRONYM—Abbreviated Coded Rendition Of Name Yielding Meaning (acronym)

  ACRONYM—Abbreviation by CROping Names that Yield Meaning (acronym
  if you ignore the "initial letter" restriction)

These are examples of "Backronyms"—in that the expansion has been
constructed from the word, rather than the other way around.

Then there are the issues with upper-case versus lower-case, which began
here with "The Internet" as a proper name, and considered further below.
Dictionary.com gives the example of "Wac" for the Women's Army Corps, rather
than "WAC" (as an acronym).  It would seem more logical that the case of a
letter in an acronym should reflect the case of each letter being
acronymized (as in WAC, the "CRO" in ACRONYM above, or "DoD" for the
Department of Defense).  Thus, "loran" and "snafu" seem natural as
all-lower-case acronyms because the expansion has all lower-case letters.

The same should be true of initialisms (e.g., DoD)!  Gee whiz, it seems
"DoD" could be an abbreviation, an acronym if you confusedly pronounced it
as "dod", but certainly an initialism (D.o.D).  Note that "US" would be an
acronym (although very confusing if pronounced "us" when it really refers to
those of *us* in the U.S.), which is why we prefer "U.S."  It is also an
abbreviation—but should never be lower-cased!  In general, pronounceable
two-letter acronyms are terrible without the periods, but F.B.I. as an
initialism with periods would seem like overkill, because there is no
ambiguity with "FBI".  Pronounceable three-letter acronyms (TLAs) that are
lower-cased and words with a completely different meaning would also seem to
be very bad.  But the recursive acronym GNU is really lovely ("GNU is Not
Unix").

  Delightfully, Jay Ashworth <jra@baylink.com> recalls the following
  definition, probably from his high-school English: an acronym is
  "something that has been adopted as a full-fledged word into the parent
  language, which started life as an initialism."  Maybe that's useful, but
  not definitive—as there seem to be some corner cases.  Jay also offered
  this pithy thought: "The confusion comes because unpronounceable
  initialisms—those which must be pronounced as their component letters
  —nearly never get promoted to actual acronym words."

All of this reminds me (noted in RISKS-29.67) of the difference between ACL
(access-control list, generally pronounced "ackle" but not a word) and RNG
(random-number generator, generally pronounced "R.N.G.").  Thus ACL and RNG
are both acronyms (if you were to pronounce the latter as "orange"), whereas
RNG is *also* more widely thought of as an initialism.  Thus, my pun about
"comparing ACLs and RNGs" is even more of a type mismatch than it might seem.
Furthermore, certain acronyms may also be considered to be initialisms
depending on how they are (mis)pronounced.  Also, what about "gif" and "GIF"
for graphics interface format, pronounced as gif (respecting that the g in
graphics is hard, but nevertheless pronounceable) or jif (oddly, which
actually is a slang word), or G.I.F., according to your upbringing.  Thus,
"gif" could be an acronym, or an initialism, or both!

Here's an example of how pronunciation might make a difference:

  VERA, or V.E.R.A.—Virtual Entity of Relevant Acronyms (a pronounceable
  word/name as an acronym in some languages, or initialism, respectively)

Here are some further replies to my previous posting:

* Martyn Thomas <martyn@thomas-associates.co.uk> notes:

  *Hart's Rules* has "Internet" as the preferred spelling.
  I'd back OUP over AP as the arbiter.

* Peter Simpson <PSimpson@continuuminnovation.com>

  My son learned this in the Army: an Acronym is a pronounceable sequence of
  initial letters.  e.g.: NASA, vs an "Initialism"—which is not
  pronounceable. e.g.: NFPA.

[The military is of course very dependent on acronyms and initialisms, and
perhaps *could not exist* without them.  However, it is certainly curious
that I am devoting space in RISKS as a consequence of the dispute over "The
Internet" vs "the internet" (as opposed to the perfectly sensible "an
internet").  PGN]

* "Richard S. Russell" <RichardSRussell@tds.net>

  My own pet peeve about TLAs (three-letter abbreviations [actually
  a three-letter acronym and three initialisms in the present context.
  PGN]) involves redundancy [in the N, D, M, and P (albeit "plait" in
  French) to be explicit.  PGN]:

    *PIN* number, *GED* diploma, *ATM* machine, and *please RSVP*
    are all overkill—which hasn't seemed to slow anybody down any.

* Richard Russell also added:

  One additional trivium: The Bush/Cheney Administration had approved the
  name Operation Iraqi Liberation for its 2003 invasion of Iraq until
  someone pointed out what the acronym would be [OIL], whereupon it was
  changed to Operation Iraqi Freedom [OIF, an initialism!].

* Stephen-Payne@deshaw.com :

  I heartily agree that not capitalising acronyms is weird. It can stir up a
  lot of emotion, not least of all, in myself.

Stephen suggested and heartily "recommends this book for when one's blood
doth boil over abuse of the written word":

  Language Myths, Laurie Bauer (Editor), Peter Trudgill (Editor),
  ISBN-13: 978-0140260236, ISBN-10: 0140260234

* "Wendy M. Grossman" <wendyg@pelicancrossing.net>

  ... I think ["the internet"] wrong, too.  But as a freelance, I note that
  just about every publication I write for wants "internet" and refusing to
  observe house style makes more work for copy editors, and you just make
  your work that bit less salable.

  ... But the reality if you are anyone writing for the media is that there
  are bigger battles to fight over what gets published, and this is not one
  worth fighting. Save it for when the AP style book comes up for review.

[Note: Wendy lives in England.]

* "Denning, Dorothy (CIV)" <dedennin@nps.edu>

  I always write "the Internet," but for the fun of it, I googled (or should
  I write "Googled"?) "define internet" (intentionally using lower case
  "i"). The top returns (including Dictionary.com, Merriam-Webster, Oxford)
  used *uppercase* "I," though Dictionary.com noted that "While the
  uppercase form Internet may still be preferred in formal writing, the
  lowercase form internet is regularly used in media, especially
  technology-related publications, and in most informal writing such as
  email and text messages."

* Peter Simpson <PSimpson@continuuminnovation.com>:

  The Internet should always be capitalized...if only because of this episode
  of The IT Crowd:
  https://www.youtube.com/watch?v=xtke8aB0mxk

* "David Harley" <david.a.harley@gmail.com>:

  Like U.S. publishing bodies in general, let alone the AP, even show
  respect for British usage, let alone 'cave in' to it? And where did you
  get your curious notion of what British usage is?

  Strangely, despite having been a 'brit' for all of my 67 years, I agree
  that 'the Internet' is not only grammatically but logically correct. Nor
  can I find much love in my heart for the current trend towards lower-case
  brand names, or 'downcasing' of acronyms and initialisms, while N.S.A. and
  S.R.I. just look silly, as does Darpa. But why on earth are you blaming
  the British for it? In nearly fifty years of authoring and editing, I've
  had my share of battles with copy editors and copywriters who prioritized
  someone's view of 'readability' over 'real' English, but I've never had a
  publishing drone on either side of the Atlantic insist on nsa or nasa, let
  alone any horrible hybrids. And certainly none of the UK newspapers and
  magazines I read follow that usage. Perhaps I read the wrong periodicals
  and books, though as far as I can see even the tabloids don't seem to go
  this route...

  As for Argentyne, there's an etymological justification for that
  pronunciation (not to mention rulings by Merriam-Webster), though
  personally I'd say Argentinian and restrict my use of argentine to its
  archaic meaning.  Hopefully you didn't mean to give the impression that we
  spell it like that.

* Jay Ashworth added this:

  Concerning Argent'y'ne, it's worth noting that the demonym for a people is
  actually a separate word from the name of their country, and is often
  different—sometimes wildly different—and that's even before we get
  to "which language are you saying it in?"

* Continuing with David Harley's comments:

  Perhaps I'm missing some subtle satirical point here, but from my side of
  the Atlantic, this looks like irresponsible abuse of editorial privilege
  to air a gratuitous anti-British rant based on misinformation. For a
  minute there, I thought I was on Facebook.

Incidentally, my website <http://www.csl.sri.com/hyphen.html> has a rant on
hyphenation that began from noting the French word "email" and suggesting
that "e-mail" might be preferable for how you might be receiving RISKS,
because we have a slew of really ambiguous words when prefixed with an "e",
such as "I am e-numerate because I can enumerate."  [Yes, I can equip you
with an e-quip.]  (I clearly lost the battle on that rant.)

Indeed, as I said at the beginning of this message, I concede that my
mini-editorial in RISKS-29.67 was rather over the *top*.  So I am running
this follow-up near the *bottom* of RISKS-29.68.  Many thanks to all of you
who have responded.  It was educational for me, at least, in trying to make
some sense out of all this.  I hope this has not bored you—it actually
seems better than just pedantic.  However, if you wish, you may throw sundry
(sun-dry?) tomatoes at me.  PGN


Re: How to hack an election in seven minutes (Ben Wofford)

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Wed, 10 Aug 2016 09:05:33 +0200
Several European countries have abandoned electronic voting in favor of
paper ballots exactly due to the concerns exposed in the article (and some
talk about Internet voting, but that's another story).

What's wrong with paper ballots, anyway?  I see two *wrongs* (!):

* There is no profit to be made by tech companies supplying equipment.
* The media will be unhappy having to wait a few more hours for the results.


Re: 8-inch floppies (Jacobson, RISKS-29.67)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 9 Aug 2016 12:30:08 -0500
One wonders how many North Korean Russian Iranian Chinese hackers even
know what a Series 1 is, much less how to hack into one.
