The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 80

Monday 3 October 2016

Contents

The Deepwater Horizon movie and Boebert-Blossom book
PGN
A thought-provoking piece on collective creeping complacency
Richard Hesketh
Hoboken Train Crash
Al Mac
SpaceX fingers helium as cause of Falcon 9 rocket explosion
NewAtlas via geoff goodfellow
NTSB concludes 5 Mar 2015 Delta 1086 landing accident investigation
Al Mac
Make that traffic light green for me!
Debora Weber-Wulff
National Cyber Security Centre to shift UK to 'active' defence
The Register via Werner U
The Computer Voting Revolution Is Already Crappy, Buggy, and Obsolete
Bloomberg
Switzerland votes for meatier surveillance law by large margin
Ars Technica
Goodwill breach and more
PGN
Revealed: How one Amazon Kindle scam made millions of dollars
ZDnet
More than 400 malicious apps infiltrate Google Play
Ars Technica
BT's Wi-Fi Extender works great, at extending your password to hackers
Juhn Leyden
Criminals posing as bank customer service staff on social media
Alisha Rouse
"Microsoft finally fixes double-print bug, but more patching problems loom"
Woody Leonhard
"Armies of hacked IoT devices launch unprecedented DDoS attacks"
Lucian Constantin
Risks of using spammer URLs in posts
Keith F. Lynch
German Privacy Regulator Orders Facebook Stop Collecting German WhatsApp User Data
Werner U
"Yahoo's claim of 'state-sponsored' hackers meets with skepticism"
Michael Kan
"Yahoo says hack of 500 million users "state-sponsored", but a security firm calls bull****"
Lauren Weinstein
"Sort of gives 'driving safely' a whole new meaning"
ComputerWorld
The 15-Point Federal Checklist for Self-Driving Cars
The NYTimes
The psychological reasons behind risky password practices
Lab42
Robot Ransomware?
Robert Schaefer
Re: Krebs on Security hit by a huge DDoS attack
Peter Ludemann
Re: PC without OS
Michael Marking
Re: The risks of getting your email address wrong
DJC
Don Gingrich
Andrew Pam
Richard Bos
Info on RISKS (comp.risks)

The Deepwater Horizon movie and Boebert-Blossom book

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 1 Oct 2016 9:34:12 PDT
An interesting take on both the B-B book and the new movie:
  http://bit.ly/2dfHe8v

As I have noted here previously, the Boebert-Blossom book is extraordinarly
and carefully detailed.  However, the movie was not based on this book, but
rather on another.  And Hollywood generally has to oversimplify to reach
people to don't like or cannot deal with complexity.  Nevertheless, the
publication of the B-B book was held up for at least half a year because of
the movie—which has now opened.  The blockbuster is compelling, but
overly simplistic in that it stresses primarily only one of the major faults
-- the "seament" (underwater cement).

This URL considers both the book and the movie.


A thought-provoking piece on collective creeping complacency

<richard@hesketh.org.uk>
Sat, 1 Oct 2016 10:23:28 +0100
Blame BP for Deepwater Horizon.  But Direct Your Outrage to the Actual
Mistake.  It was years of cutting corners, not one careless mistake, that
caused the explosion.

http://www.slate.com/articles/health_and_science/science/2016/09/bp_is_to_blame_for_deepwater_horizon_but_its_mistake_was_actually_years.html

  [This is an excellent summary of the situation, especially if you are
  don't like to read books but might want to see the movie.  It is
  consistent with the detailed evidence provided by the Boebert-Blossom
  book, which suggests that assessing "blame" is the wrong way to approach
  the fiasco; the diversity of things that went wrong and were not properly
  addressed was huge, often with premeditation but sometimes in the heat of
  the moment as things progressed.  There was no one single thing that went
  wrong.  It was a collossal sequence of short-sightedensses.  See my
  previous item (above for those of you reading RISKS not undigestified).
  PGN]


Hoboken Train Crash

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Sat, 1 Oct 2016 22:54:49 -0500
One issue is how long the USA is going to continue to have serious rail
accidents, which can be prevented by technology, such as automatic braking?

According to US news media, the 29 Sep 2016 commuter train crash at New
Jersey's Hoboken Terminal, is just the latest in a series of US train
crashes which could be avoided by automatic braking.

Rescue efforts were complicated by the collapsed roof bringing live
electrical wires, and rainwater, into contact with the wreckage.  Automatic,
or more rapid cut-off, of electrical power in such a disaster, might be
another technology safety feature worth considering.

Hoboken is a major commuter transportation hub for the NYC area. In the
Hoboken crash, the train apparently arrived at the station at full speed,
instead of the usual 5-10 mph, demolishing part of the station, killing 1,
injuring 114 people, 8.45 am at height of morning commuter rush hours.
15,000 people use this station every weekday.

The train went airborne during the crash, which demolished half of the the
first car, bringing roof of car down to level of the seats.  We are lucky
the harm was not greater.

http://www.cnn.com/2016/09/29/us/new-jersey-hoboken-train-crash/

Relevant US authorities:
* NTSB: National Transportation Safety Board
  http://www.ntsb.gov/investigations/Pages/2016-hoboken-nj.aspx
* FRA: Federal Railroad Administration
  The FRA estimates that at least 300 people are injured and 10 killed
  every year 2003 to 2012 in train accidents, not counting people walking
  along the tracks, or collisions with road vehicles at highway crossings.
* State and local governments
* US Congress, and various gov agencies, have been urging for years, that
  the train industry install positive train control, to give trains
  automatic braking when conditions call for that.
* 2015 May Amtrak crash in Philadelphia killed 8 and injured 200.
* 2013 Dec, a Metro North Railroad crash killed 4 in NY.
* 2011 May there was another crash at Hoboken sending 30 passengers to
  hospitals & doing $ 352,617 damage.
* 2008 California head on collision killed 25 and injured 100.
* 1996 Feb head on collision between 2 commuter trains @ Secaucus, with
  400 passengers on the combined trains.

http://www.cnn.com/2016/09/29/us/us-commuter-train-wreck-history-trnd/
http://www.nbcnews.com/news/us-news/deadliest-train-crashes-u-s-over-past-25-years-n656826
https://en.wikipedia.org/wiki/Category:Railway_accidents_in_the_United_States

HOBOKEN, New Jersey—The National Transportation Safety Board issued an
investigative update Oct 1 about its investigation of Thursday's crash of NJ
Transit Pascack Valley Line train #1614 into the platform of the Hoboken
Terminal.

Updated information includes the following:

Investigators interviewed the accident train engineer. No interview
summaries will be provided until interviews are completed.

Environmental and structural issues still prevent removal of the train from
the station. Extensive debris removal must be completed before investigators
can access the train and then have the train removed.

With the assistance of NJ Transit, investigators obtained video from other
trains that were at the Hoboken Terminal, to see what those cameras captured
from the accident event.  The event recorder and camera from the controlling
cab of the accident train remain inaccessible to investigators.

The event recorder from the trailing locomotive #4214 has arrived at the
recorder manufacturer's facility in Kentucky and NTSB personnel are
supervising the attempted download.

There were no signal anomalies found on the tracks leading to the terminal.
A full signal study cannot yet be completed because the accident train
remains in the terminal.

Investigators completed the walking inspection of the track and found
nothing that would have affected the performance of the train.


SpaceX fingers helium as cause of Falcon 9 rocket explosion

geoff goodfellow <geoff@iconia.com>
Sun, 25 Sep 2016 10:11:12 -1000
A credible supposition as to the cause—explained in laymen's terms
-- in this article:
http://newatlas.com/spacex-falcon-9-explosion-helium/45594/


NTSB concludes 5 Mar 2015 Delta 1086 landing accident investigation

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Sat, 1 Oct 2016 21:26:13 -0500
The jet tried to land on a snow covered LaGuardia runway, but instead went
thru a fence, almost into Flushing Bay.

Rapid braking on a snow covered short runway can be challenging to the most
experienced pilots. This snow covered runway was more treacherous than as
described by other planes which landed 16 and 8 minutes earlier That can
happen when snow continues to fal, with ground crews struggling to catch up
with snow clearing.

Plane damage included communications systems, which contributed to incorrect
passenger count; delayed passenger evacuation; and delayed 1st responders.

The NTSB made 10 recommendations to the Federal Aviation Administration
<http://www.faa.gov/> , two to Boeing <http://www.boeing.com/> , one to the
U.S. operators of MD-80 series airplanes, and one to the Port Authority of
New York and New Jersey.  <http://www.panynj.gov/>

To view the accident investigation summary and resulting recommendations
visit: http://go.usa.gov/xBB9k.


Make that traffic light green for me!

weberwu <weberwu@htw-berlin.de>
Mon, 3 Oct 2016 11:11:56 +0200
The German IT news service Golem reports that the traffic lights from some
unnamed German company can be programmed remotely—by anyone, as there is
no encrypted communication.
http://www.golem.de/news/sicherheitsrisiko-baustellenampeln-gruene-welle-auf-knopfdruck-1609-123503.html

Philipp Schäfers and Sebastian Neef, both authors at Golem and IT
specialists, have been poking around and found security holes in unexpected
places such as utility companies and "uninterruptible power sources" that
were mining Bitcoins.
(http://www.golem.de/news/schwachstellen-aufgedeckt-der-leichtfertige-umgang-mit-kritischen-infrastrukturen-1607-122063.html)
http://www.golem.de/news/kritische-infrastrukturen-wenn-die-usv-kryptowaehrungen-schuerft-1608-122837.html

They found 23 traffic lights that were not secure and informed the company
that produces them. The company has to date done nothing, even though the
German federal office for IT security (BSI, Bundesamt für Sicherheit in der
Informationstechnik) has requested that they fix this pronto. The response
was just a nice thank you email, nothing more.

In Berlin we recently had the other side of the coin, the automatic traffic
speed sign system decided during rush hour that it was foggy outside, even
though we were enjoying bright sunlight. All the automatic traffic signs in
Berlin were turned down to 40 kmh (normally 80 kmh on the inner city
autobahns), causing an enormous traffic jam. I'm sure all of those stuck in
the jam wished they could make those traffic lights turn green for them as
soon as they left the highway....

Prof. Dr. Debora Weber-Wulff, HTW Berlin, Studiengang IMI, Treskowallee 8,
10313 Berlin   +49-30-5019-2320  http://www.f4.htw-berlin.de/people/weberwu/


National Cyber Security Centre to shift UK to 'active' defence

Werner U <werneru@gmail.com>
Sun, 25 Sep 2016 22:02:26 +0200
  (The Register, Sept 16)

  [ mmm... 'active' defense with 'offensive' weapons...  and the (virtual)
  Collateral Damages expected (considered and accepted) is what?!? ]

National Cyber Security Centre to shift UK to 'active' defence
Cyber chief calls for 'offensive' weapons*

16 Sep 2016 at 13:42, John Leyden <http://www.theregister.co.uk/Author/2578>

The head of the UK's new National Cyber Security Centre (NCSC) has detailed
plans to move the UK to "active cyber-defence", to better protect government
networks and improve the UK's overall security.

The strategy update by NCSC chief exec Ciaran Martin comes just weeks before
the new centre is due to open next month and days after the publication of a
damning report by the National Audit Office into the UK government's current
approach to digital security.
<https://www.cesg.gov.uk/news/new-approach-cyber-security-uk>
<http://www.theregister.co.uk/2016/09/14/cabinet_office_failing_to_coordinate_ukgovs_infosec_practices_says_national_audit_office/>

Martin called for the "development of lawful and carefully governed
offensive cyber capabilities to combat and deter the most aggressive
threats".

Active cyber defence means hacking back against attackers to disrupt
assaults, in US parlance at least. Martin defined the approach more narrowly
as "where the government takes specific action with industry to address
large-scale, non-sophisticated attacks".

During his speech at the Billington Cyber Security Summit in Washington DC,
NCSC's Martin also floated the idea of sharing government network security
tools such as DNS filters with private-sector ISPs, as previously reported
<http://www.theregister.co.uk/2016/09/14/great_british_blockoff/>.
[...]

The NCSC will act as a hub for sharing best practices in security between
public and private sectors as well as taking a lead role in national cyber
incident response. The organisation will report to GCHQ, the signals
intelligence agency.

Bootnote

The US's Cybersecurity Information Sharing Act was bitterly but ultimately
unsuccessfully opposed by privacy activists.
<http://www.theregister.co.uk/2015/12/16/congress_strips_out_privacy_protections_from_cisa_security_bill/>


The Computer Voting Revolution Is Already Crappy, Buggy, and Obsolete (Bloomberg)

Monty Solomon <monty@roscom.com>
Sat, 1 Oct 2016 22:12:57 -0400
The Computer Voting Revolution Is Already Crappy, Buggy, and Obsolete
https://www.bloomberg.com/features/2016-voting-technology/

Six days after Memphis voters went to the polls last October to elect a
mayor and other city officials, a local computer programmer named Bennie
Smith sat on his couch after work to catch up on e-mail.  The vote had gone
off about as well as elections usually do in Memphis, which means not well
at all.  The proceedings were full of the technical mishaps that have
plagued Shelby County, where Memphis is the seat, since officials switched
to electronic voting machines in 2006.  Servers froze, and the results were
hours late.  But experts at the county election commission assured both
candidates and voters that the problems were minor and the final tabulation
wasn't affected.  Shelby County uses a GEMS tabulator -” for Global Election
Management System -” which is a personal computer installed with Diebold
software that sits in a windowless room in the county's election
headquarters.  The tabulator is the brains of the system.  It monitors the
voting machines, sorts out which ma chines have delivered data and which
haven't, and tallies the results.  As voting machines check in and their
votes are included in the official count, each machine's status turns green
on the GEMS master panel.  A red light means the upload has failed.  At the
end of Memphis's election night in October 2015, there was no indication
from the technician running Shelby County's GEMS tabulator that any voting
machine hadn't checked in or that any votes had gone missing, according to
election commission e-mails obtained by Bloomberg Businessweek.  Yet as
county technicians followed up on the evidence from Smith’s poll-tape photo,
they discovered more votes that never made it into the election night count,
all from precincts with large concentrations of black voters.


Switzerland votes for meatier surveillance law by large margin (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Wed, 28 Sep 2016 12:07:31 -0700
via NNSquad
http://arstechnica.co.uk/tech-policy/2016/09/switzerland-votes-for-meatier-surveillance-law-by-large-margin/

  In total, 65.5 percent were in favour, and 34.5 percent against. Under the
  new law, Switzerland's intelligence agency, the Service de renseignement
  de la Confedration (SRC), will be allowed to break into computers and
  install malware, spy on phone and Internet communications, and place
  microphones and video cameras in private locations. "This is not
  generalised surveillance, it's letting the intelligence services do their
  job," said Swiss Christian Democratic party vice-president Yannick Buttet,
  according to the Guardian.  However, Swiss parliamentarian and leading
  member of the leftwing Social Democrats Jean Christophe Schwaab disagreed:
  "This law seeks to introduce mass observation and preventive surveillance.
  Both methods are not efficient and go against the basic rights of
  citizens."


Goodwill breach and more

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 28 Sep 2016 11:01:27 PDT
http://www.goodwill.org/press-releases/goodwill-provides-update-on-data-security-issue/
http://www.bizjournals.com/boston/blog/health-care/2016/06/mgh-says-patients-impacted-by-third-party-data.html
https://sharedassessments.org/2014/03/data-breaches-third-party-risk/

Trustwave Global Security Report: In a stinging condemnation of outsourced
system administration practices, reported that in 76% of the cases it
investigated a third party responsible for system support, development or
maintenance introduced the security deficiencies later exploited by
attackers."


Revealed: How one Amazon Kindle scam made millions of dollars (ZDnet)

Monty Solomon <monty@roscom.com>
Sun, 2 Oct 2016 10:49:19 -0400
For years, thousands were tricked into buying low-quality ebooks.
http://www.zdnet.com/article/exclusive-inside-a-million-dollar-amazon-kindle-catfishing-scam/


More than 400 malicious apps infiltrate Google Play (Ars Technica)

Monty Solomon <monty@roscom.com>
Sun, 2 Oct 2016 10:51:55 -0400
http://arstechnica.com/security/2016/09/more-than-400-malicious-apps-infiltrate-google-play/


BT's Wi-Fi Extender works great, at extending your password to hackers (Juhn Leyden)

Werner U <werneru@gmail.com>
Mon, 26 Sep 2016 23:50:39 +0200
John Leyden, *The Register*, 21 Sep 2016
Got one of these gizmos? Patch its firmware ASAP
<http://www.theregister.co.uk/2016/09/21/bt_wifi_booster_fix/>

BT is urging folks to patch the firmware in its Wi-Fi Extender following the
discovery of multiple security flaws.

Security researchers at Pen Test Partners discovered vulnerabilities with
the consumer-grade kit, including cross-site scripting and the ability to
change a password without knowing it.
<https://www.amazon.co.uk/BT-Wi-Fi-Extender-300-Booster/dp/B00X7H36YA>

Pen Test Partners found it was possible to combine these flaws and exploit
them to snatch a victim's WPA wireless network passphrase after tricking
them into visiting a maliciously constructed webpage while connected to
their home network.  [...]

upgrading the firmware
<http://bt.custhelp.com/app/answers/detail/a_id/54345> of the Wi-Fi
Extender to version 1.1.8 resolves the problem.  [...]

The bugs—the latest in a long line of vulnerabilities in SOHOpeless
networking kit—is explained in a blog post by Pen Test Partners here.
<https://www.pentestpartners.com/blog/bt-wi-fi-extender-multiple-security-issues-upgrade-asap/>


Criminals posing as bank customer service staff on social media (Alisha Rouse)

Werner U <werneru@gmail.com>
Tue, 27 Sep 2016 00:08:36 +0200
Alisha Rouse, *Daily Mail* via *The Register*, 13 Sep 2016

<http://www.dailymail.co.uk/money/news/article-3787960/Watch-crooks-complain-Twitter-Criminals-posing-bank-customer-service-staff-social-media.html>
Watch out for crooks if you complain on Twitter

Crooks are posing as bank customer service staff on the social media website
to try to dupe customers into visiting a dodgy website or clicking a link so
the fraudster can steal their financial details.

Most banks have a dedicated account on Twitter for customers who need
instant help.

Those who have used the service often say it's an efficient way to get a
response to basic complaints as the bank must be seen to be acting swiftly
in public.

But fraudsters are setting up profiles that look almost identical to these
official bank help accounts. They are then swooping on customers who ask
for help from the official accounts and trying to lure them to dangerous
websites.

... All the major [British] banks say they've seen instances of fraud like
this.


"Microsoft finally fixes double-print bug, but more patching problems loom" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Tue, 27 Sep 2016 12:32:01 -0700
Woody Leonhard, InfoWorld, 23 Sep 2016
The convoluted method Microsoft used to fix the MS16-098 double-printing bug
is a harbinger of screw-ups to come with the new all-or-nothing approach to
patching

http://www.infoworld.com/article/3123670/microsoft-windows/microsoft-finally-fixes-double-print-bug-but-more-patching-problems-loom.html


"Armies of hacked IoT devices launch unprecedented DDoS attacks" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 27 Sep 2016 12:52:42 -0700
Lucian Constantin, 26 Sep 2016
DDoS attacks got a power boost thanks to hundreds of thousands of insecure
  IoT devices
http://www.infoworld.com/article/3124215/security/armies-of-hacked-iot-devices-launch-unprecedented-ddos-attacks.html

opening text:

Security researchers have been warning for years that poor security for
Internet-of-Things devices could have serious consequences. We're now seeing
those warnings come true, with botnets made up of compromised IoT devices
capable of launching distributed denial-of-service attacks of unprecedented
scale.

Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the
alarm on Twitter last week when his company was hit with two concurrent DDoS
attacks whose combined bandwidth reached almost 1 terabit per second. One of
the two attacks peaked at 799Gbps alone, making it the largest ever
reported.

According to Klaba, the attack targeted Minecraft servers hosted on OVH's
network, and the source of the junk traffic was a botnet made up of 145,607
hacked digital video recorders and IP cameras.

With the ability to generate traffic of 1Mbps to 30Mbps from every single
Internet Protocol (IP) address, this botnet is able to launch DDoS attacks
that exceed 1.5Tbps, Klaba warned.


Risks of using spammer URLs in posts

"Keith F. Lynch" <kfl@KeithLynch.net>
Sun, 25 Sep 2016 16:45:01 -0400 (EDT)
I noticed that my spam filters deleted RISKS-29.79.  I read it on Usenet,
and saw that it had been blocked because a post from "The CyberWire" with a
subject line of "Russian intelligence services seem responsible for hacking
German political groups" cited a URL on the notorious spam website c o n s t
a n t c o n t a c t . c o m.  I expect that lots of people didn't get the
digest for that reason, and that many of those who did, including me,
refused to click on that website since spam sites are likely to host
malware, or at least to be totally unreliable sources of information.


German Privacy Regulator Orders Facebook Stop Collecting German WhatsApp User Data (The Register)

Werner U <werneru@gmail.com>
Wed, 28 Sep 2016 18:22:03 +0200
Germany calls halt to Facebook's WhatsApp info slurp
http://www.theregister.co.uk/2016/09/27/germany_calls_halt_to_facebooks_whatsapp_info_slurp/

Privacy watchdog says nein
John Oates, 27 Sep 2016

A German privacy regulator has told Facebook to stop collecting user
information from WhatsApp.  Hamburg's Commissioner for Data Protection and
Freedom of Information issued an administrative order to immediately stop
the collection and storage of data from German WhatsApp users.  It also told
Zuckerberg's social media giant to delete all information it had already
collected from the messaging service.

Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of
Information, said in a statement: “This administrative order protects the
data of about 35 million WhatsApp users in Germany. It has to be their
decision, whether they want to connect their account with
Facebook. Therefore, Facebook has to ask for their permission in
advance. This has not happened.''

“In addition, there are many millions of people whose contact details were
uploaded to WhatsApp from the user's address books, although they might not
even have a connection to Facebook or WhatsApp. According to Facebook, this
gigantic amount of data has not yet been collected. Facebook's answer, that
this has merely not been done for the time being, is cause for concern that
the gravity of the data protection breach will have much a more severe
impact.''

Facebook altered WhatsApp terms and conditions to a default setting of
sharing data. Users were given time to change their settings if they wished
to but there has still been wide criticism of the move.

Facebook told Reuters it was willing to work with the regulator to resolve
their concerns.

There are ongoing legal challenges in Germany and in India to oppose the
move and US regulators are also examining the issue.

Facebook paid $19bn for WhatsApp two years ago
<http://www.theregister.co.uk/2014/02/19/facebook_acquires_whatsapp/>.


"Yahoo's claim of 'state-sponsored' hackers meets with skepticism" (Michael Kan)

Gene Wirchenko <genew@telus.net>
Tue, 27 Sep 2016 12:59:33 -0700
Michael Kan, 27 Sep 2016
The company isn't saying how it arrived at the conclusion that its massive
  data breach was carried out by a state-sponsored actor
http://www.infoworld.com/article/3124406/security/yahoos-claim-of-state-sponsored-hackers-meets-with-skepticism.html

selected text:

Yahoo has blamed its massive data breach on a "state-sponsored actor."  But
the company isn't saying why it arrived at that conclusion.  Nor has it
provided any evidence.

The lingering questions are causing some security experts to wonder why
Yahoo isn't offering more details on a hack that stole account information
from 500 million users.

"If I want to cover my rear end and make it seem like I have plausible
deniability, I would say 'nation-state actor' in a heartbeat," said Chase
Cunningham, director of cyber operations at security provider A10 Networks.


"Yahoo says hack of 500 million users "state-sponsored", but a security firm calls bull****" (BoingBoing, Re: RISKS-29.78)

Lauren Weinstein <lauren@vortex.com>
Thu, 29 Sep 2016 08:46:47 -0700
via NNSquad
"Yahoo says hack of 500 million users "state-sponsored", but a security firm
calls bull****"
http://boingboing.net/2016/09/29/yahoo-says-huge-hack-was-sta.html

  So, that huge hack of 500 million Yahoo user accounts last week that Yahoo
  blamed on a "state-sponsored actor"? A private Internet security firm is
  calling bull**** on the "state-sponsored" part.  The hack of more than 500
  million account credentials was the work of an Eastern European criminal
  gang, claims InfoArmor.  The Arizona-based firm released a report
  Wednesday challenging Yahoo's claims that a nation-state actor was behind
  the data heist.


"Sort of gives 'driving safely' a whole new meaning"

Gene Wirchenko <genew@telus.net>
Fri, 30 Sep 2016 09:20:01 -0700
Computerworld | Sep 30, 2016 3:00 AM PT
http://www.computerworld.com/article/3124784/security/sort-of-gives-driving-safely-a-whole-new-meaning.html

selected text:

It seems someone driving near fish tried to pair his or her phone just as
they were alongside—fish figures the other driver must have the same
brand of GPS, and connected with fish's by mistake.

On the other hand, fish realizes he could have downloaded Pat's contacts,
listened to Pat's voice mail and likely grabbed all of Pat's text-message
history.


The 15-Point Federal Checklist for Self-Driving Cars (The NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 30 Sep 2016 04:15:28 -0400
http://www.nytimes.com/2016/09/21/technology/the-15-point-federal-checklist-for-self-driving-cars.html

Federal regulators urge automakers to prove that their semiautonomous and
driverless vehicles meet specific safety expectations.


The psychological reasons behind risky password practices

Lauren Weinstein <lauren@vortex.com>
Thu, 29 Sep 2016 19:01:40 -0700
  A Lab42 survey, which polled consumers across the United States, Germany,
  France, New Zealand, Australia and the United Kingdom, highlights the
  psychology around why consumers develop poor password habits despite
  understanding the obvious risk, and suggests that there is a level of
  cognitive dissonance around our online habits.

https://www.helpnetsecurity.com/2016/09/29/risky-password-practices/
via NNSquad


Robot Ransomware?

Robert Schaefer <rps@haystack.mit.edu>
Thu, 29 Sep 2016 14:34:23 -0400
This question on twitter made me laugh:

  How long until robot ransomware?
  Send us 3BTC or you'll never get your
  Roomba out from under the couch.


Re: Krebs on Security hit by a huge DDoS attack (RISKS-29.79)

Peter Ludemann <peter.ludemann@gmail.com>
Mon, 26 Sep 2016 08:32:49 -0700
https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

Today, I am happy to report that the site is back up—this time under
Project Shield [https://jigsaw.google.com/projects/#project-shield], a free
program run by Google to help protect journalists from online censorship.
And make no mistake, DDoS attacks—particularly those the size of
the assault that hit my site this week—are uniquely effective
weapons for stomping on free speech, for reasons I'll explore in this post.


Re: PC without OS (Maziuk, RISKS-29.79)

Michael Marking <marking@tatanka.com>
Mon, 26 Sep 2016 23:13:18 +0000
In Risks 29.79, Dimitri Maziuk <dmaziuk@bmrb.wisc.edu> wrote:

> The ruling is that a business entity is not required to disclose
> the details of a deal it made with another business entity to anyone
> who bothers to ask. Obviously, you can't rule otherwise and have free
> market capitalism at the same time.

It's not obvious to me. Free markets do not require perfect information,
but, on the other hand, they can exist when perfect information is
required. ("Perfect information" is a term of art in economics, meaning,
roughly, that everyone in the market knows details of prices, which
aren't meaningful without terms, and even the details of production
methods and other information.) A perfect market (another term of art)
is characterized by perfect competition (yet another term of art), which
includes perfect information (go ahead, assume it). Perfect markets can
exist in capitalist, socialist, or other contexts. On the other hand,
these various contexts do not require perfect markets. The significance
of a perfect market is, in part, due to its tendency to reach a certain
kind of equilibrium, termed Pareto optimality. It is also related to the
kinds of profits which enterprises can yield, but that's another, though
related, topic.

So, capitalist markets can exist in the context of varying degrees of
disclosure. Note that the stock market, which is typically considered
more nearly perfect than, say, the real-estate market, is considered
quintessentially capitalist, despite government-required disclosures.
Anyone can learn a lot about publicly traded stocks, but real-estate
agents try to monopolize the information about their market, so that
market is less efficient.

Although this terminology is well established, the benefits and
detriments of the various decisions relating to the advisability of
these things are intensely debated. Politicians, as well as economists
making political statements, often gloss over the details, which can
be highly misleading. To be fair, the economist's definition of
perfect competition doesn't necessarily allow for economies of scale,
network effects, and some other things a non-rigorous definition
might ignore. However, ignoring these qualifications further fans
the flames of public debate. Few politicians offer opinions on
other sciences, but many render pronouncements on economics, although
arguably other sciences are equally relevant to the de facto (but
not necessarily appropriate) roles of government.

Despite Adam Smith's conjecture that markets pre-date government
intervention, there is little hard evidence that such markets were
(and are) not qualitatively extremely different from what an economist
calls a market. Intuition and conventional wisdom don't necessarily
suffice here. Moreover, governments are involved in all markets as
we normally understand the term; for example, they participate in the
enforcement of contracts. As such they make policy, which can directly
impact the operation of the market.

For instance, it's a matter of public policy that, in most jurisdiction,
much of certain kinds of drug dealing, prostitution, killing for hire,
and other "criminal" activities are discouraged. Therefore, the courts
will not enforce contracts based on such activities. You might imagine
a situation where a government would declare imperfect markets to
be undesirable, for some suitable choice of propinquity to perfection,
and refuse to enforce contracts where complete disclosure was not made.
Of course, this would require that the government itself would be
transparent, that the anonymity of corporate organization would be
prohibited, and so on. Picture, if you will, a government failing to
enforce patent rights when the plaintiff has concealed important market
information. (For instance, think of submarine patents.) This is not so
preposterous a suggestion as it might first seem, since the
justification for patents in the first place is based on the assumption
that disclosure will benefit the arts and sciences, and almost everyone
assumes that perfect competition (which requires perfect information)
usually is in everyone's best interests; indeed, it is often held
(incorrectly) that competition and free markets are the bedrock of
capitalism.

This is a deep rabbit hole, indeed.


Re: The risks of getting your email address wrong (Kumar, R-29.78)

DJC <djc@resiak.org>
Sun, 25 Sep 2016 09:53:58 +0200
As the first person to register for Google mail with my particular name, I
got it, with no digits or suffix tweaks. Now I get mail for lots of other
people with my name, probably because they forget to use their digits, or
someone copies it wrong. I've gotten other people's plane reservations,
copies of medical records, diplomatic documents, notifications of overdue
library books, auto maintenance reminders, confirmations of job interviews,
invitations to class reunions and other parties, detailed sales offers,
drafts of contracts, reminiscences of old love affairs, and Facebook
membership notices.

Sometimes it's possible to find and inform the actual person or sender,
often not—what's that e-mail address? And I've learned a lot about how
companies try to protect themselves from those pesky complaints by making
themselves impervious to contact, or through simple incompetence.

When contact is impractical, I try to take action. The airline company was
uncooperative, so I used their online system to cancel the reservations.
(To me that one smelled like credit card fraud anyhow.) The online system
was perfectly happy to "help" me reset the "lost" password using the e-mail
address it had for me, plus information on the confirmation itself. Hm.
What happened when that couple showed up at the airport? I know they didn't
get the mail confirming the cancellation - I did! Mail from that airline
stopped shortly thereafter.

I got into the the Facebook account and e-mailed some of the owner's
contacts to ask them to tell him his mail was falsely directed, without
effect. So I closed it. What did he think caused that?

There's also a certain amount of malicious misuse of my address by people
who aren't spammers or phishers, but apparently just think they're doing
something funny. Sometimes it's possible to fix that. Luckily most of that
stuff ends up in the spam folder anyway.


Re: The risks of getting your email address wrong (Levine)

Don Gingrich <gingrich@internode.on.net>
Tue, 27 Sep 2016 14:00:02 +1000
As happens, I can relate to John Levine's submission. I was an early adopter
of GMail, and coming from a Unix background of 8 character userids, I've
generally used my 8 character surname as my preferred email address.

I've received email that people thought was going to Newt Gingrich, I've
received loan documents and a lot of other misdirected messages.

And recently this has become more common. After some consideration I'd like
to put forward a possible mechanism.

I've noticed that when I use an iPad in particular, the automatic text
prediction will put a space after a full-stop. I would suggest that there
are number of addresses of the form foo.gingrich@gmail and that when foo
enters an address on whatever site, the text prediction adds a space and I
get the email.

When I am convinced that the sender is legitimate (following a good look at
full headers), I frequently respond to the sender telling them they've got
the wrong Gingrich. Or I simply unsubscribe if I can. But the problems of
unsubscribing an incorrectly entered email address is another completely
different and more complex problem.

Don Gingrich gingrich@internode.on.net gingrich@gmail.com gingrich@acm.org
don.gingrich@member.sage-au.org.au http://www.gingrich.id.au for web page


Re: The risks of getting your email address wrong

Andrew Pam <andrew@sericyb.com.au>
Mon, 26 Sep 2016 12:52:27 +1000
I also frequently get email intended for other people, and the main reason
is that the primary offenders are a lovely couple whose first names
("Andrew" and "Pam") happen to be the same as my full name.  Consequently
when they could not get andrew.pam at a globally popular mail provider, they
chose to settle for "andrew.pam2" as their account name.  The evidence shows
that this was not a good choice, as they frequently either mistype this
themselves or the address is corrupted in transcription, resulting in my
having to inform correspondents that they have reached the wrong person on
the wrong continent.

I would suggest that in order to mitigate the RISK of confusion and
unintentional exposure of private information, perhaps mail providers should
consider not allowing account names that differ from existing accounts by
only a single character.


Re: The risks of getting your email address wrong (Levine, R-29.79)

Richard Bos
Sat, 01 Oct 2016 15:38:45 GMT
> The normal approach for verifying an e-mail address is to send a message to
> it with a click here if that was you who signed up and (too often missing)
> click there if it wasn't you.

There's nothing wrong with this link not being there. The thought behind its
absence is to fail safe: if there is no positive response, the automatic
assumption _must_ be that there would have been a negative one. In other
words, if you don't actively click "it was me", the list assumes that it
wasn't you. There is, and should be, no need to actively confirm the
negative case; if the positive case isn't actively confirmed, the negative
route is taken.

> But a lot of marketers apparently think that's too hard, and why would
> someone give us the wrong address?

Ah, now, a lack of a confirmation link—and therefore, an assumption of
the _positive_ reply, unlike in the previous case—is certainly wrong.
However, I suspect you give marketeers too much credit. My strong suspicion
is that they're not even being naive, they know many addresses they get are
of people who don't want their spam and they just don't care. Eat your spam,
Consumer Unit 56634, it's good for you.

Please report problems with the web pages to the maintainer

Top