The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 14

Friday 17 February 2017

Contents

To Lure Moviegoers, 20th Century Fox Dangles Fake News
Liam Stack and Sapna Maheshwari
Fake news is killing people's minds, says Apple boss Tim Cook
The Telegraph
Dutch election will be counted by hand
The Guardian
Forged Racist Emails Cause Stir at University of Michigan
ABC
New Mac malware from Iran targets US defense industry, human rights advocates with fake Flash updates
Apple
Can Foreign Governments Launch Malware Attacks on Americans Without Consequences?
EFF
Cooperative Bank sends a text with a dyn.co link
Martin Ward
Toyota recalls all the Mirais for software bug
Andrew Krok
Majority of Android VPNs can't be trusted to make users more secure
Ars Technica
"Flaw in Intel Atom chip could crash servers, networking gear"
Agam Shah
"S. Korea plans to tighten battery regulations after Note 7 crisis"
John Ribeiro
'Xagent' malware arrives on Mac, steals passwords, screenshots,
Ars Technica
Yahoo sends new security warning to users
Chicago Tribune
"Microsoft re-releases snooping patches KB 2952664, KB 2976978"
Woody Leonhard
"Microsoft Explains Why Windows Drivers Are Dated 21 June 2006"
Matthew Humphries
Why you can't depend on antivirus software anymore
Slate
The Internet of Evil Things
Tim Johnson
Security and the Internet of Things
Bruce Schneier
Supporters of Mexico's Soda Tax Targeted With NSO Exploit Links
Citizen Lab
How do destroy a web form and the risks
Paul Robinson
Spanner, the Google Database That Mastered Time, Is Now Open to Everyone
WiReD
The AI Threat Isn't Skynet. It's the End of the Middle Class
WiReD
Google is spying on my photos
Geoff Kuenning
Lauren Weinstein
Re: D-Wave and quantum computer architecture
Rodney Van Meter
Re: quantum communications via plane and satellite
Rodney Van Meter
Re: Rob Slade on quantum computing
Rodney Van Meter
Re: Quantum Cryptography
Paul E. Black
Re: "The missile may have veered ... towards the United States"
Michael Black
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp
Amos Shapir
Re: The Truth About UNIX...
Paul Robinson)
*WiReD* in RISKS-30.13
Dave Horsfall
The 'March for Science' is gaining mainstream momentum
Joel Achenbach via Dewayne Hendricks
Stein Schjolberg: The History of Cybercrime
PGN
Info on RISKS (comp.risks)

To Lure Moviegoers, 20th Century Fox Dangles Fake News (Liam Stack and later Sapna Maheshwari in *The New York Times*)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 16 Feb 2017 9:19:00 PST
Liam Stack, *The New York Times*, 16 Feb 2017 [PGN-ed]

At least five fake news sites were set up (such as the Houston Leader and
the Salt Lake City Guardian), providing lots of partisan fake news headlines
such as

* LEAKED: Lady Gaga Half-time Performance to Feature Muslim Tribute

* BOMBSHELL: Trump and Putin spotted at Swiss Resort prior to election

* California Legislature to Consider Tax Rebates for Women Who Get Abortions

* Texas Doctor Charged with Multiple Counts of Human Experimentation

and lots more similarly false stuff on similar topics.  The intent was to
promote a new film—A Cure for Wellness—about a fake cure that makes
people even sicker.  “As part of this campaign, a 'fake' wellness site,
healthandwellness.com, was created and we partnered with a fake news creator
to publish fake news.''—according to a statement by Regency Enterprises
and 20th Century Fox acknowledging their roles in the ad campaign for the
film.

There apparently was considerable outrage within the film industry, because
the very next day, 20th Century Fox apologized for this movie ad campaign:

  Sapna Maheshwari, *The New York Times*, 17 Feb 2017
  The News Was Fake.  The Regret?  That's Real.

The *Times* article quotes Susan Credle (global chief creative officer of
the FBC ad agency):

  “Fake news is not a cute or silly subject.  When you start to tear down
  media and question what's real and what's not real, our democracy is
  threatened.  I think this is a hot enough subject that most marketers
  would understand that taking advantage of a vulnerable public is
  dangerous.''

    [One might wonder how many people will foolishly take such blatantly
    fake news as genuine.  Based on our experience with past April Fools
    items, I suspect there would be quite a few with some of the cleverer
    spoofs that really seem semi-plausible.  However, just one item quoted
    out of context can spread around the Internet and be accepted!

    In the early days of my collecting RISKS cases beginning in the
    mid-1970s, there was the notorious *Weekly World News* tabloid, with its
    utterly fantastic headlines.  Here are two examples from our archives:

    * 2 dead, 1 brain-dead from Chilean bank terminal
      (noted in ACM SIGSOFT Software Engineering Notes 12 2, April 1987)

    * First cybersex pregnancy (RISKS-19.60)

    Apparently this kind of outrageous nonsense brings in customers.  PGN]


Fake news is killing people's minds, says Apple boss Tim Cook (The Telegraph)

Lauren Weinstein <lauren@vortex.com>
Sat, 11 Feb 2017 13:08:05 -0800
NNSquad
http://www.telegraph.co.uk/technology/2017/02/10/fake-news-killing-peoples-minds-says-apple-boss-tim-cook/

  Tim Cook, the boss of Apple, is calling for governments to launch a public
  information campaign to fight the scourge of fake news, which is "killing
  people's minds".  In an impassioned plea, Mr Cook, boss of the world's
  largest company, says that the epidemic of false reports "is a big problem
  in a lot of the world" and necessitates a crackdown by the authorities and
  technology firms.


Dutch election will be counted by hand (The Guardian)

Mark Thorson <eee@sonic.net>
Wed, 8 Feb 2017 13:38:57 -0800
Netherlands reverts to paper ballots and hand counting to thwart hackers.
https://www.theguardian.com/world/2017/feb/02/dutch-will-count-all-election-ballots-by-hand-to-thwart-cyber-hacking


Forged Racist Emails Cause Stir at University of Michigan (ABC)

Lauren Weinstein <lauren@vortex.com>
Wed, 8 Feb 2017 10:09:34 -0800
NNSquad
http://abcnews.go.com/Technology/wireStory/forged-racist-emails-stir-university-michigan-45352248

  Someone sent racist and anti-Semitic emails to University of Michigan
  students and made it look like they were from a computer science professor
  who pushed for presidential election recounts in several states.

  The emails were sent mostly to engineering students Tuesday with subject
  lines such as "African American Student Diversity" and "Jewish Student
  Diversity." Two messages included the phrase "Heil Trump."

  A school spokesman, Rick Fitzgerald, said it wasn't a hack and that campus
  police are investigating. It's not known if the emails were connected to
  Alex Halderman's activism after the election.


New Mac malware from Iran targets US defense industry, human rights advocates with fake Flash updates (Apple)

geoff goodfellow <geoff@iconia.com>
Wed, 8 Feb 2017 12:41:39 -1000
http://appleinsider.com/articles/17/02/08/new-mac-malware-from-iran-targets-us-defense-industry-human-rights-advocates-with-fake-flash-updates


Can Foreign Governments Launch Malware Attacks on Americans Without Consequences? (EFF)

Gabe Goldberg <gabe@gabegold.com>
Wed, 8 Feb 2017 10:29:02 -0500
Can foreign governments spy on Americans in America with impunity? That was
the question in front of the U.S. Court of Appeals for the District of
Columbia Circuit Thursday, when EFF, human rights lawyer Scott Gilmore, and
the law firms of Jones Day and Robins Kaplan went to court in /Kidane
v. Ethiopia/ <https://www.eff.org/cases/kidane-v-ethiopia>.

Jones Day partner Richard Martinez <http://www.jonesday.com/rmartinez/>
argued before a three-judge panel that an American should be allowed to
continue his suit against the Ethiopian government for infecting his
computer with custom spyware and monitoring his communications for weeks on
end. The judges questioned both sides for just over a half hour.  Despite
the numerous issues on appeal, the argument focused on whether U.S. courts
have jurisdiction to hear a case brought by an American citizen for
wiretapping and invasion of his privacy that occurred in his living room in
suburban Maryland. The question is relevant because, under the Foreign
Sovereign Immunities Act, foreign governments are only liable for torts they
commit within the United States. ...

Ethiopia's lawyer argued next, taking the position that it should be able to
do anything to Americans in America, even set off a car bomb, as long as
Ethiopia didn't have a human agent in the United States. One judge asked
what would happen if Ethiopia mailed a letter bomb into the United States to
assassinate an opponent, or hacked an American's self-driving car, causing
it to crash. Ethiopia didn't hesitate: their counsel said that they could
not be sued for any of those.

https://www.eff.org/deeplinks/2017/02/can-foreign-governments-launch-malware-attacks-americans-without-consequences


Cooperative Bank sends a text with a dyn.co link

Martin Ward <martin@gkc.org.uk>
Thu, 9 Feb 2017 11:35:30 +0000
Yesterday I received a text message, claiming to be from the Co-op Bank
stating:

  "This is the Co-op bank. Some services will be unavailable this weekend
  due to essential maintenance. For more details, visit:"

followed by a link to "CoopBank.dyn.co"

The ".co" top level domain is the country code for Columbia.

I sent an email to the Co-op Bank to warn them of this phishing attempt and
received a reply stating that the text was genuine!

How can we persuade people not to click on dodgy links in emails and text
messages when legitimate companies send out genuine messages with links that
are indistiguishable from phishing attempts?


Toyota recalls all the Mirais for software bug (Andrew Krok)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 16 Feb 2017 13:38:35 -0700
Andrew Krok, Road Show by CNET, February 16, 2017 11:19 AM PST

Toyota issued a recall for every single Mirai hydrogen fuel cell vehicle
sold around the world. That may seem like a ton, but bear in mind it's a
niche vehicle utilizing an infrastructure that isn't fully fleshed
out. Thus, only about 2,840 vehicles are affected.

The issue relates to the car's powertrain. A unique set of driving
conditions—for example, jamming the accelerator to the floor after
driving on a long descent under cruise control—might cause the fuel
cell's boost converter to output voltage higher than the maximum. If that
happens, a warning light will come on and the fuel cell system will stop
running.

Toyota will fix the issue with a simple software reflash.

https://www.cnet.com/roadshow/news/toyota-recalls-all-the-mirais-for-software-bug/


Majority of Android VPNs can't be trusted to make users more secure (Ars Technica)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 8 Feb 2017 20:35:39 PST
https://arstechnica.com/security/2017/01/majority-of-android-vpns-cant-be-trusted-to-make-users-more-secure/

  Over the past half-decade, a growing number of ordinary people have come
  to regard virtual private networking software as an essential protection
  against all-too-easy attacks that intercept sensitive data or inject
  malicious code into incoming traffic. Now, a comprehensive study of almost
  300 VPN apps downloaded by millions of Android users from Google's
  official Play Market finds that the vast majority of them can't be fully
  trusted. Some of them don't work at all.


"Flaw in Intel Atom chip could crash servers, networking gear" (Agam Shah)

Gene Wirchenko <genew@telus.net>
Thu, 09 Feb 2017 09:05:19 -0800
Agam Shah, Info World, 6 Feb 2017
Intel is 'implementing and validating a minor silicon fix' to resolve the issue
http://www.infoworld.com/article/3167205/storage/flaw-in-intel-atom-chip-could-crash-servers-networking-gear.html

[selected text]

A flaw in an old Intel chip could crash servers and networking equipment,
and the chipmaker is working to fix the issue.

The issue is in the Atom C2000 chips, which started shipping in 2013.

  [Four years old is old in a chip still in production?  Risks of short-term
  thinking?]

The usual server refresh cycle is three to five years, but networking and
storage equipment—which the C2000 is targeted toward—is often used for
five to 10 years.

Intel continuously finds flaws in its chips, and it fixes them over
time. But one that may crash a system is serious and could put data at risk.

  [I am curious about chip flaws being more common than I thought.  Is anyone
  is a position to knowledgeably comment about this?]

The chipmaker has given up making Atom chips for servers, ...  Intel is now
dedicating Atom chips to drones, robots, gateways, smart devices, and
Internet of things products.

  [IDIOT* strikes again?  *Insecurely-Designed Internet of Things]


"S. Korea plans to tighten battery regulations after Note 7 crisis" (John Ribeiro)

Gene Wirchenko <genew@telus.net>
Thu, 09 Feb 2017 09:18:38 -0800
John Ribeiro, InfoWorld, 6 Feb 2017
A government agency agreed with Samsung's view that faulty batteries
caused the Note 7 to overheat
http://www.infoworld.com/article/3165952/smartphones/south-korea-plans-to-tighten-battery-regulations-post-note7-crisis.html

[selected text]

In the wake of the Note 7 debacle, South Korea is introducing new tests and
regulations to ensure battery and smartphone safety, the Ministry of Trade,
Industry, and Energy said.

The announcement Monday by MOTIE also agrees with the analysis by Samsung
Electronics and some experts on the cause of the overheating and even
explosions of some Galaxy Note 7 smartphones.

Samsung, backed by experts from Exponent, TUV Rheinland, and UL, said in
January that the overheating of some Note 7 phones was likely caused by the
faulty design and manufacturing of batteries by two suppliers, rather than
by the design of the smartphone itself.


'Xagent' malware arrives on Mac, steals passwords, screenshots, iPhone backups (Ars Technica)

geoff goodfellow <geoff@iconia.com>
Tue, 14 Feb 2017 21:41:50 -1000
A Russian hacking group accused of interfering with last year's presidential
election has evolved its Xagent malware package, known for its ability to
infiltrate Windows, iOS, Android and Linux devices, to target Macs,
according to a report on Tuesday.

Uncovered by security research firm and antivirus builder Bitdefender, the
Mac strain of Xagent is similar to its predecessors in that it acts as a
modular backdoor for intruders, reports *Ars Technica*.
<https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/>
<https://arstechnica.com/security/2017/02/new-mac-malware-pinned-on-same-russian-group-blamed-for-election-hacks/>

Once the malware is installed, likely through the Komplex downloader, it
checks for the presence of a debugger. If none is found, Xagent waits for an
Internet connection to reach out to command and control servers, which in
turn activate specific payload modules, Bitdefender explains. As a Mac
malware, most C&C URLs impersonate Apple domains.

The Xagent payload includes modules capable of searching a target Mac's
system configuration, offloading running processes and executing code. More
troubling is the malware's ability to grab desktop screenshots, steal web
browser passwords and offload iPhone backups. The latter capability is
perhaps most important from an intelligence-gathering standpoint,
Bitdefender says.

While an exact lineage has yet to be determined, the security firm believes
APT28 is behind the Mac form of Xagent...

http://appleinsider.com/articles/17/02/14/xagent-malware-arrives-on-mac-steals-passwords-screenshots-iphone-backups


Yahoo sends new security warning to users (Chicago Tribune)

Lauren Weinstein <lauren@vortex.com>
Wed, 15 Feb 2017 11:36:12 -0800
via NNSquad
http://www.chicagotribune.com/bluesky/technology/ct-yahoo-new-security-warning-20170215-story.html

  Yahoo is warning users of potentially malicious activity on their accounts
  between 2015 and 2016, the latest development in the Internet company's
  investigation of a mega-breach that exposed 1 billion users' data several
  years ago.  Yahoo confirmed Wednesday that it was notifying users that
  their accounts had potentially been compromised but declined to say how
  many people were affected.

Unavoidable reference: https://www.youtube.com/watch?v=vUi1PdYn5nk


"Microsoft re-releases snooping patches KB 2952664, KB 2976978" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Thu, 09 Feb 2017 14:23:19 -0800
  Given the following and other Microsoft Windows 10 shenanigans, I have not
  done a Windows Update in quite some time now.  I am more worried about
  Microsoft doing something nefarious to my system than anyone else.

Woody Leonhard, InfoWorld, 9 Feb 2017
Earlier versions of the Win7 and 8.1 patches kicked off enhanced
snooping routines, and there's no indication what's changed in these versions
http://www.infoworld.com/article/3168397/microsoft-windows/microsoft-re-releases-snooping-patches-kb-2952664-kb-2976978.html

selected text:

We don't know what KB 2952664 (for Windows 7) and KB 2976978 (for Windows
8.1) actually do. But both patches have been shown in the past to trigger a
new Windows task called DoScheduledTelemetryRun.

But I do know that earlier versions of these patches triggered new snooping
scans, whether the Customer Experience Improvement Program is enabled or
not. And I do know that Microsoft hasn't documented much at all.


"Microsoft Explains Why Windows Drivers Are Dated 21 June 2006" (Matthew Humphries)

Gene Wirchenko <genew@telus.net>
Thu, 09 Feb 2017 14:13:24 -0800
  When is a date not a date?

  (I wonder if anyone has had problems because of supposedly outdated
  drivers.)

Matthew Humphries, PC Mag, 9 Feb 2017
http://www.pcmag.com/news/351668/microsoft-explains-why-windows-drivers-are-dated-june-21-20

selected text:

The drivers are regularly updated, but that timestamp never changes. Why?

Microsoft drivers in a lot of cases are the fallback option. We all run
hardware in our desktop PCs and laptops that's supplied by third-party
companies, and they produce drivers for those components.  These drivers are
preferable to Microsoft's own, but if every time Microsoft released an
updated driver it changed the timestamp to be current, Windows would view it
as newer than the custom driver and replace it. You probably don't want this
to happen as manufacturer's driver are more suited than Microsoft's.

So to avoid this, Microsoft timestamps all drivers with the Windows Vista
Release To Manufacturing (RTM) date, which is June 21, 2006.  The Vista RTM
was chosen because, "since only drivers as far back as Vista are compatible
with new versions of Windows, every driver should have a date newer than
Vista RTM, preserving the driver you installed as the best ranked driver."


Why you can't depend on antivirus software anymore (Slate)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 16 Feb 2017 9:06:28 PST
http://www.slate.com/articles/technology/future_tense/2017/02/why_you_can_t_depend_on_antivirus_software_anymore.html

  [Thanks to Ray Perrault for spotting this one.  PGN]


The Internet of Evil Things (Tim Johnson)

geoff goodfellow <geoff@iconia.com>
Mon, 13 Feb 2017 16:26:37 -1000
As wireless devices flourish, network security pros break into cold sweats

Tim Johnson, McClatchy, 13 Feb 2017

http://www.mcclatchydc.com/news/nation-world/national/national-security/article132065839.html

Washington

Sure, your office may seem clean. But it's probably not. Invisible network
pollution contaminates the space, and it may open a door to evildoers.

The pollution comes from the growing list of Internet-connected devices:
cellphones, security cameras, thermostats, door locks, printers,
speakerphones, even coffeemakers. Not all of them have up-to-date security
patches or strong password protection. All of them are potential foot
soldiers for hackers.

<https://www.pwnieexpress.com/hubfs/2017InternetOfEvilThings.pdf?utm_campaign=IoET+2017&utm_source=hs_automation&utm_medium=email&utm_content=42452447>

In a report titled The Internet of Evil Things, to be released Monday, a
Boston-based company says the connected devices that surround us at home and
work give indigestion to technology security experts, who see the rise of a
menacing new force.

“Our devices live in an open and free world. They connect to anything. They
connect to good things and bad things. They don't know the difference,''
said Paul Paget, chief executive of Pwnie Express, the Boston cyber threat
detection firm.

The problem, Paget said, is that much of the Internet-connected world is
contaminated with malicious code, or malware, and your devices swim in that
pollution.

Increasingly, employees carry their own devices to work, perhaps unwittingly
bringing cyber infections and malware into contact with an office network,
or bringing devices with weak defenses that can be forcibly recruited into
in a hostile robotic network, or botnet, for attacks elsewhere.

The first major alarm about these zombie botnets arose on Oct. 21 when
hackers used malware, which security professionals dubbed Mirai
<http://www.mcclatchydc.com/news/nation-world/national/national-security/article105894272.html>,
to harness an army of enslaved connected devices, mainly security cameras,
to overwhelm a New Hampshire firm, Dyn, that is a backbone of the Internet.
The massive attack, the largest of its kind ever, took down Internet access
in some metropolitan areas of the East Coast.

Rather suddenly, the risk of connected devices became a hot topic. Even the
most mundane home or office device could seem, well, potentially virulent.
[...]

http://www.mcclatchydc.com/news/nation-world/national/national-security/article132065839.html


Security and the Internet of Things (Bruce Schneier)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 15 Feb 2017 10:22:35 PST
  [Bruce has written a long article that augments much of what we have
  noted here in the past, including the article Ulf Lindqvist and I have
  written for the February 2017 CACM Inside Risks series (item 240):
    http://www.csl.sri.com/neumann/insiderisks.html
  PGN]

             CRYPTO-GRAM
          February 15, 2017
<https://www.schneier.com/crypto-gram/archives/2017/0215.html>.
          by Bruce Schneier
        CTO, Resilient Systems, Inc.
        schneier@schneier.com
       https://www.schneier.com
 <https://www.schneier.com/crypto-gram.html>.

      Security and the Internet of Things

  [This essay previously appeared in "New York Magazine."]
http://nymag.com/selectall/2017/01/the-Internet-of-things-dangerous-future-bruce-schneier.html
  ]


Supporters of Mexico's Soda Tax Targeted With NSO Exploit Links (Citizen Lab)

Jose Mara Mateo <chema@rinzewind.org>
Mon, 13 Feb 2017 12:14:57 -0500
https://citizenlab.org/2017/02/bittersweet nso mexico spyware/

Key Findings

* A prominent scientist at the Mexican National Institute for Public Health
(INSP) and two directors of Mexican NGOs working on obesity and soda
consumption were targeted with government exclusive spyware.

* All of the targets have been active supporters of Mexico's soda tax, a
public health measure to reduce the consumption of sugary drinks.

* The targets received messages with malicious links that would have
installed NSO Group's Pegasus spyware on their phones. NSO Group is an
Israeli cyber-warfare company.

* NSO's government surveillance tool may have been misused on behalf of
special commercial interests, not for fighting crime or terrorism.


How do destroy a web form and the risks

Paul Robinson <paul@paul-robinson.us>
Fri, 10 Feb 2017 03:39:25 +0000 (UTC)
There has been a problem I was having that, even though I have over 35 years
of experience as a computer programmer, I had no idea why it was happening,
and, explaining how I figured out what caused it.

Right now I am using a web form to type in this message. Sometimes I will go
on various web sites where you're allowed to post messages or comments in
forums, and on rare occasions, I'd be typing something in and the message
would simply vanish. It wasn't posted, it wasn't saved, it was if I had
asked the website to cancel my message. This can be very irritating to
express a complicated explanation or idea and have it vanish in the middle
of what you're typing.

So let me show you how this happens, and why it bodes large for more than
just someone typing a comment on a web page.

Tools Needed:
* A computer with Windows
* Running Firefox browser
* Having an Internet connection

The process:

* Log on to your favorite message boards or the compose page if you use Web
  mail.
* Choose to reply or create a new message. This opens a text box, sets
  "focus" to it, and places the cursor in the box, allowing you to type in
  text.
* Type in some material and make a mistake and proceed to press the
  backspace key to correct the mistake.
* Accidentally hit F12, which is directly above the backspace. This opens a
  debug window so you can analyze the objects and DOM layout of the web
  page.
* Realize that (unless you are a web designer or programmer who wants to
  analyze this page) you did not want that, and press F12 again to release
  the debug window and go back to the "ordinary" web page.
* Unless you are very attentive, you might not notice that the "focus" - the
  place where the system sends keystroke messages - is not on the input area
  of the page, but on the whole page. This means the "mode" of the
  application has silently changed, and keystroke messages are sent to the
  application, not to the text box.
* Proceed to correct the message by pressing the backspace key. Since you're
  not in the text area, the web browser does not treat the backspace as a
  command to "delete the previous typed in key" it is now the *back* button,
  which means to back up one web page from the stack of pages you've surfed
  through.
* This causes the web browser to return to the previous page before you
  wanted to enter a reply, destroys the current web page and discards
  everything you typed in. It's gone forever and you can't get it
  back. Using the "forward" button on the toolbar returns you to the posting
  page, but is cleared out as when you start a new post.

Now, the worst thing about this is given the number of functions available
from the keyboard this is not the only way for the focus to change, there
are other possible keystrokes you can made that can take the focus off the
input box and move it to the app, and thus potentially cause a mode change
that you do not even know has happened.

Now, this presents a big possibility of error "writ large" onto any
application or system where any button or key used by an application is
modal, in which the button's functionality is different according to the
current mode you are in. Obviously having a mode change the behavior of an
application without the user being aware of it could have substantial risks
that are clearly obvious.


Spanner, the Google Database That Mastered Time, Is Now Open to Everyone (WiReD)

Lauren Weinstein <lauren@vortex.com>
Tue, 14 Feb 2017 11:36:26 -0800
https://www.wired.com/2017/02/spanner-google-database-harnessed-time-now-open-everyone/#a-6159ef6b-4043-4271-89e3-b3c5108d72a8

  Google can change company data in one part of this database--running an
  ad, say, or debiting an advertiser's account--without contradicting
  changes made on the other side of the planet. What's more, it can readily
  and reliably replicate data across multiple data centers in multiple parts
  of the world--and seamlessly retrieve these copies if any one data center
  goes down. For a truly global business like Google, such transcontinental
  consistency is enormously powerful.


The AI Threat Isn't Skynet. It's the End of the Middle Class (WiReD)

"Dave Farber" <farber@gmail.com>
Fri, 10 Feb 2017 20:45:52 -0500
https://www.wired.com/2017/02/ai-threat-isnt-skynet-end-middle-class/


Google is spying on my photos

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, 12 Feb 2017 16:53:28 -0800
I stopped by our local wilderness park today to take a photo of some
wildflowers with my Android phone.

Imagine my shock an hour or so later when the phone's notifications screen
offered me a chance to "Be a part of Google Maps!  Share your pictures of
Claremont Hills Wilderness Park" complete with thumbnails of the photos I
took.

Now to be fair, the thumbnails could have been assembled into the message on
my phone without ever being sent to Google.  But the only way they could
have known that I took a picture near (not in) the park was if the GPS data
and the fact of the photo were sent to them, without my knowledge or
permission, when I hit the shutter button.

To make matters worse, I wasn't even using the phone's built-in camera app;
I was using an alternative, Camera FV-5, which as far as I can tell only
uses your GPS location internally.

So the conclusion is that every time my camera's shutter operates, the
location (and maybe a thumbnail) is sent to Google.  Most of the time they
might discard it, but it's still creepy.  And IMHO it certainly violates
their motto of "Don't be evil."

One more reason to use a real camera...


Re: Google is spying on my photos (Kuenning, RISKS-30.14)

Lauren Weinstein <lauren@vortex.com>
Sun, 12 Feb 2017 19:07:02 -0800
This is all documented.
If memory serves the specific option is in:
maps>settings>notifications ("add photos" or some such)

Also, a similar effect would likely be achieved by turning off location
sharing.

 - - -

  Add Photos to Multiple Places

  No more digging through photos and searching for the right now we
  automagically match them for you with Google Photos.

  On your Android phone, simply turn on the back up and location features in
  Google Photos to have your photos of places appear in the Contribute tab
  of Google Maps, ready for you to share and score points.


Re: D-Wave and quantum computer architecture

Rodney Van Meter <rdv@sfc.wide.ad.jp>
Tue, 14 Feb 2017 10:47:18 +0900
I'm going to be a bit gauche and toot my own horn here, hopefully while
putting some context on the three quantum-related items in the last couple
of issues of RISKS.  I am one of the few classically-trained computer
architects whose research is full time quantum, and has been since 2003.
Apologies for the collective length, but since I'm addressing several prior
posts I hope you'll allow them.

First, D-Wave: the Wired article says, "D-Wave's computers can't tackle all
algorithms yet,"—no kidding!  It's a special-purpose machine that solves
optimization problems mapped to Ising spin problems, a type of graph
problem.  It's a one-trick pony, although it's a really good trick, if it
works.

"[T]hird-party research didn't consistently confirm hype about D-Wave
machines' speed gains versus classical computing."  *Really* no kidding!
The only person I trust unreservedly about this is Matthias Troyer (ETH
Zurich & Microsoft Research).  Turns out that characterizing performance of
algorithms with many parameters including probability of being within some
distance of optimal is tricky stuff.  A great place to start is
http://www.sciencemag.org/content/345/6195/420.abstract

The slides by John Seymour, linked to from the Wired article, are an
excellent account of one adventure using the machine.

Designing algorithms for somewhat more general-purpose quantum computers is
nothing like designing classical algorithms.  The entire goal is to use
entanglement and the wave nature of quantum states to drive the machine
toward a state where non-answers to your problem destructively interfere,
and answers to your problem constructively interfere.  For discussion of the
state of machines and our attempts to design them, see (ahem)

A blueprint for building a quantum computer:
http://dl.acm.org/citation.cfm?id=2494568

Quantum computing's classical problem, classical computing's quantum problem:
https://arxiv.org/abs/1310.2040
The path to scalable distributed quantum computing
http://ieeexplore.ieee.org/abstract/document/7562346/ or
https://arxiv.org/abs/1605.06951
and I love Dave Bacon's review of quantum algorithms, though it's
getting a bit long in the tooth now:
http://dl.acm.org/citation.cfm?doid=1646353.1646375


Re: quantum communications via plane and satellite

Rodney Van Meter <rdv@sfc.wide.ad.jp>
Tue, 14 Feb 2017 14:37:03 +0900
Apologies for the length, I didn't set out to write something this long...

RISKS 30.13 had a note about the Jennewein team capturing single photons
from an airplane on the ground.  It's prepartory work to doing the same
thing from a satellite, and it's great stuff.  Note that Makarov is a
coauthor, and Makarov is the best "red team" QKD person on the planet, known
for his work hacking QKD systems.

And, in case you haven't heard, China already *has* a satellite in orbit for
essentially the same experiments:
https://www.rt.com/news/374167-china-quantum-satellite-operational/
They haven't yet published data from the satellite (launched last August),
but they're now saying it's performing "much better than expected".

The basic idea is to generate pairs of entangled photons in space, and
capture them at two different locations on the ground.  The current
experiments, as far as I know, involve only capturing and measuring the
photons directly, which means they are good for only quantum key
distribution (QKD), creating a guaranteed-secret stream of classical bits
shared with exactly one partner.  Doing this via satellite has a lot of
security advantages, including how hard it is to intercept and resend
signals.

This form of QKD (so-called Ekert-style, known as E91, using entangled pairs
of photons rather than single photons from a sender to a receiver) is not
subject to worries about e.g. the quality of the RNG on the satellite.  Even
if you could fly a high-altitude aircraft that spoofed the satellite, proper
operation of the checks on the ground would _still_ keep the key secure.  A
combination of spoofing the satellite with a known vulnerability in the RNG
at the ground stations could result in a compromised key, I believe, by
judiciously avoiding the checks.  Or, rather than directly spoofing the
entangled pairs, other recent work has shown how, with some receiver setups,
you can force any outcome you like (see DOI:10.1126/sciadv.1500793).

n.b.: Some of this is speculative, given that I haven't seen details of the
experiments they are doing with the actual satellite, but I have read many
of their preparatory papers.

Of course, there are a lot of limitations, including weather and satellite
orbit.  And if you have failures in orbit, fixing them is hard!

Jian-Wei Pan's group is the best in the world at this kind of optical
experiment.  He was in Zeilinger's group in Vienna, which is the only other
real contender for best at this kind of thing.  Jian-Wei is also chief
architect of the fiber-based QKD network they are now building out in
eastern China.  My viewpoint is limited, but from where I sit, he is
probably China's most famous and most politically powerful researcher, in
any field, and with good reason.

I've already gone on long here, but I want to note that QKD, which involves
early, direct measurement of the quantum states as photons, is only the
beginning of quantum networking.  If we can build quantum repeater networks
that create entanglement over long distances, we can do many more things:
sensor networks and interferometers with better-than-classical precision;
high-precision distributed clocks (although whether they can be built
without supporting classical infrastructure that already exceeds the quantum
portion is an open question); other security functions such as stronger
byzantine agreement; and distributed quantum computation (such as blind
computation).  See (again, ahem)
https://www.verisign.com/en_US/company-information/verisign-labs/speakers-series/quantum-networks/index.xhtml
and (final ahem) my book, _Quantum Networking_
http://as.wiley.com/WileyCDA/WileyTitle/productCd-1848215371.html (Apologies
for the price.  I get a couple of bucks, the publisher gets the rest.)

Happy to talk at more length with any RISKers who are interested in either
quantum computing or quantum networking.

Prof. Rodney Van Meter, Faculty of Environment and Information Studies,
Keio University, Japan  rdv@sfc.wide.ad.jp   http://web.sfc.keio.ac.jp/~rdv/


Re: Rob Slade on quantum computing

Rodney Van Meter <rdv@sfc.wide.ad.jp>
Tue, 14 Feb 2017 11:19:33 +0900
I'm really thrilled to see someone of Rob's firepower thinking seriously
about what quantum computing means to a particular community (in this case,
the security community).  And I hadn't seen his articles before, so I'm
reading them and sharing with my students.

Re: security of the quantum computers themselves: yes, their operations are
very easily disrupted (a bigger problem, actually, for quantum networks, see
my next message).  But as to verifying the answers they produce, that should
be straightforward.  Anything like an NP-complete problem, or math problems
like factoring, it's pretty easy to check.  Other applications, such as
quantum chemistry (popularly touted as an important class of apps) are
harder.

Re: security of results: One of my favorite ideas of the last decade is
blind quantum computation, by Broadbent, Fitzsimons and Kashefi.  Like
Gentry's homomorphic encryption, it allows a computer to run an algorithm
with no access to the input or output data.  Blind QC goes a step further
and keeps even the algorithm hidden.  You can run the algorithm on a remote
server, and the server, its operators and hackers can learn nothing at all
except an upper bound on the size of the computation you have done.
https://arxiv.org/abs/0807.4154

The penalty for using BQC is substantial, but tolerable, even when
accounting for quantum error correction.  However, the network demands to
use it remotely in full form are unrealistically high for the foreseeable
future, see (again, ahem) https://arxiv.org/abs/1306.3664 and papers by
others that I don't have handy at the moment.

Re: applications for QCs: Rob suggests a number of things that are "hard"
problems.  Unfortunately, due to very limited memory capacity and
inconceivably low I/O rates, no "big data" applications are in the offing,
so e.g. climate modeling is right out.  Problems involving modeling of other
quantum systems, such as quantum chemistry of fertilizers (the favorite
example problem of the Microsoft Research folks) are good candidates.
Small-data problems with high branching factors, like solving chess or go
without a massive library, are good candidates.

Re: "superposition will allow for the processing of vast numbers of
possibilities simultaneously": Scott Aaronson, one of the premiere theorists
and quantum's most visible and funniest blogger, really hates that
description.  See my last message for a short discussion of algorithm design
via interference, or Scott's blog at
http://www.scottaaronson.com/blog/?p=2026 or his book _Quantum Computing
Since Democritus_, if you want the hard thinking without the math. (That
book is amazingly deep given the dearth of equations.)

Enough for now, a note about networking later...


Re: Quantum Cryptography (Werner U, RISKS-30.13)

"Black, Paul E. (Fed)" <paul.black@nist.gov>
Thu, 16 Feb 2017 18:56:08 +0000
Re: stealing a quantum key
(Feb 2 in WiReD))

On Mon, 6 Feb 2017 Werner U <werneru@gmail.com> wrote

  "... it's physically *impossible* for a hacker to steal a key encoded
  using quantum particles."

It is physically impossible for a hacker to steal such a key *without being
detected*.  This is clearly communicated in the rest of the paragraph.

Paul E. Black             100 Bureau Drive, Stop 8970
paul.black@nist.gov       Gaithersburg, Maryland  20899-8970
voice: +1 301 975-4794    fax: +1 301 975-6097
http://hissa.nist.gov/~black/                        KC7PKT


Re: "The missile may have veered ... towards the United States"

Black Michael <mdblack98@yahoo.com>
Mon, 13 Feb 2017 16:01:04 +0000 (UTC)
Having been on an observation ship during a failed missile test back in the
80's I can tell you this is much ado about nothing.  All missile
launches...including subs...have a missile safety officer Their sole job is
to have their finger on the detonate button if something goes wrong.

We were about 10km as I recall from a Trident launch and the missile started
to roll...took probably 2 seconds before the safety officer destroyed it.
The idea that a missile might "veer" towards the U.S. is just one of the
obviously many directions a bad missile might go.As soon as it goes off
course it will be destroyed.

The extremely poor scientific reporting that goes on in the media leaves a
lot of people with bad and/or incomplete information....just like the
current scare mongering from Fukushima with news agencies reporting "record
radiation levels"....of an area that had never been meaured before....and
who woulda thunk a nuclear reactor core might actually be dangerous?


Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Risks 30.13)

Amos Shapir <amos083@gmail.com>
Thu, 9 Feb 2017 13:58:47 +0200
What most respondents seem to ignore is that the difference between
indentation-oriented syntax and enclosing-delimiter-oriented one is not a
matter of the behavior or availability of automatic indenting applications.

The main issue is that with the latter syntax (e.g. Python's) there's no way
to know where an "if" or a "while" statement ends, except by indentation;
messing indentation on even a single line can result in a program which is
syntactically valid, but wrong.  In a language like C, one would have to
lose at least two opposing braces to get this result, and it's even harder
with languages which use syntax like if...fi and do...od .


Re: The Truth About UNIX... (Norman, RISKS-30.13)

Paul Robinson <paul@paul-robinson.us>
Mon, 13 Feb 2017 19:56:57 +0000 (UTC)
Don Norman wrote: "More facts: I never used a DEC (Digital) PDP-10, although
I did use (and own) many every other DEC machine: PDP 1, 4, 7, 8, 9, 11 and
Vax. I managed to skip the 10, which was replaced by the Vax."  To set the
record straight, the Decsystem 20 replaced the PDP 10, both of which were
36-bit architecture. Then DEC deprecated the 20. Then the only mainframe
option to a (now former) Decsystem 20 customer was either an IBM 370 series
or a DEC VAX. But the VAX, like the 370, is a 32-bit machine, is not
compatible in terms of operating system or architecture with the 10 or the
20, and was the replacement for the 16-bit PDP-11, with which its machine
instruction set was compatible.


*WiReD* in RISKS-30.13

Dave Horsfall <dave@horsfall.org>
Thu, 9 Feb 2017 10:34:55 +1100 (EST)
A couple of articles have mentioned the wired.com site; please be aware that
they run an ad-blocker-blocker, which means you either disable your blocker
(which I won't do) or risk (no pun intended) your privacy by signing up; I
won't trust any site that demands I either view adverts, or pay what amounts
to a ransom.

  [Let's hope someone at EFF is reading RISKS.  PGN]


The 'March for Science' is gaining mainstream momentum (Joel Achenbach)

Dewayne Hendricks <dewayne@warpspeed.com>
Sat, Feb 11, 2017 at 2:05 AM
Joel Achenbach, *The Washington Post*, 9 Feb 2017
https://www.washingtonpost.com/news/speaking-of-science/wp/2017/02/09/the-march-for-science-is-gaining-mainstream-momentum/

Many scientists are reluctant to leap into politically charged territory,
but these are not normal times, and even the most mainstream science
organizations say there may be no choice but to take to the streets. The
much-discussed March for Science, organized via social media and scheduled
for April 22 in Washington, has been gaining momentum.

Christine McEntee, executive director and chief executive of the American
Geophysical Union, said Thursday that her organization has been talking in
recent days with march organizers and looking for ways to support the
effort.

“We are pleased to see the growing support for the value of science and
scientific integrity. AGU has begun discussions with the organizers of the
march and we are exploring how we can best support their efforts. Democracy
is based on active participation. We fully support the efforts of
scientists to speak out on these important issues.''  [...]


Stein Schjolberg: The History of Cybercrime

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 11 Feb 2017 10:22:42 PST
"The History of Cybercrime (1976-2016)" was published in January 2017 in
Germany by the Cybercrime Research Institute, Cologne.  It contains new
information from United Nations organizations, INTERPOL, a new chapter on
Public-Private Partnerships, new information on Internet of Things (IoT),
the encryption problems for law enforcements, and much more.  The book is
now available on Amazon Kindle and book editions.

Please report problems with the web pages to the maintainer

Top