The RISKS Digest
Volume 30 Issue 31

Thursday, 8th June 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Russian malware communicates by leaving comments in Britney Spears's Instagram account
BoingBoing
Russian Gang Hacked Slot Machines and Plotted Over Stolen Sweets
The New York Times
How the Trump-Russia Data Machine Games Google to Fool Americans
Paste
An Ad Network That Helps Fake News Sites Earn Money Is Now Asking Users To Report Fake News
BuzzFeed
How The Intercept Outed Reality Winner
ErrataSec
The Internet Is Where We Share—and Steal—the Best Ideas
The New York Times
Why We Lie: The Science Behind Our Deceptive Ways
National Geographic
While EU Copyright Protests Mount, the Proposals Get Even Worse
EFF
Re: Alleged engineer says red light cameras may misissue tickets
John Levine
Joseph Brennan
Re: Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless?
Kelly Bert Manning
Re: Software is forever... Re: WannaCry
Geoffrey Keating
Re: Robot Copilot Lands 737
Roderick A Rees
Re: What Happens When Your Car Gets Hacked?
David E. Ross
Info on RISKS (comp.risks)

Russian malware communicates by leaving comments in Britney Spears's Instagram account (BoingBoing)

Lauren Weinstein <lauren@vortex.com>
Wed, 7 Jun 2017 21:02:55 -0700
NNSquad
http://boingboing.net/2017/06/07/watering-holes.html

  A new analysis by Eset shows that Turla is solving its C&C problems by
  using Britney Spears' Instagram account as a cut-out for its C&C
  servers. Turla moves the C&C server around, then hides the current address
  of the server in encrypted comments left on Britney Spears's image
  posts. The compromised systems check in with Spears's Instagram whenever
  they need to know where the C&C server is currently residing.


Russian Gang Hacked Slot Machines and Plotted Over Stolen Sweets (The New York Times)

Monty Solomon <monty@roscom.com>
Thu, 8 Jun 2017 06:10:50 -0400
Federal authorities on Wednesday charged 31 people with roles in an
organized-crime scheme that pursued old-fashioned and novel forms of
racketeering.
https://www.nytimes.com/2017/06/07/nyregion/russian-eurasian-organized-crime.html


How the Trump-Russia Data Machine Games Google to Fool Americans (Paste)

Lauren Weinstein <lauren@vortex.com>
Wed, 7 Jun 2017 12:37:24 -0700
  "I'm going to show you one specific weapon in this war that's being used
  against you and me and the United States right now: Google. There are
  other information weapons, such as bots and fake news sites, but other
  stories have those pretty well covered. But before we get started, though,
  two things to keep in mind: First, most of us don't even know we're in
  this war yet. You don't know when you've been wounded, when you've been
  killed. And that's the whole point: You're not supposed to.  Second, the
  attacks in this war aren't aimed at your enemies.  You attack your own
  side."


An Ad Network That Helps Fake News Sites Earn Money Is Now Asking Users To Report Fake News (BuzzFeed)

Lauren Weinstein <lauren@vortex.com>
Mon, 5 Jun 2017 20:17:02 -0700
NNSquad
https://www.buzzfeed.com/craigsilverman/an-ad-network-that-works-with-fake-news-sites-just-launched?utm_term=.lm3aKGqzK#.xabvWQPXW

  An ad network launched a new initiative to "continue the fight against
  fake news" at the same time it was working with 21 websites that have
  published fake news stories, according to a review conducted by BuzzFeed
  News.


How The Intercept Outed Reality Winner (ErrataSec)

Monty Solomon <monty@roscom.com>
Tue, 6 Jun 2017 09:56:33 -0400
How The Intercept Outed Reality Winner
http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

  [See also:
The easy trail that led the feds to Reality Winner ...
https://www.washingtonpost.com/news/morning-mix/wp/2017/06/06/the-easy-trail-that-led-the-feds-to-reality-winner-alleged-source-of-nsa-leak/

The latest NSA leak is a reminder that your bosses can see your every move
The case of Reality Winner, the 25-year-old woman arrested and accused of
linking classified information, shows the limits of your privacy at work.
https://www.washingtonpost.com/news/the-switch/wp/2017/06/07/the-latest-nsa-leak-is-a-reminder-that-your-bosses-can-see-your-every-move/
  ]


The Internet Is Where We Share—and Steal—the Best Ideas (The New York Times)

Monty Solomon <monty@roscom.com>
Tue, 6 Jun 2017 08:29:05 -0400
The Internet Is Where We Share—and Steal—the Best Ideas
https://www.nytimes.com/2017/06/06/magazine/the-internet-is-where-we-share-and-steal-the-best-ideas.html

The schism between those driving cultural conversations online and those
profiting from them has us questioning ownership in the digital age.


Why We Lie: The Science Behind Our Deceptive Ways

Monty Solomon <monty@roscom.com>
Tue, 6 Jun 2017 02:47:15 -0400
http://www.nationalgeographic.com/magazine/2017/06/lying-hoax-false-fibs-science/


While EU Copyright Protests Mount, the Proposals Get Even Worse (EFF)

Lauren Weinstein <lauren@vortex.com>
Mon, 5 Jun 2017 17:47:46 -0700
NNSquad
https://www.eff.org/deeplinks/2017/05/while-eu-copyright-protests-mount-proposals-get-even-worse

  This week, EFF joined Creative Commons, Wikimedia, Mozilla, EDRi, Open
  Rights Group, and sixty other organizations in signing an open letter
  [PDF] addressed to Members of the European Parliament expressing our
  concerns about two key proposals for a new European "Digital Single
  Market" Directive on copyright.  These are the "value gap" proposal to
  require Internet platforms to put in place automatic filters to prevent
  copyright-infringing content from being uploaded by users (Article 13) and
  the equally misguided "link tax" proposal that would give news publishers
  a right to compensation when snippets of the text of news articles are
  used to link to the original source (Article 11).

If the EU proceeds with any of this nonsense, they risk being effectively
cut off the Internet from the rest of the world as far as most popular
services are concerned. EU citizens are being sold down the river by their
own politicians. Presumably they'll be cutting off the electricity next, and
bringing back The Plague.


Re: Alleged engineer says red light cameras may misissue tickets (RISKS-30.30)

"John Levine" <johnl@iecc.com>
6 Jun 2017 15:41:59 -0000
This is the same guy who was fined by the Oregon Board of Examiners for
Engineering for calling himself an engineer in letters that he wrote to
them, based on an unusual and ambiguously worded Oregon law about licensing
professional engineers.  (It's not unusual to have a licensing law, it's
unusual for the law to have broad restrictions on speech.)

https://www.nytimes.com/2017/04/30/business/traffic-light-fine.html

Järlström sued them in federal court, and it's not looking good for
the state.  In a preliminary injunction last week, the state agreed
permanently not to try to prevent Järlström from speaking about
engineering or traffic lights or calling himself an engineer:

http://ij.org/wp-content/uploads/2017/05/Agreed-PI-signed-by-judge.pdf

It appears that Oregon is a slow learner.  Here's an article about a
case 20 years ago where they did the same thing to an academic
geologist who was testifying against a proposed project under a
professional geologist licensing law. They lost that one, too:
https://www.theatlantic.com/politics/archive/2017/05/license-to-speak/525450/


Re: "Red Light Cameras May Issue Some Tickets"

Joseph Brennan <brennan@columbia.edu>
Tue, 6 Jun 2017 12:58:45 -0400
Oregon is one of the minority of states with a "restrictive yellow" traffic
law.  The driver is expected to stop at a yellow signal unless the driver
"cannot stop in safety" in which case the driver must "drive cautiously
through the intersection" and yet almost in contradiction to driving
cautiously the driver must also be clear of the intersection before the red
signal. The arguments in the case have to do with the definition of being
able to "stop in safety" based on many factors-- how far the driver is from
the intersection, how fast the driver might legally be moving, and even the
type of vehicle and whether the driver intends to turn. The length of the
yellow phase therefore is critical because of the requirement to be out of
the intersection before the red signal.

In the other 37 states, entering the intersection on yellow is permitted,
and only *entering* on red is a violation. I have learned for the first time
from looking things up just now that my own state of New Jersey is
restrictive while New York where I learned to drive is permissive. On the
road I have seen little sign that any driver in New Jersey knows about this!

Here, Appendix A, pages 19-23 give the rules state by state
http://www.jarlstrom.com/PDF/Exhibit_1_FINAL_An_investigation_of_the_ITE_formula_and_its_use_R14.pdf


Re: Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless?

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Tue, 6 Jun 2017 18:24:50 -0400 (EDT)
If memory serves me correctly I heard MIT Prof Nancy Leveson say that one of
the reasons she rarely takes a flight on an Airbus plane is that Airbus and
Boeing have different philosophies about what to do when Automation and
pilots have opposite views of what the controls should make the plane do.

Dr. Leveson said that in the end Boeing will have the plane do what the
pilots want it to do, but they might have to use all their strength to
oppose the automation.

Airbus gives automation the last say about what the plane should do,
sometimes with disastrous results.

I believe that Dr. Leveson said she took an Airbus flight once, when the
alternative was spending a night in downtown Chicago.

  [Second prize was Two nights in downtown Chicago?  PGN]


Re: Software is forever... Re: WannaCry (Grossman, RISKS-30.30)

Geoffrey Keating <geoffk@geoffk.org>
05 Jun 2017 16:30:47 -0700
There's another option than those four: vendors can arrange for the software
to stop working when its support period ends, and tell the customer to
arrange for an upgrade as necessary; whether that means buying a new
lightbulb, plugging a USB stick into their car, or just clicking the button
for "yes, ok, I give in, I will upgrade".

You might think this is dangerous; but then, so is the current state.  So
which is the greatest danger?  How bad would the state need to be before
this last option starts looking good?


Re: Robot Copilot Lands 737 (RISKS-30.30)

Roderick A Rees <rarees@frontier.com>
Tue, 6 Jun 2017 08:43:24 -0700
"The risk? Second Officer Robo Pilot not having been programmed for an
unusual and very bad situation. Say, a bird strike on both engines leaving
NYC's LaGuardia Airport or an incapacitated human pilot. Nice corporate
goal, "reduced crew operations while ensuring that aircraft performance and
mission success are maintained or improved"—and it does mention
safety—but I wonder about handling those occasional oddities where human
experience shines.experience. Aren't some aircraft designated two-crew for
good reasons?"

Right—the pilots are there to deal with the designers' mistakes and
inadequate assumptions.  Shawn Coyle, a very experienced helicopter test
pilot, wrote that of all the many emergencies he had had to deal with, not
one was like those that the designers had told him to prepare for.  Without
him, the machine would have crashed, expensively.  Automation enthusiasts
have for decades been saying that pilots should be abolished; but in a
recent blog, an air transport pilot said that “Yes, the aircraft can fly
itself, but the crew have their hands near the controls the whole time, to
take over when the automatic system messes up - and it does mess up.''

The greatest problem is over-confidence by the designers.  The Airbus Chief
Test Pilot was killed because he did not understand how the Alpha Floor,
which is supposed to prevent stalls, actually worked - which means it had
not been properly explained to him. And Air France 447, for example, need
not have crashed; but the designers and Air France assumed that pilots no
longer needed to be taught how to fly the aircraft when the automatic system
does not cope correctly.

This is found in other fields too, when it is assumed that complex logic
must be right; but the more complex the logic, the less likely it is to be
correct, usually because the input assumptions are inadequate or false (as
the Lockheed rep was quoted as saying about an F-22 problem,  “There are
millions of lines of code in there and you can't check everything.''

None of this is dealt with just by saying that complex logic is now to be
called Artificial Intelligence.

And two-valued logic in itself has many limitations.

  [But it might be safer and faster than Trans-Turing computations with
  conceptually unbounded precision!  PGN]


Re: What Happens When Your Car Gets Hacked? (RISKS-30.30)

"David E. Ross" <david@rossde.com>
Mon, 5 Jun 2017 14:36:48 -0700
Bruce Schneier states
 > It's only older unpatched systems on your computer that are vulnerable.
and then goes on to state
 > Most people have set up their computers and phones to automatically
 > apply these patches, and the whole thing works seamlessly.

Much of that is quite true.  The problem is that the latest patched Windows
10 was still vulnerable to the WannaCrypt ransomware.

Worse, patches often contain bugs that can make things worse instead of
better.  For that reason, many of the more knowledgeable Windows 7 users
block automatic patches (a capability denied to Windows 10 users).  They
wait a week or more to see what other experience with new patches before
accepting them.

Since the end of 2014, Microsoft's record of patches has been dismal.
At least 39 patches issued since then were defective and had to be
replaced.  That is more than one defective patch a month.  Three
replacement patches themselves were also defective and had to be replaced.

Please report problems with the web pages to the maintainer

x
Top