The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 38

Monday 17 July 2017

Contents

A Solar Eclipse Could Wipe Out 9,000 Megawatts of Power Supplies
Bloomberg
Massachusetts tax system blocks payments, sends refunds in error
MassLive
The AlphaBay Takedown Sends Dark Web Markets Reeling
WiReD
Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts
UpGuard
How Fake News Goes Viral—Here's the Math
Scientific American
While Some Cry 'Fake,' Spotify Sees No Need to Apologize
The New York Times
Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest Malicious Campaigns Ever Recorded on a Social Network'
Gizmodo
Elon Musk says preventing a 'fleet-wide hack' is Tesla's top security priority
Electrek
Weekend Video Extra: A Prescient Warning re: AI and Robotics, from 1956!
Lauren Weinstein
Your pacemaker is spying on you
Mark Thorson
Leaping Kangaroos
Anthony Thorn
Paper ballots
Tom Donilon
To avoid cyberattacks, Israel urged to manually count election results
Haaretz
UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials
The Washington Post
Re: Western tech firms bow to Russian demands to share cybersecrets
Martyn Thomas
Re: DIY devices let car owners add autonomous features to vehicles
Simon Wright
Re: Funny how these articles are all the same
Jonathan Levine
Re: Press kits or other publications on thumb drives?
Kelly Bert Manning
Review: "Twitter and Tear Gas," by Zeynep Tufekci
Bruce Schneier
Info on RISKS (comp.risks)

Bloomberg: A Solar Eclipse Could Wipe Out 9,000 Megawatts of Power Supplies

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, Jul 16, 2017 at 6:29 PM
  [via Dave Farber]

... a recurring but unexplained phenomenon keeps shutting down *all*
solar power in the country for as much as 14 hours at a time.
Scientists have not yet named the frightening event, although some
have suggested adapting the French term "La nuit" or German's "Der
Nacht".

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Massachusetts tax system blocks payments, sends refunds in error (MassLive)

Monty Solomon <monty@roscom.com>
Sat, 15 Jul 2017 11:14:30 -0400
http://www.masslive.com/business-news/index.ssf/2017/07/massachusetts_tax_system_blocks_payments.html


The AlphaBay Takedown Sends Dark Web Markets Reeling (WiReD)

Monty Solomon <monty@roscom.com>
Sat, 15 Jul 2017 19:34:40 -0400
https://www.wired.com/story/alphabay-takedown-dark-web-chaos/

Not since the days of the now-legendary Silk Road has a single site
dominated the dark web's black market as completely, and for as long, as the
online bazaar known as AlphaBay. And with the news that the site has been
torn down by a law enforcement raid--and one of its leaders found dead in a
Thai prison—the dark web drug trade has fallen into a temporary state of
chaos.

https://www.wired.com/story/alphabay-takedown-dark-web-chaos/


Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts (UpGuard)

Lauren Weinstein <lauren@vortex.com>
Fri, 14 Jul 2017 07:51:23 -0700
via NNSquad
https://www.upguard.com/breaches/verizon-cloud-leak

  The data repository, an Amazon Web Services S3 bucket administered by a
  NICE Systems engineer based at their Ra'anana, Israel headquarters,
  appears to have been created to log customer call data for unknown
  purposes; Verizon, the nation's largest wireless carrier, uses NICE
  Systems technology in its back-office and call center operations. In
  addition, French-language text files stored in the server show internal
  data from Paris-based telecommunications corporation Orange S.A.--another
  NICE Systems partner that services customers across Europe and Africa.
  Beyond the risks of exposed names, addresses, and account information
  being made accessible via the S3 bucket's URL, the exposure of Verizon
  account PIN codes used to verify customers, listed alongside their
  associated phone numbers, is particularly concerning.  Possession of these
  account PIN codes could allow scammers to successfully pose as customers
  in calls to Verizon, enabling them to gain access to accounts--an
  especially threatening prospect, given the increasing reliance upon mobile
  communications for purposes of two-factor authentication.


How Fake News Goes Viral—Here's the Math (Scientific American)

Lauren Weinstein <lauren@vortex.com>
Fri, 14 Jul 2017 07:56:21 -0700
NNSquad
https://www.scientificamerican.com/article/how-fake-news-goes-viral-mdash-heres-the-math/

  Models similar to those used to track disease show what happens when too
  much information hits social media networks.


While Some Cry 'Fake,' Spotify Sees No Need to Apologize (The New York Times)

Monty Solomon <monty@roscom.com>
Sat, 15 Jul 2017 09:40:04 -0400
Spotify's playlists are dotted with hundreds of songs done by composers under pseudonyms, but the company says it is just soliciting music to meet demand.
https://www.nytimes.com/2017/07/14/business/media/while-some-cry-fake-spotify-sees-no-need-to-apologize.html


Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest Malicious Campaigns Ever Recorded on a Social Network' (Gizmodo)

Lauren Weinstein <lauren@vortex.com>
Mon, 17 Jul 2017 10:37:03 -0700
via NNSquad
http://gizmodo.com/nearly-90-000-sex-bots-invaded-twitter-in-one-of-the-la-1796985630

  Last week, Twitter's security team purged nearly 90,000 fake accounts
  after outside researchers discovered a massive botnet peddling links to
  fake "dating" and "romance" services. The accounts had already generated
  more than 8.5 million posts aimed at driving users to a variety of
  subscription-based scam websites with promises of—you guessed it—hot
  Internet sex.


Elon Musk says preventing a 'fleet-wide hack' is Tesla's top security priority

Lauren Weinstein <lauren@vortex.com>
Mon, 17 Jul 2017 08:39:48 -0700
via NNSquad
https://electrek.co/2017/07/17/tesla-fleet-hack-elon-musk/?utm_content=buffer304a1&utm_medium=social&utm_source=plus.google.com&utm_campaign=buffer

  He followed with an interesting example of what someone could do with that
  kind of access: "In principles, if someone was able to say hack all the
  autonomous Teslas, they could say - I mean just as a prank - they could
  say 'send them all to Rhode Island' [laugh] - across the United
  States... and that would be the end of Tesla and there would be a lot of
  angry people in Rhode Island."  And that's like a best case scenario.
  Musk continued with what Tesla is doing to try to prevent that: "We gotta
  make super sure that a fleet-wide is basically impossible and that if
  people are in the car, that they have override authority on whatever the
  car is doing. If the car is doing something wacky, you can press a button
  that no amount of software can override and ensure that you gain control
  of the vehicle and cut the link to the servers."

But governments will demand access to data from and control over autonomous
vehicles, both individually and en masse, no matter what Musk or other
manufacturers want. Autonomous vehicles represent the greatest potential for
government control over individuals in the history of mankind.


Weekend Video Extra: A Prescient Warning re: AI and Robotics, from 1956!

Lauren Weinstein <lauren@vortex.com>
Sat, 15 Jul 2017 09:27:56 -0700
https://www.youtube.com/watch?v=qtpRMsDuH74


Your pacemaker is spying on you

Mark Thorson <eee@sonic.net>
Fri, 14 Jul 2017 21:45:35 -0700
It seems to me that any allegation that the pacemaker data is evidence of
anything should require, at a minimum, establishment of a cause --> effect
relationship published in peer-reviewed literature.  Lacking that, it's just
like tarot cards or something.
  http://www.bbc.com/news/technology-40592520


Leaping Kangaroos (Re: Horsfall, RISKS-30.37)

Anthony Thorn <anthony.thorn@atss.ch>
Sat, 15 Jul 2017 21:47:58 +0200
I am reluctant to question an Australian's statement about kangaroos, but
surely a taller object would appear to be nearer than it really is?


Paper ballots (Tom Donilon)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 16 Jul 2017 18:12:37 PDT
Tom Donilon, National Security Advisor 2010-2013, advocates for paper
ballots in his opinion piece
https://www.washingtonpost.com/opinions/russia-will-be-back-heres-how-to-hack-proof-the-next-election/2017/07/14/f085e870-67d5-11e7-a1d7-9a32c91c6f40_story.html?utm_term=.1be864cac68d

Tom Donilon, *The Washington Post*, 14 Jul 2017
Russia will be back. Here's how to hack-proof the next election.
Russian President Vladimir Putin and President Trump meet at the G-20
summit in Hamburg on July 7. (Evan Vucci/Associated Press) [PGN-ed]

Tom Donilon was national security adviser to President Barack Obama from
2010 to 2013. In 2016, he chaired the President's Commission on Enhancing
National Cybersecurity.

We now know that Russian President Vladimir Putin ordered a comprehensive
effort to interfere with the 2016 presidential election. This mission
involved the cybertheft and strategic publication of politically sensitive
emails, the placement and amplification of misinformation on social media,
overt propaganda and efforts to penetrate the systems of dozens of state
election authorities.

This is not speculation or political posturing; it is the public and
high-confidence conclusion of the U.S. intelligence community. And it is
wholly consistent with past Soviet and Russian use of active measures --
intelligence operations meant to shape an adversary's political decisions --
with the strategic goal of undermining the integrity of and confidence in
the West. Modern technology has only increased the speed, scale and efficacy
of such actions.  This would be alarming even as a one-time occurrence, but
as former FBI director James B. Comey recently warned, They will be back.

The fact is that, so far, Putin has paid too small a price to meaningfully
deter him in the future.

Here are five concrete steps the United States should take to meet this
ongoing threat to our democracy:

First, President Trump must unequivocally acknowledge Russia's attack on the
2016 election and clearly state that any future attack on our democratic
institutions will not be tolerated.  [...]

Second, the Department of Homeland Security and the Election
Assistance Commission (EAC) should lead a process to develop election
baseline cybersecurity guidelines and help states implement these best
practices.  [...]

Third, we must develop a better system for sharing information between state
and federal officials. While the U.S. election system is decentralized, the
threats against it are not confined to state borders.  [...]

Fourth, we must engage in a national policy discussion about the roles
and responsibilities of our social media platforms and the steps they
should take to protect our democracy from malign interference.  [...]

Fifth, the United States should work within international forums to
establish the principle that an attack on election systems violates
the principles of noninterference and sovereignty and would justify a
robust response.  [...]

These are steps we can take to help secure the future of our democratic
institutions in the cyber-age. We are on notice. We must act now.


To avoid cyberattacks, Israel urged to manually count election results

"Peter G. Neumann" <peter.neumann@sri.com>
Mon, 17 Jul 2017 14:28:10 -0700
Middle East Monitor (Israel), Jul 14 2017 [PGN-ed]
<https://www.middleeastmonitor.com/category/region/middle-east/israel/>

*Haaretz* reported yesterday that Israel's National Cyber Authority is
expected to recommend the manual counting of votes in future elections
in order to prevent cyberattacks, following recent attempts to meddle
with elections in the West,

Formed 18 months ago, the authority is working on a defence plan against
possible meddling in Israeli elections through cyberattacks similar to what
recently took place in the United States, France and Ukraine.  It will
recommend that votes continue to be counted manually in Israel, as they
always have, even if this is an outdated method.

However, *Haaretz* noted that other aspects of the election campaign and
preparations for Election Day are also exposed to cyberattacks and need
protection.  Citing cyberexperts, they report that Israel is aware that
countries and groups seek to disrupt Israeli elections, and that there is a
growing risk they might succeed in their endeavour.


UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 16 Jul 2017 23:05:06 -0400
https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html


Re: Western tech firms bow to Russian demands to share cybersecrets (Youngman, RISKS-30.37)

Martyn Thomas <martyn@thomas-associates.co.uk>
Sat, 15 Jul 2017 16:31:43 +0100
Maybe I have forgotten the context of Youngman's email but I don't
understand what point he is making. ALL engineering depends on mathematics,
because math-based methods are far more likely to lead to dependable systems
than using math-free methods. What methods would he recommend?

All reasoning depends on axioms. Does Youngman eschew reasoning?

https://www.gresham.ac.uk/professorships/it-professorship/


Re: DIY devices let car owners add autonomous features to vehicles (Said, RISKS-30.37)

Simon Wright <simon@pushface.org>
Sat, 15 Jul 2017 08:34:23 +0100
> Risks (totally unmentioned, and often left to the imagination of RISKS
> readers) might include (for example), ...

And probably invalidating your insurance.


Re: Funny how these articles are all the same (Goldberg, RISKS-30.37)

Jonathan Levine <jonathan.canuck.levine@gmail.com>
Sat, 15 Jul 2017 16:29:30 -0600
No surprise here.  Tapscott, a "futurist" (and now with his son), has a
well-established history as an uncritical Internet cheerleader, and he's
simply applying his MO to the Next Big Thing.  Hard to sell books and get
lecturing gigs otherwise.


Re: Press kits or other publications on thumb drives? (Goldberg, RISKS-30.37)

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Sat, 15 Jul 2017 17:47:11 -0400 (EDT)
> "How do you check out shrink-wrapped commercial thumb drives?"

The commercial antivirus installed on my home computer automatically scans
any portable media connected via a USB port. The scan continues unless
stopped explicitly.

Doing away with auto run was a good start.

That said, scanning only works for detectable malware.

Custom or low volume malware may evade scans for a long time, unless the
people using it get stupid or the check monitors patterns of access to
storage and network.

Michael Haephrati and his "clients" got caught when he used his custom
malware to hack ex-relatives after a bitter divorce, then posted draft novel
excerpts written by one of them on the web.

Ironically the novel portrayed police investigating IT crimes as
unresponsive and ineffective. In life Israeli Law Enforcement action was
timely and very effective. Life is not compelled to imitate Art.

http://www.networkworld.com/article/2344015/security/four-private-investigators-in-the-israeli-trojan-fiasco-sentenced--finally-.html
https://www.theguardian.com/world/2005/may/31/israel
https://en.wikipedia.org/wiki/Amnon_Jackont#Trojan_horse_exposure


"Twitter and Tear Gas," by Zeynep Tufekci

Bruce Schneier <schneier@schneier.com>
Sat, 15 Jul 2017 00:25:08 -0500
Bruce Schneier, CTO, IBM Resilient  https://www.schneier.com
CRYPTO-GRAM, July 15, 2017  [PGN-excerpted]

For back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.

      Book Review: "Twitter and Tear Gas," by Zeynep Tufekci

There are two opposing models of how the Internet has changed protest
movements. The first is that the Internet has made protesters mightier than
ever. This comes from the successful revolutions in Tunisia (2010-11), Egypt
(2011), and Ukraine (2013). The second is that it has made them more
ineffectual. Derided as "slacktivism" or "clicktivism," the ease of action
without commitment can result in movements like Occupy petering out in the
US without any obvious effects. Of course, the reality is more nuanced, and
Zeynep Tufekci teases that out in her new book "Twitter and Tear Gas."

Tufekci is a rare interdisciplinary figure. As a sociologist, programmer,
and ethnographer, she studies how technology shapes society and drives
social change. She has a dual appointment in both the School of Information
Science and the Department of Sociology at University of North Carolina at
Chapel Hill, and is a Faculty Associate at the Berkman Klein Center for
Internet and Society at Harvard University. Her regular "New York Times"
column on the social impacts of technology is a must-read.

Modern Internet-fueled protest movements are the subjects of "Twitter and
Tear Gas." As an observer, writer, and participant, Tufekci examines how
modern protest movements have been changed by the Internet—and what that
means for protests going forward. Her book combines her own ethnographic
research and her usual deft analysis, with the research of others and some
big data analysis from social media outlets. The result is a book that is
both insightful and entertaining, and whose lessons are much broader than
the book's central topic.

"The Power and Fragility of Networked Protest" is the book's subtitle.  The
power of the Internet as a tool for protest is obvious: it gives people
newfound abilities to quickly organize and scale. But, according to Tufekci,
it's a mistake to judge modern protests using the same criteria we used to
judge pre-Internet protests. The 1963 March on Washington might have
culminated in hundreds of thousands of people listening to Martin Luther
King Jr. deliver his "I Have a Dream" speech, but it was the culmination of
a multi-year protest effort and the result of six months of careful planning
made possible by that sustained effort. The 2011 protests in Cairo came
together in mere days because they could be loosely coordinated on Facebook
and Twitter.

That's the power. Tufekci describes the fragility by analogy. Nepalese
Sherpas assist Mt. Everest climbers by carrying supplies, laying out ropes
and ladders, and so on. This means that people with limited training and
experience can make the ascent, which is no less dangerous—to sometimes
disastrous results. Says Tufekci: "The Internet similarly allows networked
movements to grow dramatically and rapidly, but without prior building of
formal or informal organizational and other collective capacities that could
prepare them for the inevitable challenges they will face and give them the
ability to respond to what comes next." That makes them less able to respond
to government counters, change their tactics—a phenomenon Tufekci calls
"tactical freeze"—make movement-wide decisions, and survive over the long
haul.

Tufekci isn't arguing that modern protests are necessarily less effective,
but that they're different. Effective movements need to understand these
differences, and leverage these new advantages while minimizing the
disadvantages.

To that end, she develops a taxonomy for talking about social movements.
Protests are an example of a "signal" that corresponds to one of several
underlying "capacities." There's narrative capacity: The ability to change
the conversation, as Black Lives Matter did with police violence and Occupy
did with wealth inequality. There's disruptive capacity: The ability to stop
business as usual. An early Internet example is the 1999 WTO protests in
Seattle. And finally, there's electoral or institutional capacity: The
ability to vote, lobby, fund raise, and so on. Because of various
"affordances" of modern Internet technologies, particularly social media,
the same signal—a protest of a given size—reflects different
underlying capacities.

This taxonomy also informs government reactions to protest movements.  Smart
responses target attention as a resource. The Chinese government responded
to 2015 protesters in Hong Kong by not engaging with them at all, denying
them camera-phone videos that would go viral and attract the world's
attention. Instead, they pulled their police back and waited for the
movement to die from lack of attention.

If this all sounds dry and academic, it's not. "Twitter and Tear Gas" is
infused with a richness of detail stemming from her personal participation
in the 2013 Gezi Park protests in Turkey, as well as personal on-the-ground
interviews with protesters throughout the Middle East—particularly Egypt
and her native Turkey—Zapatistas in Mexico, WTO protesters in Seattle,
Occupy participants worldwide, and others. Tufekci writes with a warmth and
respect for the humans that are part of these powerful social movements,
gently intertwining her own story with the stories of others, big data, and
theory. She is adept at writing for a general audience, and—despite being
published by the intimidating Yale University Press—her book is more
mass-market than academic. What rigor is there is presented in a way that
carries readers along rather than distracting.

The synthesist in me wishes Tufekci would take some additional steps, taking
the trends she describes outside of the narrow world of political protest
and applying them more broadly to social change. Her taxonomy is an
important contribution to the more-general discussion of how the Internet
affects society. Furthermore, her insights on the networked public sphere
has applications for understanding technology-driven social change in
general. These are hard conversations for society to have. We largely prefer
to allow technology to blindly steer society or—in some ways worse --
leave it to unfettered for-profit corporations.  When you're reading
"Twitter and Tear Gas," keep current and near-term future technological
issues such as ubiquitous surveillance, algorithmic discrimination, and
automation and employment in mind. You'll come away with new insights.

Tufekci twice quotes historian Melvin Kranzberg from 1985: "Technology is
neither good nor bad; nor is it neutral." This foreshadows her central
message. For better or worse, the technologies that power the networked
public sphere have changed the nature of political protest as well as
government reactions to and suppressions of such protest.

I have long characterized our technological future as a battle between the
quick and the strong. The quick—dissidents, hackers, criminals,
marginalized groups—are the first to make use of a new technology to
magnify their power. The strong are slower, but have more raw power to
magnify. So while protesters are the first to use Facebook to organize, the
governments eventually figure out how to use Facebook to track
protesters. It's still an open question who will gain the upper hand in the
long term, but Tufekci's book helps us understand the dynamics at work.

This essay originally appeared on Vice Motherboard.
https://motherboard.vice.com/en_us/article/43dx3j/twitter-and-tear-gas-review

The book:
https://www.twitterandteargas.org/
https://www.amazon.com/Twitter-Tear-Gas-Fragility-Networked/dp/0300215126/

Tufekci:
https://twitter.com/zeynep
https://www.nytimes.com/column/zeynep-tufekci

Please report problems with the web pages to the maintainer

Top