The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 39

Saturday 22 July 2017

Contents

Authorities shut down two black markets on the Darknet
NYTimes
On Reddit, Intimate Glimpses of Addicts in Thrall to Opioids
NYTimes
To tackle online crime, Israel approves web censorship law
Times of Israel
Uber and Airbnb Want To Tap Into India's Massive and Controversial Biometric Database
Gizmodo
FBI To Parents: Watch Out For Kids' Privacy With Internet-Connected Toys
Consumerist
Wifi Webcam TENVIS sends all it knows to dvripc.cn
turgut kalfaglu
PSA: Update iPhones/iPads to iOS 10.3.3 now to fix serious wifi vulnerability allowing attacker complete control
Geoff Goodfellow
Watch a Homemade Robot Crack a Safe in Just 15 Minutes
WiReD
TV computer weather animation proves global warming
Gabe Golding
Risks of hoarding vulnerabilies
Belfer Center et al.
9-year standoff between Ireland's DP Commissioner & Statistics Office
Bernard Lyons
Mixed standard output and error streams
Diomidis Spinellis
Connected cars—where to attack first?
FPF
Ransomware attack puts KQED in low-tech mode
San Francisco Chronicle
Facebook fights fake news spread via modified link previews
TechCrunch
Re: Charging Phone Kills 14-Year-Old Girl in Bathtub"
Paul Fenimore
Re: Your pacemaker is spying on you
Rich Wales
Re: Western tech firms bow to Russian demands to share cybersecrets
Anthony Youngman
Martin Ward
Anthony Youngman
Re: Press kits or other publications on thumb drives?
Geoffrey Keating
Ivan Jager
Kelly Bert Manning
Re: Leaping Kangaroos
Dave Horsfall
Amos Shapir
Power outages caused by squirrels vs. kangaroos to date
PGN
Info on RISKS (comp.risks)

Authorities shut down two black markets on the Darknet

Monty Solomon <monty@roscom.com>
Fri, 21 Jul 2017 05:58:12 -0400
Nathaniel Poppower and Rebecca Ruiz, *The New York Times*, 21 Jul 2017
The authorities took control of one large site, Hansa Market, and covertly
operated it to catch refugees fleeing the closing of the largest market,
AlphaBay.
https://www.nytimes.com/2017/07/20/business/dealbook/alphabay-dark-web-opioids.html


On Reddit, Intimate Glimpses of Addicts in Thrall to Opioids

Monty Solomon <monty@roscom.com>
Fri, 21 Jul 2017 09:06:01 -0400
https://www.nytimes.com/2017/07/20/us/opioid-reddit.html

Dispatches left on a now-banned forum show the role one of the world's
largest online communities played in facilitating access to drugs tied to a
mounting toll.


To tackle online crime, Israel approves web censorship law

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Jul 2017 11:18:46 -0400
To tackle online crime, Israel approves web censorship law Courts may now
order providers to block terror group websites, online illegal gambling,
prostitution services, hard drug sales.  ...

The court order may be issued only if it is essential to halting the
criminal activity taking place online; or essential to prevent the exposure
of the Israeli user to an activity that, would it be done in Israel, would
be a crime, and the website's activity has some connection to Israel; or if
the website belongs to a terror organization.

In certain cases, if the owner of the website is Israel-based, the court may
order the provider to seek the website's removal, rather than merely
restricting access, it said.

The courts may also order search engines to remove the websites from their
search results and may rely on classified government testimony to make their
decision. All affected parties must be present in court, the law said,
unless they were summoned and failed to appear. ...

http://www.timesofisrael.com/to-tackle-online-crime-israel-approves-web-censorship-law/


Uber and Airbnb Want To Tap Into India's Massive and Controversial Biometric Database

Lauren Weinstein <lauren@vortex.com>
Wed, 19 Jul 2017 13:56:47 -0700
NNSquad
http://gizmodo.com/uber-and-airbnb-want-to-tap-into-india-s-massive-and-co-1797066488

  The national ID database, Aadhar, contains information on about 90 percent
  of India's population of 1.3 billion people, as well as people working and
  living in the country.  Aadhar was launched in 2009 as a way to inhibit
  fraud and improve access to welfare and healthcare. But the
  biometric-based system has been criticized as Orwellian and dangerous
  because it can be used to monitor residents and because the nation has no
  privacy regulations. According to a report from India's Centre for
  Internet and Society, about 130 million citizens were put at risk of fraud
  after Aadhar data was recently leaked online.  Earlier this month,
  Microsoft also integrated Aadhar into Skype Lite, but the company said it
  will keep user information encrypted. As more companies use Aadhar data,
  the risk of personal data being leaked will likely increase.  Anonymous
  sources at Airbnb, Uber, and Ola told BuzzFeed News how the companies
  planned to use the controversial system.  Airbnb is interested in using
  the database to authenticate India-based hosts and is already testing it
  with a sample of users, according to an Airbnb spokesperson. Hosts
  selected for the test are given the option to use Aadhar to verify their
  identity.


FBI To Parents: Watch Out For Kids' Privacy With Internet-Connected Toys

Gabe Goldberg <gabe@gabegold.com>
Fri, 21 Jul 2017 16:07:44 -0400
A basketball, a Lego set, or a box of crayons is largely what it seems, but
modern smart toys and entertainment devices for kids have a lot of things in
them that can collect sensitive data. And as more and more of a kid's
nursery fills up with gadgets that connect to Bluetooth, the web, or parent
apps, the feds are advising parents to be wary.

The FBI's public service announcement doesn't outright say not to buy
connected toys, but it does say that parents and caretakers need to be aware
of the vulnerabilities smart toys present.

https://consumerist.com/2017/07/19/fbi-to-parents-watch-out-for-kids-privacy-with-internet-connected-toys/


Wifi Webcam TENVIS sends all it knows to dvripc.cn

turgut kalfaglu <turgut@kalfaoglu.com>
Tue, 18 Jul 2017 07:47:32 +0300
I have purchased several wifi webcams, but the TENVIS webcam is unique;
every few minutes, I see a GET request going out from my LAN, to China.

Here is its log from squid cache - using which I blocked the webcam's
outbound requests:

1497330724.676    278 192.168.1.99 TCP_DENIED/403 5976 GET
http://post.dvripc.cn/post/post.aspx?xmldata=%3c%3fxml+version%3d%221.0%22+encoding%3d%22gb2312%22%3f%3e%0d%0a+%3cdvs+dvsid%3d%220018A977AF83%22+domainname%3d%2277AF83%22+corpid%3d%22%22++dvsname%3d%22IPCAM%22+dvsip%3d%22192.168.1.99%22+webport%3d%2280%22+ctrlport%3d%228200%22+protocol%3d%22tcp%22++userid%3d%22root%22+password%3d%22mypassword%22+model%3d%22C006-A1080003%22+postfrequency%3d%2260%22+version%3d%22H150602%22+status%3d%220%22+serverip%3d%220.0.0.0%22+serverport%3d%2280%22+transfer%3d%222%22+mobileport%3d%2215961%22+channelcount%3d%221%22%3e%0d%0a%3cdv+channel%3d%220%22+dvname%3d%22Channel01%22+status%3d%221%22+%2f%3e%0d%0a%3c%2fdvs%3e%0d%0a
- HIER_NONE/- text/html

(Modified IP addresses and password)

Risks are obvious: Trust a webcam to keep you private, but it sends
everything to "post.dvripc.cn" instead.  Nowhere in the configuration does
it mention that it sends information to some "cloud".


PSA: Update iPhones/iPads to iOS 10.3.3 now to fix serious wifi vulnerability allowing attacker complete control

geoff goodfellow <geoff@iconia.com>
Thu, 20 Jul 2017 18:41:49 -1000
It's always a good idea to accept iOS dot updates as soon as they are
available as they generally have significant security fixes. But iOS 10.3.3
<https://9to5mac.com/2017/07/19/ios-10-3-3/>, released yesterday, fixes one
particularly nasty vulnerability, making a swift update a particularly good
idea.

Apple's security document <https://support.apple.com/en-us/HT207923>
describes it in rather mundane-sounding terms.

Impact: An attacker within range may be able to execute arbitrary code on
the Wi-Fi chip

Description: A memory corruption issue was addressed with improved memory
<handling.

*But what Nitay Artenstein of Exodus Intelligence discovered—and reported
to Apple—was that it was able to exploit the issue to run code in the
main application processor.  In other words, gain complete control of your
device.*

*The underlying issue is a weakness in the Broadcom BCM43xx family of wifi
chips. These are used in every iPhone from the iPhone 5 to iPhone 7, as well
as 4th-gen iPad and later, and iPod Touch 6th gen. But Artenstein found a
way to leverage control of the wifi chip to then take control of the main
processor.*

Now that the vulnerability is fixed, Artenstein will be sharing full
details at the Black Hat conference
<https://www.blackhat.com/us-17/briefings/schedule/#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets-7603>next
week.

It's not the first time that a bug has allowed an attacker to take control
of an iPhone via wifi. Back in 2015, attackers were able to completely
disable <https://9to5mac.com/2015/04/22/security-flaw-ios-carriers/> any
device running iOS 8 within range of a given wifi network.

https://9to5mac.com/2017/07/20/broadpwn-wifi-vulnerability-iphone-ipad/

  N.B. in the articles comments: "most Android users won't get this
  fix at all," vis-a-vis "... fix serious wifi vulnerability allowing
  attacker complete control"


Watch a Homemade Robot Crack a Safe in Just 15 Minutes

Gabe Goldberg <gabe@gabegold.com>
Fri, 21 Jul 2017 18:12:36 -0400
Last Christmas, Nathan Seidle's wife gave him a second-hand safe she'd found
on Craigslist. It was, at first glance, a strange gift. The couple already
owned the same model, a $120 SentrySafe combination fire safe they'd bought
from Home Depot. But this one, his wife explained, had a particular feature:
The original owner had locked it and forgotten the combination. Her
challenge to Seidle: Open it.

Seidle isn't much of a safecracker. But as the founder of the Niwot,
Colorado-based company SparkFun, a DIY and open-source hardware supplier,
he's a pretty experienced builder of homemade gadgets, tools, and robots. So
over the next four months, he and his SparkFun colleagues set about building
a bot that could crack the safe for them. The result: A fully automated
device, built from off-the-shelf and 3-D printed components, that can open
his model of SentrySafe in a maximum of 73 minutes, or half that time on
average, with no human interaction. In fact, in the demonstration Seidle
gave WIRED in the video above, the process took just 15 minutes.

https://www.wired.com/story/watch-robot-crack-safe/


TV computer weather animation proves global warming

Gabe Goldberg <gabe@gabegold.com>
Fri, 21 Jul 2017 13:15:18 -0400
https://www.youtube.com/watch?v=iXuc7SAyk2s


Risks of hoarding vulnerabilies

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 21 Jul 2017 8:23:41 PDT
http://www.belfercenter.org/sites/default/files/files/publication/Vulnerability%20Rediscovery.pdf

https://jia.sipa.columbia.edu/sites/default/files/attachments/Healey%20VEP.pdf

https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf


9-year standoff between Ireland's DP Commissioner & Statistics Office

Bernard Lyons <bernard.lyons@mac.com>
Thu, 20 Jul 2017 21:11:41 +0100
A project by [Ireland's] Central Statistics Office proposing to track
tourists and Irish residents traveling abroad using mobile phone roaming
data has been described as *surveillance at its worst* by a world-renowned
privacy expert.

The statistics office wants to compel mobile operators to transfer to it
monthly the details of phones or users roaming on the networks, as well as
the dates and times of their calls.

It has been in a stand-off with the Data Protection Commissioner for almost
nine years on the legality of the proposal, but said last week it had found
an *innovative technical solution* to anonymise the phone records.

The commissioner's office has described the project as *disproportionate*
and *extraordinary*.

Dr Ann Cavoukian, executive director of the Privacy and Big Data Institute
at Ryerson University in Toronto, and former information and privacy
commissioner for Ontario, said she was *appalled* by the proposal,
particularly given the *negative messaging* from the commissioner.  [...]

Full article
<https://www.irishtimes.com/business/technology/cso-mobile-phone-plan-surveillance-at-its-worst-privacy-expert-1.3159979>


Mixed standard output and error streams

Diomidis Spinellis <dds@aueb.gr>
Tue, 18 Jul 2017 12:22:54 +0300
A student sent me a shell script attached in an email.  My mail program
wouldn't display it, so I tried to view it through the email's source code.
This also didn't work, because the script was base64-encoded.  Rather than
saving the attachment and opening it with an editor, I lazily copied the
text into the clipboard and run "base64 -d /dev/clipboard".  This is what I
got.

#!/bin/bash

input_file=$1
echo "Input file:" $input_filebase64: invalid input

I first thought that the student had sent me a wrong incomplete script.  I
then realized that the actual output, intermixed with the base64 error
message was a plausible shell script.  The risks are obvious; here is a
possible solution.

Now that we all have color screens and work with smart terminal emulators,
it would make sense for terminal emulators to subtly color a program's
standard error stream, so as to make it distinguishable from its standard
output.  This would also educate novice users on the difference between the
two types of outputs, and encourage tool authors to properly use the two
types of streams.  While at it, coloring folded lines would also help us
read streams with long lines (e.g. log files) and, again, educate novice
users on the folly of writing such text.

Diomidis Spinellis - https://www.spinellis.gr


Connected cars—where to attack first?

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Jul 2017 17:21:02 -0400
https://fpf.org/2017/06/29/infographic-data-connected-car-version-1-0/

https://www.ftc.gov/news-events/events-calendar/2017/06/connected-cars-privacy-security-issues-related-connected

Videos:
https://www.ftc.gov/news-events/audio-video/video/connected-cars-privacy-security-issues-related-connected-automated-0


Ransomware attack puts KQED in low-tech mode

Gabe Goldberg <gabe@gabegold.com>
Wed, 19 Jul 2017 10:47:28 -0400
The journalists at San Francisco's public TV and radio station, KQED, have
been stuck in a time warp.  All Internet-connected devices, tools and
machinery have been cut off in an attempt to isolate and contain a
ransomware attack that infected the station's computers on 15 Jun.  More
than a month later, many remain offline.

Though the stations' broadcasts have been largely uninterrupted—minus a
half-day loss of the online stream on the first day of the attack—KQED
journalists said every day has brought new challenges and revealed the
immeasurable ways the station, like many businesses today, has become
dependent on Internet-connected devices.

“It's like we've been bombed back to 20 years ago, technology-wise,'' said
Queena Kim, a senior editor at KQED.  “You rely on technology for so many
things, so when it doesn't work, everything takes three to five times longer
just to do the same job.''

http://www.sfchronicle.com/business/article/Ransomware-attack-puts-KQED-in-low-tech-mode-11295175.php


Facebook fights fake news spread via modified link previews (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Tue, 18 Jul 2017 15:33:14 -0700
via NNSquad
https://techcrunch.com/2017/07/18/facebook-link-preview-modification/?ncid=rss

  Until now, any Facebook Page that posted a link could change the headline,
  body text and image that appeared in the News Feed preview.  That allowed
  fake news distributors to bait-and-switch readers into visiting articles
  they didn't expect, or make it look like legitimate news publishers were
  posting inflammatory or false headlines. But it also let real news outlets
  A/B test link previews, tailor content to different audiences and update
  previews as news stories evolved.  To combat false news without stifling
  responsible publications, Facebook is now starting to disable the ability
  of all Pages to edit the previews of the links they post in the Page
  composer or API, with an exemption for some original publishers.


Re: Charging Phone Kills 14-Year-Old Girl in Bathtub" (Harriet Sinclair re: RISKS-30.38)

Paul Fenimore <fenimore@swcp.com>
Wed, 19 Jul 2017 03:27:32 -0600
I claim the biggest risk here is not principally poor user education --
which is on-going for a Century or more. Instead, regardless of particulars
in this case (the essential technical detail about the presence or absence
of ground-fault protection is missing from the news articles), the
fundamental risk associated with allowing grand-fathered electrical circuits
to continue operating without a clear sunset provision for older, unsafe
circuits. I am not claiming this fundamental problem is easy solve. I am
claiming the problem of old installations is the real problem.

The persistent risk of shock in wet *and damp* environments observed
over the decades has not been radically reduced by the population
becoming more familiar with electricity and widgets. Education cannot
and will not solve this problem because 120V 15A 60Hz electrical power
in wet *and damp* environments is fundamentally unsafe without
engineering controls. The technical basis for the risk is a ground-fault
current, and addressing that risk *as an engineering challenge* is the
only effective means of mitigating a fundamental risk associated with
wet environments. The National Electric Code (US) specifies that
electric power sockets in these *high risk* areas be "protected" by a
ground-fault interrupter. There are also special rules for the presence
of power cabling in wet and damp environments even without a socket.

There is an analogy of old power circuit designs to old software that is
not maintained but continues to operate in the high-risk environments
found on networks.

[There is something to be said for understanding the basics of
technology. GW]

Harriet Sinclair, *Newsweek*, 11 Jul 2017
http://www.newsweek.com/teenager-madison-coe-killed-after-using-cell-phone-bath-635208

opening text:

A teenager has been killed after using her cell phone in the bath and
suffering an electric shock.


Re: Your pacemaker is spying on you (Thorson, RISKS-30.38)

Rich Wales <richw@richw.org>
Wed, 19 Jul 2017 22:28:02 -0700
Any discussion of the forensic value of pacemaker data should certainly
mention the 2000 death of David Crawford in Australia, whose time of death
was precisely established through analysis of his pacemaker—thus
disproving the alibi offered by his killer.  There is, to be sure, a
difference between the (presumably) steadily beating heart of an accused
arsonist one the one hand, and the non-beating heart of a murder victim on
the other.


Re: Western tech firms bow to Russian demands to share cybersecrets (Thomas, RISKS-30.38)

Wols Lists <antlists@youngman.org.uk>
Tue, 18 Jul 2017 11:19:27 +0100
There were two points. First, reasoning is HARD. It takes time, and
(like cryptography) many problems have no solution that can be computed
in the time we have available.

> All reasoning depends on axioms. Does Youngman eschew reasoning?

And second, that reason is itself unreasonable ... ?

The thing with axioms is they have this sneaky little habit of turning out
to be unreliable—we get them wrong, we pick the wrong ones, etc.  And
Godel proved that this is not our fault, this is actually the fundamental
nature of an axiom.

So no, I'm actually all in favour of reasoning, and logical thought.  What I
am against is glib calls for it treating it as if it is a "magic bullet",
with no regard to its failings.

I'm a scientist. I've seen too many examples of "the wrong maths in the
wrong place", leading to mathematically perfect but practically erroneous
results. (My favourite example, Euclid's "parallel lines never meet" leads
to Newtons laws of motions, which are mathematically perfect but clearly
erroneous.) Formal mathematical proofs are only as good as the assumptions,
or axioms, on which they are based. And both experience and formal
mathematical proofs—Godel's theorem—lead me to the inevitable
conclusion that these axioms will have holes in them.


Re: Western tech firms bow to Russian demands to share cybersecrets (Youngman, RISKS-30.38)

Martin Ward <martin@gkc.org.uk>
Thu, 20 Jul 2017 14:41:00 +0100
The last occasion when a flaw was discovered in the axioms used to prove the
correctness of programs (logic and basic set theory) was Russell's Paradox:
discovered in 1901, partially fixed by Russell's theory of types in 1903,
and resolved in 1908.  Putting to one side questions concerning the Axiom of
Choice and various large cardinal axioms (which are not relevant to proofs
in computer science) there have been no subsequent flaws uncovered in the
axioms in over a century.  We cannot prove that the axioms are consistent
(cf Godel), but the axioms have survived the entire history of electronic
computing so far and so can probably be relied on in the future!

As Martyn Thomas points out, *all* engineering depends on mathematics.
Engineering also depends on the "laws" of physics: which have been revised
several times over the last century.  But engineers use physics and
mathematics extensively because they know that these methods are far more
likely to lead to dependable systems.

> Then of course, there is the little problem that any program of any size
> will likely exhibit knapsack complexity, i.e., an automated proof would
> take longer than the universe has existed.

Most formal-methods researchers do not advocate writing a program in an
informal way, and then attempting to prove it correct.  Instead, we develop
methods for deriving code from specifications such that the code guaranteed
to be correct by construction.  For example, in my paper "Provably Correct
Derivation of Algorithms Using FermaT" (Formal Aspects of Computing, Volume
26, Issue 5, pp 993--1031, 2013) I derived a program for polynomial addition
using Knuth's four-way linked list data structure.  The first time I ran the
program it crashed :-( But I soon noticed a typo: I had mistyped a variable
name when typing up the code from my written notes.  After fixing this typo
the program ran correctly, and was tested by running it continuously for
several days.  The derived algorithm also turned out to be over twice as
fast as Knuth's algorithm in "Fundamental Algorithms" Vol 1.  I then derived
a program to solve the more complex problem of polynomial
multiplication. This time I took more care with my typing, and the program
ran correctly first time.

Martyn Thomas <martyn@thomas-associates.co.uk> writes:
> All reasoning depends on axioms. Does Youngman eschew reasoning?

There is (alas) a new and growing area of research under the heading
"empirical software engineering" which does appear to eschew reasoning.  A
program is deemed "correct" if and only if it passes its test suite.
Various automated and semi-automated ways of modifying the program are being
investigated: any modification which passes the test suite is deemed to be
"correct". For example, "empirical slicing" may be defined as "delete random
sections of code and call the result a valid slice if it passes the
regression test". Program semantics and program analysis are considered to
be "too difficult" by these researchers, and therefore are not attempted.

Regular RISKS readers will no doubt already be wondering how such methods
avoid introducing security holes: given that a security hole will not
necessarily prevent the program from passing its test suite (unless the
tests happen to include the carefully crafted data which triggers the
security hole!) As far as I can tell, the answer is: they don't!

Dr Martin Ward | Email: martin@gkc.org.uk | http://www.gkc.org.uk


Re: Western tech firms bow to Russian demands to share cybersecrets (Thomas, RISKS-30.39)

Wols Lists <antlists@youngman.org.uk>
Thu, 20 Jul 2017 18:24:45 +0100 cybersecrets (Ward, RISKS-30.38)
> The last occasion when a flaw was discovered in the axioms used
> to prove the correctness of programs (logic and basic set theory)
> was Russell's Paradox:

And? The maths was flawed, it was incorrect.

My problem is people using the wrong maths—it's correct but
inappropriate.  Like I said, Newton's laws of motion are mathematically
correct, but useless for calculating the path of a spacecraft ...

> But engineers use physics and mathematics extensively because they know
> that these methods are far more likely to lead to dependable systems.

And as I learnt on Groklaw, philosophers seem to divide into two camps.  The
majority view appears to be that Mathematics tells the Universe what to do.
I seem to be in the minority believing that Mathematics describes what the
Universe does.

That doesn't mean that mathematics is any less important to those of us in
the second camp. It just makes us rather more skeptical about the assumption
that a proof means the program will run correctly.  (Regardless of that, my
personal attitude is that the time spent doing it formally is time very well
spent.)

> ...

I got my first programming job based on top 'A'-level grades so have no
formal computer qualifications. That said, it always seems to have been me
pushing for formal methods, good programming practice, etc etc. I tend to
program top down by defining the problem and refining it into a program -
quite like the mechanism you describe :-) (And I've seen what happens when
such a program is "improved" by someone ignoring the proof logic :-)

My position is quite simple - formal methods and proofs are time well
spent, but given that the foundations of mathematics are themselves
provably unprovable, a complete formal proof is impossible. That's not
saying they're not worth having.


Re: Press kits or other publications on thumb drives? (Manning, RISKS-30.38)

Geoffrey Keating <geoffk@geoffk.org>
17 Jul 2017 23:28:03 -0700
High-value targets probably shouldn't rely on that.  A random object
inserted into a USB port might not actually be a thumb drive; it might be a
chip that impersonates a keyboard and/or mouse and takes over your system.
Or it might be a perfectly functional blank thumb drive that's been
additionally programmed to impersonate a keyboard at some time in the
future.


Re: Press kits or other publications on thumb drives? (Manning, RISKS-30.38)

Ivan Jager <aij+@mrph.org>
Tue, 18 Jul 2017 17:21:08 +0000
I believe the RISK being referred to is that of assuming that an untrusted
USB gadget will present itself as a mass storage device when you plug it
into a *general-purpose* bus on your computer. (As opposed to a keyboard,
mouse, network adapter, USB hub, etc.)

Most computers these days will accept input from a new USB keyboard without
requiring any configuration.

Your antivirus may be able to scan media for known malicious content, but it
cannot scan circuits.


Re: Press kits or other publications on thumb drives? (Jager, RISKS-30.39)

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Tue, 18 Jul 2017 14:36:20 -0400 (EDT)
For me this risk comes up most often when I get Conference Proceedings on a
USB drive, rather than downloading individual presentations one by one from
a web server.

At the annual local Privacy and Security conference someone always does a
demo of a WiFi Pineapple type interception of wireless traffic, so I started
doing an optical disk boot of Tails OS at conferences, and mentioned that to
the session presenter last time it happened. Those events might be places
where folks with the skills might see a challenge or an opportunity.

I check that the mass storage device scan is starting. Windows 8 seems to
prompt me that a new USB device has been installed if it detects a new USB
device that is not a mass storage drive.

The risk of malware in circuitry is a good point. Weren't news organisations
that had received copies of documents from the Snowden Document Dump ordered
to turn chips from devices and peripherals such as keyboards over to
NSA-GCHA, not just hard drives and removable storage media?

The implication is that long-term data recording may involve writable chip
memory within workstations and peripheral devices. A USB connected "device"
could be in that category.


Re: Leaping Kangaroos (Thorn, RISKS-30.38)

Dave Horsfall <dave@horsfall.org>
Thu, 20 Jul 2017 11:00:02 +1000 (EST)
In RISKS-30.38, Anthony Thorn wrote:

> I am reluctant to question an Australian's statement about kangaroos,
> but surely a taller object would appear to be nearer than it really is?

Although Australian (well, British/Australian, to be precise), I don't claim
to be an expert on our hopping fauna, but I believe the system measures from
the bottom of the object to the perceived road surface, thus a mid-air
marsupial appears to be further away than it really is.  How it handles kids
on pogo-sticks is anyone's guess...  Does anyone know for sure how it works?

Dave Horsfall, North Gosford, NSW, Australia


Re: Leaping Kangaroos (Thorn, RISKS-30.38)

Amos Shapir <amos083@gmail.com>
Thu, 20 Jul 2017 18:52:19 +0300
For the same reason the leaping man in this photograph
<http://www.trendingly.com/weird-perspectives/3>  seems to be farther away
-- a near object above ground and a far object on the ground occupy the
same place on the 2D plane of the camera.


Power outages caused by squirrels vs. kangaroos to date

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 18 Jul 2017 11:48:15 PDT
  [From CyberSquirrel1 data as of 18 Jul 2017; cumulative?]

Squirrel	1018
Bird	         528
Unknown	         130
Snake	          95
Raccoon	          85
Rat	          45
Marten	          23
aCat	          22
Beaver	          16
Jellyfish	  13
Monkey	          11
Possum	          11
Eagle	           8
Bat	           7
Rodent	           5
Gopher	           4
Elephant	   3
Mouse	           3
Deer	           2
Fox	           2
Lizard	           2
Bear	           2
Marmot	           2
Frog	           2
Slug	           1
Shark	           1
Duck	           1
Chicken	           1
Caterpillar	   1
Mongoose	   1
Leopard	           1
Bobcat	           1
Baboon	           1
Kangaroo	   1  <=====!

  [Incidentally, SRI recently had what I think was our eighth total outage
  in Menlo Park (although our co-generation plant continued to function this
  time).  However, that is irrelevant when applied to self-driving cars in
  Australia.  A few years from now, the kangaroos on Australian roadways may
  seriously outrank the squirrels in causing highway accidents, whereas the
  squirrels are very unlikely to have any significant impact {!!!} on the
  vehicles or on passengers.  PGN]

Please report problems with the web pages to the maintainer

Top