The RISKS Digest
Volume 30 Issue 6

Friday, 30th December 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

FBI/DHS Unclassified Summary Technical Report re Russian Hacking Attacks on U.S.
Documentcloud
How Russia Recruited Elite Hackers for Its Cyberwar
The NYTimes
Obama Strikes Back at Russia for Election Hacking
The NYTimes
It's Incredibly Easy to Tamper with Someone's Flight Plan, Anywhere on the Globe
Motherboard
Pixel Security: Better, Faster, Stronger
GoogleBlog
Advertising's Moral Struggle: Is Online Reach Worth the Hurt?
The NYTimes
White House: Robots may take half of our jobs
Henry Baker
"14 eyebrow-raising things Google knows about you"
JR Raphael
German Fake News debate: "False Opinion" destabilizes
Thomas Koenig
Facebook's Safety Check, Now Automated, Turns a Firecracker Into an Explosion
The NYTimes
Britney Spears reminds fans she's very much alive after death hoax
USAToday
Fake Academe, Looking Much Like the Real Thing
The NYTimes
OSCE security monitors targeted by hackers
BBC
Bid for Access to Amazon Echo Audio in Murder Case Raises Privacy Concerns
The NYTimes
For Millions of Immigrants, a Common Language: WhatsApp
The NYTimes
Why Some of Your Holiday Gifts Might Not Fly
The NYTimes
Re: MSFT $927M tech support contract
John Levine
Re: SHAME ON YOU, GOOGLE!
Bob Wilson
Re: Is no place sacred from surveillance?
on Jenna Wortham via HB
Scholarships for Women Studying Information Security
Jeremy Epstein
Info on RISKS (comp.risks)

FBI/DHS Unclassified Summary Technical Report re Russian Hacking Attacks on U.S. (Documentcloud)

Lauren Weinstein <lauren@vortex.com>
Fri, 30 Dec 2016 08:28:15 -0800
Documentcloud via NNSquad
https://assets.documentcloud.org/documents/3248260/DHS-FBI-analysis-of-Russian-hackers.pdf


How Russia Recruited Elite Hackers for Its Cyberwar

Monty Solomon <monty@roscom.com>
Thu, 29 Dec 2016 15:03:23 -0500
http://www.nytimes.com/2016/12/29/world/europe/how-russia-recruited-elite-hackers-for-its-cyberwar.html

The government scouted a wide range of civilian programmers in recent years,
even criminals, while expanding its cyberwarfare abilities.

While much about Russia's cyberwarfare program is shrouded in secrecy,
details of the government's effort to recruit programmers in recent years --
whether professionals like Mr. Vyarya, college students, or even criminals
-- are shedding some light on the Kremlin's plan to create elite teams of
computer hackers.


Obama Strikes Back at Russia for Election Hacking

Monty Solomon <monty@roscom.com>
Thu, 29 Dec 2016 15:03:01 -0500
http://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html

The Obama administration said it was tossing out 35 intelligence operatives
and imposing sanctions on Russian intelligence services and officers.

  [Editorial comment:
     We must always remember that the allegedly secure systems on which we
     must depend are nowhere near secure enough.  Furthermore, security is
     often compromised by simple social engineering and other low-hanging
     bad fruit, irrespective of the technology.  Nevertheless, nation-state
     hacking into other nations' systems is reprehensible.  However, it is
     very likely to happen—especially as long as one's system and network
     security is so weak, and one's overall national computer literacy is so
     inadequate.  PGN]


It's Incredibly Easy to Tamper with Someone's Flight Plan, Anywhere on the Globe

Monty Solomon <monty@roscom.com>
Tue, 27 Dec 2016 11:12:19 -0500
http://motherboard.vice.com/read/global-travel-booking-systems-open-to-fraud-and-abuse

  [This involves a decades-old back-end Global Distribution system that is
  hopelessly vulnerable and is being regularly exploited.  No meaningful
  authentication.  Almost all you need is the six-character reservation
  code.  Exploitable hacks were apparently being discussed on 27 Dec at the
  annual Chaos Communication Conference.  Legacy, schmegacy!  PGN]


Pixel Security: Better, Faster, Stronger

Monty Solomon <monty@roscom.com>
Mon, 26 Dec 2016 17:59:13 -0500
https://security.googleblog.com/2016/11/pixel-security-better-faster-stronger.html


Advertising's Moral Struggle: Is Online Reach Worth the Hurt? (The NYTimes)

Lauren Weinstein <lauren@vortex.com>
Tue, 27 Dec 2016 09:19:42 -0800
NNSquad
http://www.nytimes.com/2016/12/26/business/media/advertising-online-ads-fake-news-google.html?partner=rss&emc=rss

  "Honestly, the long tail is to advertising what subprime was to
  mortgages," he said. "No one knows what's in it, but it helps people
  believe that there is a mysterious tonnage of impressions that are really
  low cost. But low-cost impressions would mean low-cost human
  attention. How can any publisher of quality content survive on low-cost
  impressions?"  Marc Goldberg, chief executive of Trust Metrics, an ad
  safety vendor, said the effort to remove bad actors ignored the fact that
  many advertisers value impressions over everything else.  They would
  rather not choose and monitor what websites they are appearing on, he
  said, because they worry they will miss out on potentially lucrative
  destinations.  "What they're doing is introducing all of these bad sites
  into our ecosystem and not having the means to monitor them appropriately
  and effectively," he said. "The big problem in our industry is our
  expectations of scale are not aligned with reality."


White House: Robots may take half of our jobs

Henry Baker <hbaker1@pipeline.com>
Tue, 27 Dec 2016 14:13:10 -0800
What are the risks of robots in the White House?  If a robot can drive, why
not a robot that tweets at 3am?

The White House could use more automation, but could a robot deal with the
lack of a "W" key?

Also, does a robot requires Senate confirmation?

https://secure.marketwatch.com/story/white-house-robots-may-take-half-of-our-jobs-and-we-should-embrace-it-2016-12-21
https://www.whitehouse.gov/sites/whitehouse.gov/files/documents/Artificial-Intelligence-Automation-Economy.PDF

White House: Robots may take half of our jobs

Will artificial intelligence have unintended consequences?


"14 eyebrow-raising things Google knows about you" (JR Raphael)

Gene Wirchenko <genew@telus.net>
Wed, 28 Dec 2016 09:27:03 -0800
JR Raphael, *Computerworld*, 28 Dec 2016
Some are fascinating, others are frightening—but here's how to
find out what Google has on you
http://www.infoworld.com/article/3150925/privacy/14-eyebrow-raising-things-google-knows-about-you.html


German Fake News debate: "False Opinion" destabilizes

Thomas Koenig <tkoenig@netcologne.de>
Wed, 28 Dec 2016 15:37:03 +0100
There is an amusing (or, alternatively, chilling) tidbit on the German "fake
news" debate.

Michael Grosse-Brömer is Parliamentary Chairman of the CDU, the party of
Chancellor Merkel. He made a short video teaser for a TV broadcast on ZDF,
the public-service TV broadcaster, about "fake news".  In this, he said (my
translation)

"We have to take notice, supported by findings of journalists, scientists
and intelligence agencies, that there are a lot of people on the Net who
want to destabilize, who spread false opinion, who want to
manipulate. Politics has to deal with this, especially before election
campaigns."

Yes, he said "spread false opinion" ("falsche Meinung verbreiten" in the
original German).

Viewer comments ranged from "Finally, a politician who speaks the truth" to
"Freudian slip, he said what he thinks, not what he wanted to say".

Interestingly enough, the ZDF pulled the video and resulting viewer comments
without comment or explanation.

Grosse-Brömer later stated on Twitter that he meant to say "spread false
reports" ("Falsche Meldungen verbreiten").

In view of the efforts create a "Ministry of Truth" within the German
government (see RISKS-30.05), this is rather chilling.

Here is the video, including the original sound track:
https://twitter.com/berlindirekt/status/809786307648036865

And here some more analysis of his texts, in German:
http://www.tichyseinblick.de/meinungen/destabilisierende-falsche-meinung-bitte-was/


Facebook's Safety Check, Now Automated, Turns a Firecracker Into an Explosion

Monty Solomon <monty@roscom.com>
Thu, 29 Dec 2016 19:45:27 -0500
http://www.nytimes.com/2016/12/29/world/asia/facebook-safety-check-bangkok.html

The social network automatically linked to a bogus article about an
explosion in Thailand and appeared to conflate it with a 2015 bombing.


Britney Spears reminds fans she's very much alive after death hoax

Monty Solomon <monty@roscom.com>
Wed, 28 Dec 2016 10:57:50 -0500
http://www.usatoday.com/story/life/entertainthis/2016/12/27/britney-spears-tweets-death-hoax/95869094/


Fake Academe, Looking Much Like the Real Thing

Monty Solomon <monty@roscom.com>
Fri, 30 Dec 2016 10:14:58 -0500
Sham scholarly publications and academic conferences without rigor reflect a
legitimate problem: too many Ph.D. holders chasing too few credentials.
http://www.nytimes.com/2016/12/29/upshot/fake-academe-looking-much-like-the-real-thing.html


OSCE security monitors targeted by hackers (BBC)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 28 Dec 2016 10:20:38 PST
The OSCE (international monitoring organization) says its IT systems were
hit by cyberattackers.

http://www.bbc.com/news/world-europe-38451064


Bid for Access to Amazon Echo Audio in Murder Case Raises Privacy Concerns

Monty Solomon <monty@roscom.com>
Thu, 29 Dec 2016 19:46:26 -0500
Arkansas investigators are seeking access to what may have been recorded on the electronic personal assistant.
http://www.nytimes.com/2016/12/28/business/amazon-echo-murder-case-arkansas.html


For Millions of Immigrants, a Common Language: WhatsApp

Monty Solomon <monty@roscom.com>
Fri, 30 Dec 2016 01:43:14 -0500
With the ability to communicate securely and free, the messaging app has
become a mainstay for those who have left their homes for the unknown.
http://www.nytimes.com/2016/12/21/technology/for-millions-of-immigrants-a-common-language-whatsapp.html


Why Some of Your Holiday Gifts Might Not Fly

Monty Solomon <monty@roscom.com>
Fri, 30 Dec 2016 01:43:46 -0500
Airlines are wary of drones and other devices with powerful batteries. And
they won't be as delighted as you are with that virtual reality headset.
http://www.nytimes.com/2016/12/26/business/why-some-of-your-holiday-gifts-might-not-fly.html


Re: MSFT $927M tech support contract (Macintyre, R 30 05)

"John Levine" <johnl@iecc.com>
27 Dec 2016 01:41:41 -0000
FYI, Bill Gates now owns about 4% of Microsoft's stock.
It's a big contract for Microsoft, but it's irrelevant for Gates.


Re: SHAME ON YOU, GOOGLE!

Bob Wilson <wilson@math.wisc.edu>
Tue, 27 Dec 2016 13:02:33 -0600
In addition to fearing the results if governments try to label truth and
falsehood, I certainly see little likelihood of that happening at least in
the USA. In any grocery store checkout line there will be tabloid
"newspapers" which present as truth all sorts of falsehoods. I see people
reading them while waiting to check out, and occasionally buying them. When
some celebrity thinks he/she has been damaged by an article, photograph,
etc., and sues, these papers have consistently used the defense that
"everybody knows we are just publishing material we created, for
entertainment, with no claim to fact". (But I think many readers never heard
that defense and subscribe to the "If it is in print it must be true"
position.) These seem to me to be quite like the false news sites, but the
US government has so far as I know never made any attempt to control them,
and I suspect it would be thrown out on 1st Amendment grounds if it were
tried.

This does not mean I really want this attack on our national belief system
to continue without legal action of some sort. But the only action I can
imagine having a significant effect has no chance of happening, somehow
educating and motivating our population to think.


Re: Is no place sacred from surveillance? (on Jenna Wortham)

Henry Baker <hbaker1@pipeline.com>
Wed, 28 Dec 2016 07:08:09 -0800
  [I thought Churchix was a bad joke 18 months ago, but apparently not;
  here's a *NYTimes* article from yesterday.  HB]

Jenna Wortham, *The New York Times*, 27 Dec 2016
Finding Inspiration for Art in the Betrayal of Privacy

http://www.nytimes.com/2016/12/27/magazine/finding-inspiration-for-art-in-the-betrayal-of-privacy.html

"There was an interactive demonstration on a widely used program called
"Churchix," a facial-recognition tool licensed to churches that records and
logs the identities of people entering the premises."


Scholarships for Women Studying Information Security

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 28 Dec 2016 10:10:07 -0500
Since 2011, Applied Computer Security Associates, sponsor of the ACSAC,
NSPW, LAW, and LASER conferences, has offered scholarships for women in
security-related undergraduate and masters' degree programs through the
Scholarships for Women Studying Information Security (SWSIS, www.swsis.org).

Thanks to a $250,000 4-year contribution by Hewlett Packard Enterprise (HPE)
in early 2014, ACSA expanded our program to award 11 scholarships for the
2014-15 academic year, 16 for the 2015-16 academic year, and 16 for the
2016-17 academic year. The Committee on the Status of Women in Computing
Research (CRA-W), an arm of the Computing Research Alliance, led selection
of scholarship winners.  Information about the 49 SWSIS Scholars
(scholarship winners) is available at www.swsis.org.

ACSA, CRA-W, and HPE are pleased to announce that applications for
2017-18 scholarships are accepted Dec 15 2016 - Feb 1 2017.

To apply, an applicant must provide:
* An essay describing her interest and background in the information
  security field.
* A current transcript.
* A resume or CV.
* At least two letters of reference (typically from faculty members).
* Her university name and class status.

The scholarship is renewable for a second year subject to availability of
funds, given proof of satisfactory academic progress and available
funds. Scholars must be US citizens or permanent residents; funds are
available for use at any US campus of a US university.

More information at www.swsis.org or swsis@swsis.org

Jeremy Epstein, Director, Scholarship Programs
Applied Computer Security Associates, Inc.
Founder & Managing Director, SWSIS

Rebecca Wright, CRA-W Scholar Selection Director
Computing Research Association Committee on the Status of Women in
Computing Research

Please report problems with the web pages to the maintainer

x
Top