The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 66

Sunday 22 April 2018

Contents

Don't Blame Me for Facebook's Privacy Crisis
Ross Anderson
Facebook and Cambridge Analytica
CRYPTO-GRAM
Cambridge Analytica and the Coming Data Bust
NY Times
Palantir Knows Everything About You
Bloomberg
American elections are too easy to hack. We must take action now
Bruce Schneier
Instant Runoff Voting
Stephen H. Unger
Time for airplane engine diversity?
Christine Negroni
Deutsche Bank Inadvertently Made a $35 Billion Payment in a Single Transaction
Bloomberg
Blockchain Kiddy Porn
Rebecca Mercuri
Browser Standard WebAuthn Could Usher in a Password-Free Future
WiReD
Teen charged in Nova Scotia government breach says he had 'no malicious intent'
CBC News
Two vendors now sell iPhone cracking technology and police are buying
Lucas Mearian
"12+ things you can do with a locked iPhone"
Jonny Evans
France builds WhatsApp rival due to surveillance risk
Reuters
"Android security: Your phone's patch level says you're up to date, but that may be a lie"
Liam Tung
In a Leaked Memo, Apple Warns Employees to Stop Leaking Information
Mark Gurman
"Fake Android apps used for targeted surveillance found in Google Play"
Zack Whittaker
"Swim at your own risk: How botched IoT can sink your precious first-world life"
Jason Perlow
Police use Experian Marketing Data for AI Custody Decisions
Big Brother Watch
A call to regulate the use of AI
Nature
Yahoo and AOL just gave themselves the right to read your emails *again*
CNET
FCC dings T-Mobile $40M for faking rings on calls that never connected
TechCrunch
The EU's horrific and tyrannical "Right To Be Forgotten"— as described in 1944 George Orwell
Lauren Weinstein
China's Xi says Internet control key to stability
Reuters
Moscow State University Team Wins Gold in ACM ICPC Programming Contest
ACM Bulletins
Re: "A bad day with mobile 2FA"
Dmitri Maziuk
Re: Fox News accidentally puts up a poll graphic that shows how they are the least-trusted network
Bob Rahe
Re: Windows security: Microsoft patch for Outlook password leak bug 'not a full fix'
Kelly Bert Manning
Info on RISKS (comp.risks)

Don't Blame Me for Facebook's Privacy Crisis (Ross Anderson)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 14 Apr 2018 18:13:40 PDT
Ross Anderson, *New Scientist*, 13 April 2018
Don't blame academics like me for Facebook's privacy crisis
http://www.newscientist.com/article/2166331-dont-blame-academics-like-me-for-facebooks-privacy-crisis/

Mark Zuckerberg wonders what is going on at Cambridge University—I can
tell him, but he won't like what privacy researchers have found, says Ross
Anderson

Mark Zuckerberg has tried to deflect blame for Facebook's privacy crisis by
pointing the finger at my university. "We do need to understand whether
there was something bad going on in Cambridge University overall, that will
require a stronger action from us," he told the US Senate this week.

There is a short answer to that, and a deeper one. The short answer is that
when Aleksandr Kogan, the researcher whose "This Is Your Digital Life" app
is at the heart of the current row, applied to use the data collected by his
company in university research, our ethics committees turned him down flat.
The reason? While the people who installed his app had consented to their
data being used in research, their Facebook 'friends' had not.

The deeper answer goes back almost 10 years, to when I asked two PhD
candidates to choose a topic. They said *Facebook privacy*.  Seeing my
astonishment, one of them said "We don't expect a married guy like you to
appreciate this, but in Cambridge all the party invitations come via
Facebook, so if you're not on Facebook you go to no parties, you meet no
girls, you have no sex, so you have no kids and your genes die out. It's a
Darwinian imperative to be on Facebook. Yet you seem to have no
privacy. We're wondering if it's possible to fix that."

Six months later, they gave it up as hopeless. Facebook operates by
providing users with a false sense of security, of being in a private and
intimate space, so they put lots of sensitive information online—which
Facebook's advertisers can then use to target them.

Opting out is made deliberately difficult. Yet thanks to a decade of data on
students' privacy preferences, we now know that as time goes by, ever more
users discover Facebook's privacy settings and figure out how to use them.
Facebook responds with periodic redesigns that often reset people to
*sharing* their data with advertisers by default. As a result, users have to
learn new and often confusing privacy controls. Yet, after each reset, more
people choose to opt out.

Academia has indeed got a lot to say about Facebook and privacy, but maybe
not the things that Mr Zuckerberg wants to hear. Facebook is powerful not
because it has great products, but because of network effects; people need
to use the tools that everyone else uses. Competing firms such as Instagram
and WhatsApp get bought out. And research shows that, although people often
disregard privacy, they are starting to learn not to.

Ross Anderson is professor of security engineering at the University of
Cambridge Computer Laboratory.


Facebook and Cambridge Analytica (CRYPTO-GRAM)

Bruce Schneier <schneier@schneier.com>
Sun, 15 Apr 2018 01:18:29 -0500
Bruce Schneier (CTO, IBM Resilient), CRYPTO-GRAM, 15 April 2018 [PGN Excerpted]
  schneier@schneier.com  http://www.schneier.com

In the wake of the Cambridge Analytica scandal, news articles and
commentators have focused on what Facebook knows about us. A lot, it turns
out.  It collects data from our posts, our likes, our photos, things we type
and delete without posting, and things we do while not on Facebook and even
when we're offline. It buys data about us from others.  And it can infer
even more: our sexual orientation, political beliefs, relationship status,
drug use, and other personality traits—even if we didn't take the
personality test that Cambridge Analytica developed.

But for every article about Facebook's creepy stalker behavior, thousands of
other companies are breathing a collective sigh of relief that it's Facebook
and not them in the spotlight. Because while Facebook is one of the biggest
players in this space, there are thousands of other companies that spy on
and manipulate us for profit.

Harvard Business School professor Shoshana Zuboff calls it "surveillance
capitalism." And as creepy as Facebook is turning out to be, the entire
industry is far creepier. It has existed in secret far too long, and it's up
to lawmakers to force these companies into the public spotlight, where we
can all decide if this is how we want society to operate and—if not—
what to do about it.

There are 2,500 to 4,000 data brokers in the United States whose business is
buying and selling our personal data. Last year, Equifax was in the news
when hackers stole personal information on 150 million people, including
Social Security numbers, birth dates, addresses, and driver's license
numbers.

You certainly didn't give it permission to collect any of that information.
Equifax is one of those thousands of data brokers, most of them you've never
heard of, selling your personal information without your knowledge or
consent to pretty much anyone who will pay for it.

Surveillance capitalism takes this one step further. Companies like Facebook
and Google offer you free services in exchange for your data.  Google's
surveillance isn't in the news, but it's startlingly intimate.  We never lie
to our search engines. Our interests and curiosities, hopes and fears,
desires and sexual proclivities, are all collected and saved.  Add to that
the websites we visit that Google tracks through its advertising network,
our Gmail accounts, our movements via Google Maps, and what it can collect
from our smartphones.

That phone is probably the most intimate surveillance device ever
invented. It tracks our location continuously, so it knows where we live,
where we work, and where we spend our time. It's the first and last thing we
check in a day, so it knows when we wake up and when we go to sleep. We all
have one, so it knows who we sleep with. Uber used just some of that
information to detect one-night stands; your smartphone provider and any app
you allow to collect location data knows a lot more.

Surveillance capitalism drives much of the Internet. It's behind most of the
"free" services, and many of the paid ones as well. Its goal is
psychological manipulation, in the form of personalized advertising to
persuade you to buy something or do something, like vote for a candidate.
And while the individualized profile-driven manipulation exposed by
Cambridge Analytica feels abhorrent, it's really no different from what
every company wants in the end. This is why all your personal information is
collected, and this is why it is so valuable. Companies that can understand
it can use it against you.

None of this is new. The media has been reporting on surveillance capitalism
for years. In 2015, I wrote a book about it. Back in 2010, the Wall Street
Journal published an award-winning two-year series about how people are
tracked both online and offline, titled "What They Know."

Surveillance capitalism is deeply embedded in our increasingly computerized
society, and if the extent of it came to light there would be broad demands
for limits and regulation. But because this industry can largely operate in
secret, only occasionally exposed after a data breach or investigative
report, we remain mostly ignorant of its reach.

This might change soon. In 2016, the European Union passed the comprehensive
General Data Protection Regulation, or GDPR. The details of the law are far
too complex to explain here, but some of the things it mandates are that
personal data of EU citizens can only be collected and saved for "specific,
explicit, and legitimate purposes," and only with explicit consent of the
user. Consent can't be buried in the terms and conditions, nor can it be
assumed unless the user opts in. This law will take effect in May, and
companies worldwide are bracing for its enforcement.

Because pretty much all surveillance capitalism companies collect data on
Europeans, this will expose the industry like nothing else. Here's just one
example. In preparation for this law, PayPal quietly published a list of
over 600 companies it might share your personal data with.  What will it be
like when every company has to publish this sort of information, and
explicitly explain how it's using your personal data?  We're about to find
out.

In the wake of this scandal, even Mark Zuckerberg said that his industry
probably should be regulated, although he's certainly not wishing for the
sorts of comprehensive regulation the GDPR is bringing to Europe.

He's right. Surveillance capitalism has operated without constraints for far
too long. And advances in both big data analysis and artificial intelligence
will make tomorrow's applications far creepier than today's. Regulation is
the only answer.

The first step to any regulation is transparency. Who has our data? Is it
accurate? What are they doing with it? Who are they selling it to?  How are
they securing it? Can we delete it? I don't see any hope of Congress passing
a GDPR-like data protection law anytime soon, but it's not too far-fetched
to demand laws requiring these companies to be more transparent in what
they're doing.

One of the responses to the Cambridge Analytica scandal is that people are
deleting their Facebook accounts. It's hard to do right, and doesn't do
anything about the data that Facebook collects about people who don't use
Facebook. But it's a start. The market can put pressure on these companies
to reduce their spying on us, but it can only do that if we force the
industry out of its secret shadows.

  [Lots of useful URLs included.  PGN]


Cambridge Analytica and the Coming Data Bust (NY Times)

Richard M Stein <rmstein@ieee.org>
Mon, 16 Apr 2018 11:31:31 +0800
http://www.nytimes.com/2018/04/10/magazine/cambridge-analytica-and-the-coming-data-bust.html

John Herrman argues that the Cambridge Analytica incident is only business
as usual. Unlike the 2008 financial crisis, when home evictions decimated
neighborhoods, no consumers experienced direct humiliation or experienced
vilification via their weaponized Facebook profile data, though evidence
suggests these weaponized profiles collectively influenced the 2016
presidential election. Herrman writes:

  "Experiences that test our trust of the free-services-for-personal-data
  internet are accumulating and threaten to become more personal: the
  failure of Twitter to ban someone who harassed or threatened you; a small
  but embarrassing email hack resulting in a scammer asking old friends for
  money and concluding with an admonishment from your provider that you just
  needed a better password; an identity theft, a suffering credit score and
  then news of a hack at Equifax, a service to which you never even chose to
  provide data. Or it could be nothing more than an eerily well-targeted ad,
  one that suggests that a certain service—maybe one you never even meant
  to interact with—knows things about you that you don't remember telling
  it.

  "The wider consequences of these arrangements are harder to quantify and
  sometimes even to see. They are: a social-media ecosystem that has annexed
  the news and the public sphere; nascent but increasingly assertive systems
  of identity and social currency that seek to transcend borders while
  answering only to investors; billions of lives' worth of trustingly
  volunteered data in the hands of companies that might want to make money
  from it, or that might have no need for it anymore, or that might go out
  of business, change ownership or simply forget what they had in the first
  place. Perhaps someone—a new partner, an enterprising researcher, a
  repressive government—might, one day, discover new uses for the data.

  "A loss of faith in tech companies as semipublic infrastructure would also
  arrive simultaneously with an understanding that that's what they had been
  all along: services that we depended on, ones we gave ourselves to, and
  that revealed themselves to be—or merely became—the sorts of
  services we'd rather not. They're not too big to fail in the banking
  sense. But they're similarly hard to budge, having constructed entire
  modes of interaction, consumption and identity verification that are now
  intimately interwoven with our lives, so all-encompassing that they've
  practically become invisible. To stop using these products is to leave the
  Internet, and these companies made it their mission to make sure there
  isn't anywhere else to go."

In WW II, tobacco companies contributed free cigarettes to troops creating a
generation of addicts. Nicotine level manipulation in cigarettes sustained
tobacco company profits while unleashing a cancer epidemic among millions
who could not, or would not, break from addiction. Analogously, social media
platforms manipulate the brain's dopamine delivery channel with free
services in exchange for surrender of personal information to exploit. Aside
from couch potato syndrome and smart phone rapture, social media's impact on
physical health is apparently marginal.

Low user account turnover churn at Facebook, post-Cambridge Analytica, shows
that Facebook addiction is stronger than brand outrage and trust erosion
merit. Consumer allegiance and free service access form a resilient bond.

What type of incident might initiate a wholesale abandonment of social media
platforms by their users? An insidious act that implicates the platform (via
a social media insider/conspiracy) that: precipitates a nuclear alert per
"The Missiles of October." An infrastructure take down—imagine no power
for 1 week or a repeat DDoS that cripples social media access/destroys data
centers and backup recovery? Or a conspiracy per "Mr. Robot" that erases all
financial records? All unlikely to arise, except in "The Twilight Zone."

Without widespread civil protest born of deep personal outrage, social media
platforms are unlikely to experience wholesale abandonment. Regulation,
however, is one means to throttle corporate behavior. Global adoption of the
EU's "Right to be Forgotten" and the GDPR can influence corporate behavior
to respect and protect consumer rights. Strengthening these rules, and
rigorous enforcement of them, can diminish backlash potential at the expense
of corporate profit—often the only lesson a business is retrospectively
forced to learn—save for a collective CxO perp walk.


Palantir Knows Everything About You (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Sun, 22 Apr 2018 01:20:16 -0400
JPMorgan's experience remains instructive. "The world changed when it
became clear everyone could be targeted using Palantir," says a former
JPMorgan cyber expert who worked with Cavicchia at one point on the insider
threat team.  "Nefarious ideas became trivial to implement; everyone's a
suspect, so we monitored everything. It was a pretty terrible feeling."

http://www.bloomberg.com/features/2018-palantir-peter-thiel/


American elections are too easy to hack. We must take action now (Bruce Schneier)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 19 Apr 2018 16:51:37 PDT
http://www.theguardian.com/commentisfree/2018/apr/18/american-elections-hack-bruce-scheier%3FCMP%3Dshare_btn_fb

American elections are too easy to hack. We must take action now
The Guardian

Bruce Schneier

The computers we use in the voting process are vulnerable at every level. We
need a system resilient to threats—and in many cases, that means paper

Wed 18 Apr 2018

Elections serve two purposes. The first, and obvious, purpose is to
accurately choose the winner. But the second is equally important: to
convince the loser. To the extent that an election system is not
transparently and auditably accurate, it fails in that second purpose. Our
election systems are failing, and we need to fix them.

Today, we conduct our elections on computers. Our registration lists are in
computer databases. We vote on computerized voting machines. And our
tabulation and reporting is done on computers. We do this for a lot of good
reasons, but a side effect is that elections now have all the insecurities
inherent in computers. The only way to reliably protect elections from both
malice and accident is to use something that is not hackable or unreliable
at scale; the best way to do that is to back up as much of the system as
possible with paper.

Recently, there have been two graphic demonstrations of how bad our
computerized voting system is. In 2007, the states of California and Ohio
conducted audits of their electronic voting machines. Expert review teams
found exploitable vulnerabilities in almost every component they
examined. The researchers were able to undetectably alter vote tallies,
erase audit logs, and load malware on to the systems. Some of their attacks
could be implemented by a single individual with no greater access than a
normal poll worker; others could be done remotely.

Last year, the Defcon hackers' conference sponsored a Voting
Village. Organizers collected 25 pieces of voting equipment, including
voting machines and electronic poll books. By the end of the weekend,
conference attendees had found ways to compromise every piece of test
equipment: to load malicious software, compromise vote tallies and audit
logs, or cause equipment to fail.

It's important to understand that these were not well-funded nation-state
attackers. These were not even academics who had been studying the problem
for weeks. These were bored hackers, with no experience with voting
machines, playing around between parties one weekend.

It shouldn't be any surprise that voting equipment, including voting
machines, voter registration databases, and vote tabulation systems, are
that hackable. They're computers—often ancient computers running
operating systems no longer supported by the manufacturers—and they don't
have any magical security technology that the rest of the industry isn't
privy to. If anything, they're less secure than the computers we generally
use, because their manufacturers hide any flaws behind the proprietary
nature of their equipment.

We're not just worried about altering the vote. Sometimes causing widespread
failures, or even just sowing mistrust in the system, is enough. And an
election whose results are not trusted or believed is a failed election.

Voting systems have another requirement that makes security even harder to
achieve: the requirement for a secret ballot. Because we have to securely
separate the election-roll system that determines who can vote from the
system that collects and tabulates the votes, we can't use the security
systems available to banking and other high-value applications.

We can securely bank online, but can't securely vote online. If we could do
away with anonymity—if everyone could check that their vote was counted
correctly—then it would be easy to secure the vote. But that would lead
to other problems. Before the US had the secret ballot, voter coercion and
vote-buying were widespread.

We can't, so we need to accept that our voting systems are insecure. We need
an election system that is resilient to the threats. And for many parts of
the system, that means paper.

Let's start with the voter rolls. We know they've already been targeted. In
2016, someone changed the party affiliation of hundreds of voters before the
Republican primary. That's just one possibility. A well-executed attack that
deletes, for example, one in five voters at random—or changes their
addresses—would cause chaos on election day.

Yes, we need to shore up the security of these systems. We need better
computer, network, and database security for the various state voter
organizations. We also need to better secure the voter registration
websites, with better design and better Internet security. We need better
security for the companies that build and sell all this equipment.

Multiple, unchangeable backups are essential. A record of every addition,
deletion, and change needs to be stored on a separate system, on write-only
media like a DVD. Copies of that DVD, or—even better—a paper printout
of the voter rolls, should be available at every polling place on election
day. We need to be ready for anything.

Next, the voting machines themselves. Security researchers agree that the
gold standard is a voter-verified paper ballot. The easiest (and cheapest)
way to achieve this is through optical-scan voting. Voters mark paper
ballots by hand; they are fed into a machine and counted automatically. That
paper ballot is saved, and serves as a final true record in a recount in
case of problems. Touch-screen machines that print a paper ballot to drop in
a ballot box can also work for voters with disabilities, as long as the
ballot can be easily read and verified by the voter.

Finally, the tabulation and reporting systems. Here again we need more
security in the process, but we must always use those paper ballots as
checks on the computers. A manual, post-election, risk-limiting audit varies
the number of ballots examined according to the margin of
victory. Conducting this audit after every election, before the results are
certified, gives us confidence that the election outcome is correct, even if
the voting machines and tabulation computers have been tampered
with. Additionally, we need better coordination and communications when
incidents occur.

It's vital to agree on these procedures and policies before an
election. Before the fact, when anyone can win and no one knows whose votes
might be changed, it's easy to agree on strong security. But after the vote,
someone is the presumptive winner—and then everything changes. Half of
the country wants the result to stand, and half wants it reversed. At that
point, it's too late to agree on anything.

The politicians running in the election shouldn't have to argue their
challenges in court. Getting elections right is in the interest of all
citizens. Many countries have independent election commissions that are
charged with conducting elections and ensuring their security. We don't do
that in the US.

Instead, we have representatives from each of our two parties in the room,
keeping an eye on each other. That provided acceptable security against
20th-century threats, but is totally inadequate to secure our elections in
the 21st century. And the belief that the diversity of voting systems in the
US provides a measure of security is a dangerous myth, because few districts
can be decisive and there are so few voting-machine vendors.

We can do better. In 2017, the Department of Homeland Security declared
elections to be critical infrastructure, allowing the department to focus on
securing them. On 23 March, Congress allocated $380m to states to upgrade
election security.

These are good starts, but don't go nearly far enough. The constitution
delegates elections to the states but allows Congress to *make or alter such
Regulations*. In 1845, Congress set a nationwide election day. Today, we
need it to set uniform and strict election standards.
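
The risk-limiting audit described in the article above, as an added example
that is not part of the original article or of any election authority's
software: a BRAVO-style ballot-polling audit for a two-candidate contest,
showing how the number of paper ballots examined grows as the reported margin
shrinks. The function names, the 5% risk limit and the simulated ballots are
assumptions made for illustration.

```python
import math
import random


def bravo_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling audit over hand-read paper ballots.

    sample: ballots in the random order drawn; 'W' means the paper shows the
            reported winner, 'L' the reported loser.
    reported_winner_share: winner's reported share of the W+L votes (> 0.5).
    Returns (confirmed, ballots_examined). Not confirmed means the audit
    must escalate, ultimately to a full hand count of the paper.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must lie in (0.5, 1)")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must lie in (0, 1)")

    # Likelihood ratio of "reported share is right" against "it is a tie",
    # kept in log space so long samples cannot underflow.
    step_w = math.log(reported_winner_share / 0.5)
    step_l = math.log((1.0 - reported_winner_share) / 0.5)
    threshold = math.log(1.0 / risk_limit)

    log_ratio = 0.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            log_ratio += step_w
        elif ballot == "L":
            log_ratio += step_l
        else:
            raise ValueError(f"unexpected ballot value: {ballot!r}")
        if log_ratio >= threshold:
            return True, examined      # outcome confirmed at the risk limit
    return False, examined             # sample exhausted without confirmation


def expected_sample_size(reported_winner_share, risk_limit=0.05):
    """Approximate ballots needed when the reported share is correct.

    Wald's approximation for a sequential test, ignoring overshoot.
    """
    s = reported_winner_share
    drift = s * math.log(2 * s) + (1 - s) * math.log(2 * (1 - s))
    return math.log(1.0 / risk_limit) / drift


def simulated_ballots(true_winner_share, n, seed):
    """Constructed sample: n independent draws standing in for paper ballots."""
    rng = random.Random(seed)
    return ["W" if rng.random() < true_winner_share else "L" for _ in range(n)]


if __name__ == "__main__":
    print("reported share   expected ballots   ballots in one simulated audit")
    for share in (0.70, 0.60, 0.55, 0.52):
        ballots = simulated_ballots(share, 50000, seed=2018)
        confirmed, examined = bravo_audit(ballots, share)
        outcome = examined if confirmed else "not confirmed"
        print(f"{share:>14.2f}   {expected_sample_size(share):>16.0f}   {outcome}")

    # Tampered tabulation: 60% reported, but the paper shows only 48%.
    ballots = simulated_ballots(0.48, 50000, seed=2018)
    confirmed, examined = bravo_audit(ballots, 0.60)
    print("tampered count confirmed?", confirmed, "after", examined, "ballots")
```
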


Instant Runoff Voting

"Stephen H. Unger" <shu2@columbia.edu>
April 22, 2018 at 12:05:57 PM EDT
Following is a response to a recent IP posting on Instant Runoff Voting (IRV).

Instant Runoff Voting (IRV) seems, at first look, to be a great way to
improve our elections. But a closer examination reveals that it can produce
clearly irrational results. For example, it is not hard to construct cases
where an IRV winner would have been defeated in a 2-candidate election by at
least one of the losing candidates.

IRV is also a very complex method. Processing an IRV election is far more
difficult and costly than processing a conventional election.

A far better election scheme is Approval Voting (AV): a very simple system,
where voters can vote for any number of the candidates on the ballot. This
deals effectively with such dilemmas as multiple candidates with similar
platforms, or cases where the voter dislikes the front runners. There are no
bizarre cases such as those that can turn up in IRV elections. AV elections
are no more difficult to process than are traditional elections.

For a discussion of IRV, see
http://www1.cs.columbia.edu/~unger/articles/irv.html

For a discussion of AV, see
http:///electology.org/approval-votingreserved=0
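
One such case, constructed here as an added example (not part of the original
posting): a 100-voter, three-candidate profile in which the IRV winner loses a
two-candidate contest against a candidate IRV eliminated. The ballot profile,
the function names and the alphabetical tie-break are assumptions made for
illustration.

```python
# Constructed profile: (number of voters, ranking from most to least preferred)
PROFILE = [
    (35, ("A", "B", "C")),
    (33, ("C", "B", "A")),
    (16, ("B", "A", "C")),
    (16, ("B", "C", "A")),
]


def irv_winner(profile):
    """Run instant-runoff rounds; return (winner, list of per-round tallies)."""
    remaining = {c for _, ranking in profile for c in ranking}
    rounds = []
    while True:
        tally = {c: 0 for c in sorted(remaining)}
        for count, ranking in profile:
            # Each ballot counts for its highest-ranked surviving candidate.
            top = next((c for c in ranking if c in remaining), None)
            if top is not None:
                tally[top] += count
        rounds.append(tally)
        total = sum(tally.values())
        leader = max(sorted(tally), key=lambda c: tally[c])
        if tally[leader] * 2 > total or len(remaining) == 1:
            return leader, rounds
        # Eliminate the candidate with the fewest votes
        # (ties broken alphabetically, an assumption of this example).
        loser = min(sorted(tally), key=lambda c: tally[c])
        remaining.discard(loser)


def head_to_head(profile, x, y):
    """Votes for x and for y if they were the only two candidates."""
    for_x = for_y = 0
    for count, ranking in profile:
        if ranking.index(x) < ranking.index(y):
            for_x += count
        else:
            for_y += count
    return for_x, for_y


def upsets(profile):
    """Losing candidates who would beat the IRV winner one-on-one."""
    winner, _ = irv_winner(profile)
    others = sorted({c for _, r in profile for c in r} - {winner})
    found = []
    for cand in others:
        votes_for, votes_against = head_to_head(profile, cand, winner)
        if votes_for > votes_against:
            found.append((cand, votes_for, votes_against))
    return winner, found


if __name__ == "__main__":
    winner, rounds = irv_winner(PROFILE)
    for number, tally in enumerate(rounds, start=1):
        print(f"round {number}: {tally}")
    print("IRV winner:", winner)
    for cand, votes_for, votes_against in upsets(PROFILE)[1]:
        print(f"{cand} beats {winner} head-to-head {votes_for}-{votes_against}")
```
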


Time for airplane engine diversity? (Christine Negroni)

Henry Baker <hbaker1@pipeline.com>
Fri, 20 Apr 2018 06:40:12 -0700
  [Since the 787 has only 2 engines, perhaps they should be from different
  manufacturers for "diversity"?]

Christine Negroni, *The New York Times*, 19 Apr 2018
Engine on Southwest Jet Not the Only One to Develop Cracks

http://www.nytimes.com/2018/04/19/business/engine-on-southwest-jet-not-the-only-one-to-develop-cracks.html

The engine that failed so catastrophically on a Boeing 737 plane operated by
Southwest Airlines this week is not the only jet engine model with problems
that have caught the eye of safety officials.

Like the engine on the Southwest jet, two others, one used on the Boeing
787 Dreamliner and another on some Boeing 767s, developed cracks. On
Tuesday, the same day as the engine failure on the Southwest plane, the
Federal Aviation Administration said Boeing 787 Dreamliners powered by
Rolls-Royce engines could no longer be flown on ultra-long, over-water
flights.

The engines are produced by three different manufacturers, but the fact that
all three have developed safety issues is prompting questions about the
engines' design, operation and their inspection procedures.  ...

Inspections have also been ordered for the Rolls-Royce Trent 1000 engines
that power a quarter of Boeing's newest wide-body, the 787 Dreamliner,
after cracks were found on rotor blades. But the F.A.A. went further and
rescinded the operators' approval to fly the airplanes any farther than 2
hours and 20 minutes from an emergency airport.

International long-haul carriers like United Airlines, Qantas Airways, Japan
Airlines, Air New Zealand and British Airways purchased the Dreamliner over
the past decade specifically for the plane's ability to carry fewer
people on longer routes more fuel efficiently. On extended flights over
water, an airline could schedule flights on routes of up to five hours
flying time from an emergency airport.

American and European regulators now say that cannot be safely accomplished.
Should one Rolls-Royce engine fail, the higher power demand on the remaining
engine could cause the second engine to fail.  ...


Deutsche Bank Inadvertently Made a $35 Billion Payment in a Single Transaction (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Fri, 20 Apr 2018 15:23:26 -0400
http://www.bloomberg.com/news/articles/2018-04-19/deutsche-bank-flub-said-to-send-35-billion-briefly-out-the-door


Blockchain Kiddy Porn

Rebecca Mercuri <mercuri@acm.org>
Sat, 21 Apr 2018 09:08:32 -0400
University researchers in Germany (funded by the German Federal Ministry of
Education and Research) have pre-released a paper titled "A Quantitative
Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin."  See
http://fc18.ifca.ai/preproceedings/6.pdf

Their claim is that by embedding illegal content within the blockchain data,
the possession of it (such as for legitimate financial transactions) can be
deemed illegal. Their analysis of existing blockchain data appears to have
revealed "more than 1600 files on the blockchain, over 99% of which are
texts or images." Horrifyingly, "among these files, there is clearly
objectionable content such as links to child pornography, which is
distributed to Bitcoin participants."

In response, there have been assertions that all of this is "fake news" and
that there is nothing to worry about. But the paper, with 73 very non-fake
footnotes, does not look like an April-fool's joke to me. As a digital
forensics expert, I know first-hand that U.S. Prosecutors and Law
Enforcement have become more aggressive recently in filing possession,
receipt and distribution charges (which can carry lengthy prison sentences)
for those with illegal data that is discovered in unallocated space or
embedded within other files, despite extremely clear evidence that the
computer's owner or user has no awareness of such illicit content. We also
know that the injection of malware (such as the FBI's NIT) that forces
computers using anonymizers to reveal their actual IP addresses has not been
rejected by the courts as inappropriate investigation technology. There is
also growing evidence that individuals of certain demographics are being
targeted for digital surveillance via open file shares, which do not require
search warrants to remotely inspect.

In this context, therefore, the information in the research paper is
extremely troubling. If the findings are indeed correct, this must be taken
very seriously by the RISKS and Crypto communities. I should note that as
some in the election community are now considering blockchain as a potential
method for "secure remote voting" this could also be a way of distributing
kiddy porn to the entire country, and then cherry-picking whomever the
Government wants to arrest. Welcome to the Brave New World dystopia. I would
urge everyone to take a look at the paper and see what you think.


Browser Standard WebAuthn Could Usher in a Password-Free Future (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 22 Apr 2018 01:08:07 -0400
Password-free logins have long been the stuff of dreams for security
researchers and privacy advocates—not to mention regular people who
fat-finger their account passwords into a browser every day. Industry
efforts to end our reliance on the multi-character password have resulted in
the proposal of numerous alternative login methods, including biometric
verification and the use of behavioral data to prove an individual's
identity. But most of these attempts haven't yet led to the promised land:
A web without passwords.

http://www.wired.com/story/7-steps-to-password-perfection/

Now, a new standard for the web called WebAuthn is being lauded as a major
step forward in secure authentication, and "probably the most effective
anti-phishing measure for the web that's out there," according to Selena
Deckelmann, senior director of engineering for Mozilla Firefox.
http://www.w3.org/TR/webauthn/

It introduces a set of rules for the web that, if adopted by popular
browsers and websites, would mean people could use a single device or a
single fingerprint to log into, well, almost everything.

But like the password-free attempts before it, WebAuthn still faces hurdles
before it becomes something that impacts the masses. Some security and
identity experts seem reluctant to claim that our password-free future has
finally arrived. And a lot of WebAuthn's success comes down to whether
hugely popular websites like Amazon or Facebook will adopt this new
standard.

http://www.wired.com/story/webauthn-in-browsers

One key to rule them all? What could go wrong?


Teen charged in Nova Scotia government breach says he had 'no malicious intent' (CBC News)

Jose Maria Mateos <chema@rinzewind.org>
Tue, 17 Apr 2018 07:50:02 -0400
http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970

When he was around eight, he remembered playing around with the HTML of the
Google search page, making the coloured letters spell out his name.

Around the same time, his Grade 3 class adopted an animal at a shelter,
receiving an electronic adoption certificate.

That led to a discovery on the classroom computer.

"The website had a number at the end, and I was able to change the last
digit of the number to a different number and was able to see a certificate
for someone else's animal that they adopted," he said. "I thought that was
interesting."

***The teenager's current troubles arose because he used the same trick on
Nova Scotia's freedom-of-information portal, downloading about 7,000
freedom-of-information requests.***  [Emphasis mine.]

Someone's at fault here, but I doubt it's the kid.
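
For operators of portals that expose a document number at the end of the URL, as in the item above, here is a log check for one client walking consecutive numbers. It is an added example, not part of the original item or of any portal's code; the log format, paths and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed URL shape: a numeric document id as the last path segment.
ID_AT_END = re.compile(r"/(\d+)$")


def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... within a set of ints."""
    ids = set(ids)
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue  # n is not the start of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best


def find_enumerators(log_lines, min_run=5):
    """Return {client: run_length} for clients that fetched sequential ids."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "200":
            continue  # malformed line, or not a successful fetch
        client, path, _status = parts
        match = ID_AT_END.search(path)
        if match:
            seen[client].add(int(match.group(1)))
    runs = {c: longest_consecutive_run(ids) for c, ids in seen.items()}
    return {c: r for c, r in runs.items() if r >= min_run}


def sample_log():
    """Constructed lines in the form: client path status."""
    lines = [
        "198.51.100.7 /requests/1041 200",   # ordinary visitor, two unrelated ids
        "198.51.100.7 /requests/1077 200",
        "203.0.113.9 /requests/about 200",   # no numeric id at the end
    ]
    # One client fetching twelve consecutive ids, then running off the end.
    lines += [f"192.0.2.44 /requests/{n} 200" for n in range(2000, 2012)]
    lines.append("192.0.2.44 /requests/2012 404")
    return lines


if __name__ == "__main__":
    for client, run in find_enumerators(sample_log()).items():
        print(f"{client}: {run} consecutive document ids fetched")
```

An alert like this only shows that documents are being walked; whether each document should have been served at all is decided by an access check on the server, not by the number being hard to guess.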


Two vendors now sell iPhone cracking technology and police are buying (Lucas Mearian)

Gene Wirchenko <genew@telus.net>
Mon, 16 Apr 2018 08:31:29 -0700
Lucas Mearian, Computerworld, 13 Apr 2018
http://www.computerworld.com/article/3268729/mobile-wireless/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html

Two vendors now sell iPhone cracking technology—and police are buying
Local and regional police departments and federal agencies are lining up to
buy technology from two companies whose products can bypass iPhone security
mechanisms.


"12+ things you can do with a locked iPhone" (Jonny Evans)

Gene Wirchenko <genew@telus.net>
Mon, 16 Apr 2018 09:06:52 -0700
Jonny Evans, Computerworld | Apr 16, 2018 7:06 AM PT
You may be surprised at just how many things you can do with a locked
iPhone. Learn what you can do and how to switch these features off.

http://www.computerworld.com/article/3268884/apple-ios/12-things-you-can-do-with-a-locked-iphone.html


France builds WhatsApp rival due to surveillance risk (Reuters)

Lauren Weinstein <lauren@vortex.com>
Mon, 16 Apr 2018 11:34:00 -0700
via NNSquad
http://www.reuters.com/article/us-france-privacy/france-builds-whatsapp-rival-due-to-surveillance-risk-idUSKBN1HN258

  The French government is building its own encrypted messenger service to
  ease fears that foreign entities could spy on private conversations
  between top officials, the digital ministry said on Monday.

Uh huh. A service that nobody can spy on EXCEPT the French government, eh?


"Android security: Your phone's patch level says you're up to date, but that may be a lie" (Liam Tung)

Gene Wirchenko <genew@telus.net>
Mon, 16 Apr 2018 09:28:32 -0700
Liam Tung, ZDNet, 13 Apr 2018
Study into missed security updates casts doubt on Google's Android
patch level system.

http://www.zdnet.com/article/android-security-your-phones-patch-level-says-youre-up-to-date-but-that-may-be-a-lie/

selected text:

Google has spent the past two years building momentum behind its Android
monthly patch level system, but a study has found critical patches that
should be on devices displaying a patch level aren't actually present.

The results, shared with Wired, show that some popular Android devices are
missing as many as a dozen patches that users would expect to be there,
based on the patch level string displayed in settings in date format.

But, according to Nohl, some Android manufacturers appear to be gaming the
patch level system to falsely improve their image. And, as vendors chalk up
security points for non-existent patches, end users are left with a false
sense of security.


In a Leaked Memo, Apple Warns Employees to Stop Leaking Information (Mark Gurman)

Gene Wirchenko <genew@telus.net>
Mon, 16 Apr 2018 09:35:41 -0700
Mark Gurman, Bloomberg, 13 Apr 2018

http://www.bloomberg.com/news/articles/2018-04-13/apple-warns-employees-to-stop-leaking-information-to-media

selected text:

Apple Inc. warned employees to stop leaking internal information on future
plans and raised the specter of potential legal action and criminal charges,
one of the most-aggressive moves by the world's largest technology company
to control information about its activities.

The Cupertino, California-based company said in a lengthy memo posted to its
internal blog that it "caught 29 leakers," last year and noted that 12 of
those were arrested. "These people not only lose their jobs, they can face
extreme difficulty finding employment elsewhere," Apple added. The company
declined to comment on Friday.

The employee who leaked the meeting to a reporter later told Apple
investigators that he did it because he thought he wouldn't be
discovered. But people who leak—whether they're Apple employees,
contractors or suppliers—do get caught and they're getting caught faster
than ever.


"Fake Android apps used for targeted surveillance found in Google Play" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Mon, 16 Apr 2018 09:44:41 -0700
Zack Whittaker for Zero Day, 16 Apr 2018
The apps relied on a second-stage component that was downloaded after the
apps were installed.

http://www.zdnet.com/article/fake-android-apps-used-for-targeted-surveillance-found-in-google-play/


"Swim at your own risk: How botched IoT can sink your precious first-world life" (Jason Perlow)

Gene Wirchenko <genew@telus.net>
Mon, 16 Apr 2018 09:18:35 -0700
Jason Perlow for Tech Broiler, ZDNet, 12 Apr 2018
Boo-hoo. A bungled Internet of Things (IoT) update means you can't switch
your swimming pool to spa mode. Laugh all you want: When the HVAC or your
home security system fails, the implications are serious.

http://www.zdnet.com/article/swim-at-your-own-risk-how-botched-iot-can-sink-your-precious-first-world-life/


Police use Experian Marketing Data for AI Custody Decisions (Big Brother Watch)

Jose Maria Mateos <chema@rinzewind.org>
April 15, 2018 at 11:06:57 AM EDT
via Dave Farber

http://bigbrotherwatch.org.uk/all-media/police-use-experian-marketing-data-for-ai-custody-decisions/

POLICE USE EXPERIAN MARKETING DATA FOR AI CUSTODY DECISIONS

Durham Police has paid global data broker Experian for UK postcode
stereotypes built on 850 million pieces of information to feed into an
artificial intelligence (AI) tool used in custody decisions, a Big Brother
Watch investigation has revealed.

Durham Police is feeding Experian's `Mosaic' data, which profiles all 50
million adults in the UK[1] to classify UK postcodes, households and even
individuals [2] into stereotypes, into its AI `Harm Assessment Risk Tool'
(HART). The 66 `Mosaic' categories include `Disconnected Youth', `Asian
Heritage' and `Dependent Greys'.[3]

Durham Police's AI tool processes Experian's `Mosaic' data and other
personal information to predict whether a suspect might be at low, medium or
high risk of reoffending.[4]

Experian's Mosaic code includes the `demographic characteristics' of each
stereotype—characterising `Asian Heritage' as `extended families' living
in `inexpensive, close-packed Victorian terraces', adding that `when people
do have jobs, they are generally in low paid routine occupations in
transport or food service'.[5]

`Disconnected Youth' are characterised as `avid texters' whose `wages are
often low'[6]—with first names like `Liam' and `Chelsea'[7].


A call to regulate the use of AI (Nature)

Martyn Thomas <martyn@thomas-associates.co.uk>
Wed, 18 Apr 2018 09:52:19 +0100
Regulate artificial intelligence to avert cyber arms race:

Define an international doctrine for cyberspace skirmishes before they
escalate into conventional warfare, urge *Mariarosaria Taddeo* and
*Luciano Floridi*

http://www.nature.com/articles/d41586-018-04602-6


Yahoo and AOL just gave themselves the right to read your emails *again* (CNET)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sat, 14 Apr 2018 18:45:57 -1000
http://www.cnet.com/news/yahoo-aol-oath-privacy-policy-verizon-emails-messages/


FCC dings T-Mobile $40M for faking rings on calls that never connected (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Mon, 16 Apr 2018 11:31:58 -0700
via NNSquad

http://techcrunch.com/2018/04/16/fcc-dings-t-mobile-40m-for-faking-rings-on-calls-that-never-connected/

  The issue at hand is that when someone is trying to call an area with poor
  connectivity, it can sometimes take several seconds to establish a line to
  the other party—especially if a carrier itself does not serve the area
  in question and has to hand off the call to a local provider.  That's
  exactly what T-Mobile was doing, and there's nothing wrong with it—just
  a consequence of spotty coverage in rural areas.  But what is prohibited
  is implying to the caller that their call has gone through and is ringing
  on the other end, if that's not the case. Which is also exactly what
  T-Mobile was doing, and had been doing since 2007. Its servers began
  sending a "local ring back tone" when a call took a certain amount of time
  to complete around then.


The EU's horrific and tyrannical "Right To Be Forgotten"—as described in 1944 by George Orwell

Lauren Weinstein <lauren@vortex.com>
Sat, 14 Apr 2018 11:56:56 -0700
"Day by day and almost minute by minute the past was brought up to date. In
this way every prediction made by the Party could be shown by documentary
evidence to have been correct, nor was any item of news, or any expression
of opinion, which conflicted with the needs of the moment, ever allowed to
remain on record. All history was a palimpsest, scraped clean and
reinscribed exactly as often as was necessary."

    —("Nineteen Eighty-Four" - George Orwell - 1944)


China's Xi says Internet control key to stability (Reuters)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 21 Apr 2018 12:08:14 PDT
Reuters, 21 Apr 2018,
http://www.yahoo.com/news/chinas-xi-says-internet-control-key-stability-110428337.html

  SHANGHAI (Reuters) - China must strengthen its grip on the Internet to
  ensure broader social and economic goals are met, state news agency Xinhua
  reported on Saturday citing comments from President Xi Jinping,
  underlining a hardening attitude towards online content.

  Under Xi's rule China has increasingly tightened its grip on the Internet,
  concerned about losing influence and control over a younger generation who
  are driving a diverse and vibrant online culture from livestreaming to
  blogs.  "Without web security there's no national security, there's no
  economic and social stability, and it's difficult to ensure the interests
  of the broader masses," Xinhua cited Xi as saying.  "We cannot let the
  Internet become a platform for disseminating harmful information and
  stirring up trouble with rumours," he added in comments made at a cyber
  security conference in Beijing, Xinhua said.

  Chinese regulators have been driving a sweeping crackdown on media
  content, which has been gaining force since last year, spreading a chill
  among content makers and distributors.  China is also looking to take a
  leading role globally in Internet regulation and technology more broadly,
  which has come into sharp focus amid a trade standoff with the United
  States and an arms race over technology.

  The United States banned sales of parts and software to Chinese telecoms
  equipment maker ZTE earlier this week, which the Chinese firm said on
  Friday threatened its survival. ZTE uses U.S. chips in many of its
  smartphones.  The ZTE case had "triggered a heated debate" in China about
  advanced technology, Xinhua said in a separate report on Saturday, adding
  mastering high-end technologies such as chips was "key" to becoming a
  strong nation.

  Luo Wen, China's deputy industry minister, said while China had made
  progress in advanced manufacturing in areas like electric vehicles and
  aviation, it was still facing challenges due to a lack of top talent and
  global scale, Xinhua said.  "Our advanced manufacturing development faces
  the risk of being boxed in at the low-end," Xinhua reported, citing Luo.


Moscow State University Team Wins Gold in ACM ICPC Programming Contest

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 20 Apr 2018 14:39:40 PDT
Baylor via ACM Bulletins, Apr 20 2018

Three students from Moscow State University earned the title of 2018 World
Champions in the ACM International Collegiate Programming Contest (ICPC,
http://icpc.baylor.edu).

Teams from the Moscow Institute of Physics and Technology, Peking University
and The University of Tokyo placed in second, third and fourth places and
were recognized with gold medals in the prestigious competition, held April
15-19 in Beijing, China.

ACM-ICPC is the premier global programming competition conducted by and for
the world's universities. It is conceived, operated and shepherded by ACM
and headquartered at Baylor University. This year's World Finals were hosted
by Peking University and CYSC: Children and Youth Science Center of CAST,
and the contest was sponsored by Founder Group and JetBrains. For more than
four decades, the competition has raised the aspirations and performance of
generations of the world's problem solvers in computing sciences and
engineering.

At ICPC, teams of three students tackle eight or more complex, real-world
problems. The students are given a problem statement, and must create a
solution within a looming five-hour time limit. The team that solves the
most problems in the fewest attempts in the least cumulative time is
declared the winner, with the top teams receiving medals.

ICPC regional participation included 49,935 contestants from 3,089
universities in 111 countries on six continents competing at more than 585
sites, all with the goal of earning one of the coveted invitations to
Beijing.

As computing increasingly becomes part of the daily routines of a growing
percentage of the global population, the solution to many of tomorrow's
challenges will be written with computing code. The ICPC serves as a unique
forum for tomorrow's computing professionals to showcase their skills, learn
new proficiencies and to work together to solve many real-world
problems. This international event fosters the innovative spirit that
continues to transform our world.

Full results of the competition are available at
http://icpc.baylor.edu/worldfinals/results


Re: "A bad day with mobile 2FA" (Evan Schuman, R 30 65)

Dmitri Maziuk <dmaziuk@bmrb.wisc.edu>
Sun, 15 Apr 2018 06:24:34 -0500
My bank uses the Google Authenticator app that requires—obviously, once you
know—synchronized clocks between the server and client cellphone.  As it
turns out my Galaxy Note 4 sometimes automagically turns off network time,
not sure why exactly.

The backup option was e-mail but that was removed at some point because it
is "insecure". A robo-call to my home phone (and then I could call my
answering machine from overseas if I remembered the codes to play back my
messages) is still available, as is a human person on the phone.
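
The clock dependency described in the post above, as an added example that is not part of the original post and not the bank's or Google's code: RFC 6238 time-based codes computed on a phone whose clock has drifted, checked by a server that accepts a small window of neighbouring 30-second steps. The key is the RFC 6238 test key, the timestamps are constructed, and the `window` policy is an assumption.

```python
import hashlib
import hmac
import struct

STEP = 30                           # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"    # RFC 6238 test key, not a real account secret
SERVER_NOW = 1_524_000_015          # constructed server clock, 15 s into a step


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: an HOTP over the 30-second step counter."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int, window: int = 1):
    """Return the step offset at which the code matches, or None.

    window=1 accepts the previous, current and next step. A non-zero result
    tells the server how far the client's clock is off, in steps.
    """
    for offset in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret, server_time + offset * STEP)
        if hmac.compare_digest(expected, submitted):
            return offset
    return None


def drift_report(window: int = 1) -> dict:
    """Map phone clock drift in seconds to the verifier's result."""
    report = {}
    for drift in (0, 20, -45, 95):
        code = totp(SECRET, SERVER_NOW + drift)     # what the phone displays
        report[drift] = verify(SECRET, code, SERVER_NOW, window)
    return report


if __name__ == "__main__":
    for drift, offset in drift_report().items():
        outcome = "rejected" if offset is None else f"accepted at step {offset:+d}"
        print(f"phone clock off by {drift:+4d} s: {outcome}")
```

A 20-second error already lands in the next step here because the server is 15 seconds into its own step; acceptance depends on step boundaries, and widening the window trades tolerance for a longer period in which a captured code stays valid.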


Re: Fox News accidentally puts up a poll graphic that shows how they are the least-trusted network (RISKS-30.65)

Bob Rahe <bob@dtcc.edu>
Sun, 15 Apr 2018 10:05:20 -0400
Not sure about the relevance to RISKS with that article other than to maybe
highlight how fakenews can manipulate various categories of readers.

About the only thing correct about that article was that the wrong graphic
was displayed and it was on FNC and MediaBuzz with Kurtz.  The graphic did
not show relative trust between networks, and the implication that Kurtz was
angry about it just isn't accurate.  The article also implies that that
graphic wasn't shown as part of the segment.  It was.

Kurtz's show deals with the media and he does a pretty good job of sticking
to the media [coverage] of stories rather than the stories themselves. Thus
the graphic actually shown had to do with the trust of the various media
outlets vs. the President in a study by Monmouth.  The article completely
mis-characterized it.  Either they did so intentionally in order to try to
score points or they were just sloppy and only saw the graphic for the few
seconds it was actually on screen and didn't watch the rest of the segment.

That article was variously bogus/fake/incomplete in any number of ways.
Even Politifact called it mostly false and has the rest of the story correct
in its analysis (below.)  Although the Trump/Fox/etc. haters won't like it.

If you've lost the left 'fact checker' Politifact, you must be doing
something *really* wrong!

http://www.politifact.com/punditfact/statements/2018/apr/13/blog-posting/No-Fox-News-did-not-put-up-graphic-showing-it-was/


Re: Windows security: Microsoft patch for Outlook password leak bug 'not a full fix' (RISKS-30.65)

Kelly Bert Manning <bo774@freenet.carleton.ca>
Sun, 15 Apr 2018 11:56:10 -0400
This sort of thing, along with Ctrl F being Forward, not Find as in almost
every other Windows product, is why I pronounce it Lookout.

Microsoft keeps trying to install some form of Outlook on my Windows
machines at home, even though I never choose Outlook as my non-work email
software and do not use any form of Instant Messaging.

http://www.itworld.com/article/2696441/consumerization/the-story-behind-microsoft-outlook-s-terrible-ctrl---f-shortcut.html

Failure to address widespread customer concerns is an old story at
Microsoft.  If memory serves me correctly they didn't address the need to
reboot to add a directly connected printer until William Gates III
experienced it in public while doing a major product release
presentation. Then it became a High Priority User Interface Issue.

http://www.pcmag.com/article/351494/how-to-fix-the-most-annoying-things-in-windows-10
