The RISKS Digest
Volume 30 Issue 71

Tuesday, 5th June 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Microsoft to acquire GitHub for $7.5 billion
Lauren Weinstein
Bitcoin backlash as 'miners' suck up electricity, stress power grids in Central Washington
Seattle Times
Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold
Joon Ian Wong
Google to remove "secure" indicator from HTTPS pages on Chrome
Keith Medcalf
Gene Wirchenko
John Levine
"How your web browser tells you when it's safe"
Gregg Keizer
"Smart lock user? Z-wave pairing flaw lets attackers open your doors from yards away"
Liam Tung
FBI tells router users to reboot now to kill malware infecting 500k devices
Dan Goodin
Banks Adopt Military-Style Tactics to Fight Cybercrime
NYTimes
How One Company Scammed Silicon Valley. And How It Got Caught.
John Carreyrou
Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era?
NPR
YouTube stars' fury over algorithm tests
BBC.com
Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later
Fortune
Amazon's Echo privacy flub has big implications for IT
Evan Schuman
"Bank of Montreal, CIBC's Simplii Financial report customer data breaches"
Asha McLean
License Plate Risks
Jeremy Ardley
"Jira bug exposed private server keys at major companies, researcher finds"
Zack Whittaker
Google Started a Political Sh*tstorm Because of Its Over-Reliance on Wikipedia
Motherboard
Signs of sophisticated cellphone spying found near White House, U.S. officials say
WaPo
Massive Visa Outage Shows the Fragility of Global Payments
WiReD
How can criminals manipulate cryptocurrency markets?
The Conversation
Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds of User Email Addresses
Gizmodo
Commentary: GDPR Misses the Point
Fortune
GDPR, Privacy, and CISSPforum vs "Community"
Rob Slade
German spy agency can keep tabs on Internet hubs: court
Phys
Trendism and cognitive stagnation
John Ohno
Re: Securing Elections
Amos Shapir
Info on RISKS (comp.risks)

Microsoft to acquire GitHub for $7.5 billion

Lauren Weinstein <lauren@vortex.com>
Mon, 4 Jun 2018 10:34:09 -0700
via NNSquad
  Microsoft Corp. on Monday announced it has reached an agreement to acquire
  GitHub, the world's leading software development platform where more than
  28 million developers learn, share and collaborate to create the
  future. Together, the two companies will empower developers to achieve
  more at every stage of the development lifecycle, accelerate enterprise
  use of GitHub, and bring Microsoft's developer tools and services to new
  audiences.

All GitHub users forthwith will be required to run Windows 10 or subsequent
Microsoft operating systems with all privacy options disabled, manage their
code only by voice via Cortana, and install the new Microsoft Clippy 2018!
Microsoft Office Assistant on all of their devices. Microsoft will now scan
all GitHub materials for patent infringement and turn violators over to
local authorities for arrest.


Bitcoin backlash as 'miners' suck up electricity, stress power grids in Central Washington (Seattle Times)

Lauren Weinstein <lauren@vortex.com>
Sun, 27 May 2018 14:40:13 -0700
NNSquad
http://www.seattletimes.com/business/bitcoin-backlash-as-miners-suck-up-electricity-stress-power-grids-in-central-washington/

  But it's not simply the scale of requests that is perplexing utility
  staff. Many would-be miners have no understanding of how large power
  purchases work. In one case this winter, miners from China landed their
  private jet at the local airport, drove a rental car to the visitor center
  at the Rocky Reach Dam, just north of Wenatchee, and, according to Chelan
  County PUD officials, politely asked to see the "dam master because we
  want to buy some electricity."  Bitcoin fever has created other,
  smaller-scale problems for the utility. Three times a week, on average,
  utility crews in Chelan County discover unpermitted home miners running
  computer servers far too large for the electrical grids of residential
  neighborhoods. In one instance last year, the transformer outside a
  bootleg miner's home overheated and touched off a grass fire, Chelan
  County PUD officials say.

Just cut these cryptocurrency mining parasites off. Knock them off the
grid. If they can generate their own power safely, fine. Otherwise, to hell
with them.


Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold (Joon Ian Wong)

Dewayne Hendricks <dewayne@warpspeed.com>
May 26, 2018 at 8:10:52 AM EDT
Joon Ian Wong, QZ, 24 May 2018
http://qz.com/1287701/bitcoin-golds-51-attack-is-every-cryptocurrencys-nightmare-scenario/

Bitcoin Gold is a fork, or spin-off, of the original cryptocurrency,
bitcoin. It shares much of the same code and works in a similar way to
bitcoin, with Bitcoin Gold miners contributing computational power to
process new transactions. That also means it faces the same vulnerabilities
as bitcoin, but without the protections that come from the large, dispersed
group of people and organizations whose computers are powering the bitcoin
blockchain.

In recent days the nightmare scenario for any cryptocurrency is playing out
for Bitcoin Gold, as an attacker has taken control of its blockchain and
proceeded to defraud cryptocurrency exchanges. All the Bitcoin Gold in
circulation is valued at $786 million, according to data provider
Coinmarketcap. Blockchains are designed to be decentralized but when an
individual or group acting in concert controls the majority of a
blockchain's processing power, they can tamper with transactions and pave
the way for fraud. This is known as a 51% attack.

The possibility of a 51% attack has been one of the concerns institutions
such as banks and tech companies have had over the years about using the
blockchain for transactions; some have worried that the Chinese government
could at some point endeavor to do that, ordering all of the Chinese bitcoin
miners to act in concert. It's unlikely for bitcoin, but for smaller
cryptocurrencies, 51% attacks are a concern, one dramatized on a recent
episode of HBO's series Silicon Valley.

Cryptocurrency miners commit their computer processing power--or hash
power--to adding new transactions to a coin's blockchain. They are rewarded
in units of the coin in return. The idea is that these incentives create
competition among miners to add more hash power to the chain. The more hash
power is added, the better the chances of winning a reward.

So what's a 51% attack? It's when a single miner controls more than half of
the hash power on a particular blockchain. When this happens, that miner can
mess with transactions in a bunch of ways, including spending coins
twice. This is the *double-spending problem*, a puzzle surrounding digital
money that has vexed computer scientists for years—and which was solved
by bitcoin. But the solution only holds if no single miner controls the
majority of the hash power on a chain.

Bitcoin Gold has been experiencing double-spending attacks for at least a
week, according to forum posts by Bitcoin Gold director of communications
Edward Iskra. Someone has taken control of more than half of Bitcoin Gold's
hash rate and is double-spending coins. Since an attacker must spend coins
in his or her possession, and can't conjure up new coins, the attack is
somewhat limited.

What's happening now, according to Iskra, is that exchanges that
automatically accept large deposits are being targeted. The fraudster
deposits Bitcoin Gold into an account at an exchange, where coins are
traded. Once the exchange credits the Bitcoin Gold to the attacker's
account, the attacker trades those coins for another cryptocurrency and
withdraws it. The attacker can repeatedly make deposits of the same Bitcoin
Gold it deposited in the first exchange and profit in this way.

A bunch of other cryptocurrencies have been attacked in similar ways
recently. Something called Verge has been hit twice in the last two months,
leading to $2.7 million being stolen. The exotic-sounding coins Monacoin and
Electroneum have also suffered from 51% attacks not too long ago.
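
The confirmation-depth reasoning behind the article, as an added example that is not part of the original QZ piece: the function below evaluates the formula from section 11 of the Bitcoin whitepaper for the probability that a miner holding fraction q of the hash power can rewrite a payment that already has z confirmations, and a second function finds the depth an exchange would need before crediting a deposit. The function names and the 0.1% risk threshold are my own choices; the model itself is Nakamoto's. It shows why "automatically accept large deposits" is the weak point, and why the guard fails completely once q reaches one half: no confirmation count brings the probability below 1.

```python
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner holding fraction q of the hash power eventually
    builds a longer chain than the honest miners once a payment has z
    confirmations, i.e. that a double-spend of that payment can succeed.
    This is the formula from section 11 of the Bitcoin whitepaper."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash power")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q
    # Majority case (the 51% attack): the attacker's chain grows faster than
    # the honest chain, so it overtakes it with certainty at any depth.
    if q >= p:
        return 1.0
    # With no confirmations the attacker only needs to broadcast a conflicting
    # transaction, so the formula degenerates to certainty as well.
    if z == 0:
        return 1.0
    ratio = q / p
    lam = z * ratio  # expected attacker progress while honest miners find z blocks
    caught_up = 0.0
    for k in range(z + 1):
        # Poisson term evaluated in log space so large z does not overflow.
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        # Attacker already has k blocks; probability of closing a gap of z-k.
        caught_up += math.exp(log_poisson) * (1.0 - ratio ** (z - k))
    return 1.0 - caught_up


def confirmations_needed(q: float, risk: float, max_z: int = 2000) -> Optional[int]:
    """Smallest confirmation depth an exchange would need so that the reorg
    probability drops below `risk`, or None when no depth achieves it
    (which is the case for any majority attacker)."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    return None


if __name__ == "__main__":
    # Assumed risk appetite of 0.1%, the threshold used in the whitepaper's table.
    for q in (0.1, 0.3, 0.45, 0.51):
        depth = confirmations_needed(q, 0.001)
        print(f"attacker share {q:.2f}: confirmations for <0.1% risk = {depth}")
```

The practical reading for an exchange is that the required depth grows steeply as the attacker's share approaches one half, and that on a small chain whose hash rate one party can rent or redirect, no deposit policy based on confirmations alone is safe.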


Google to remove "secure" indicator from HTTPS pages on Chrome

"Keith Medcalf" <kmedcalf@dessus.com>
Sat, 26 May 2018 18:03:44 -0600
Google should be keelhauled for this (or at least the dolts who thought it
up should be keelhauled, and the sailors doing the hauling should be given
three toddies of rum when the googlers are half-way along the keel).  HTTPS
does not mean that the Web Site is secure.  It means that it is transport
encrypted.  Similarly, that the web site is not using SSL/TLS does not mean
it is insecure—it simply means that the transport is not encrypted.

There is a *LOT* more to being *secure* than merely engaging transport
security.  It should be noted that Google will not detect "forged" or MITM
certificates, and that as a result much of what they hold out as "secure"
actually does not even have meaningful transport security.


Google to remove `secure' indicator from HTTPS pages on Chrome (ZDNet)

Gene Wirchenko <genew@telus.net>
Fri, 18 May 2018 09:13:42 -0700
  [In other news, your local second-level (province, state, prefecture,
  etc.) government announced plans to remove those curve speed caution signs
  to make the roads safer.  Well, not actually.  They have a bit more sense
  than Google. GW]

http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

Stephanie Condon, ZDNet, 17 May 2018
Google to remove "secure" indicator from HTTPS pages on Chrome
Users should expect the web to be safe by default, Google explained.

As part of its push to make the web safer, Google on Thursday said it will
stop marking HTTPS pages as "secure."

The logic behind the move, Google explained, is that "users should expect
that the web is safe by default." It will remove the green padlock and
"secure" wording from the address bar beginning with Chrome 69 in September.


Google to remove "secure" indicator from HTTPS pages on Chrome (ZDNet)

"John Levine" <johnl@iecc.com>
28 May 2018 11:45:16 -0400
  Google previously announced that it would mark HTTP pages as "not
  secure" beginning with Chrome 68 in July.

  By October with Chrome 70, Google will start showing a red "not
  secure" warning when users enter data on HTTP pages. "Previously, HTTP
  usage was too high to mark all HTTP pages with a strong red warning,"
  Google said.


"How your web browser tells you when it's safe" (Gregg Keizer)

Gene Wirchenko <genew@telus.net>
Sun, 27 May 2018 08:54:17 -0700
Gregg Keizer, Computerworld, 23 May 2018
https://www.computerworld.com/article/3275726/web-browsers/how-your-web-browser-tells-you-when-its-safe.html

As Google moves to change how its Chrome browser flags insecure websites,
rival browsers may be forced to follow suit. Here's how other browsers
currently handle website security and what changes they have coming.

selected text:

Google last week spelled out the schedule it will use to reverse years of
advice from security experts when browsing the Web - to "look for the
padlock." Starting in July, the search giant will mark insecure URLs in its
market-dominant Chrome, not those that already are secure. Google's goal?
Pressure all website owners to adopt digital certificates and encrypt the
traffic of all their pages.

Security pros praised Google's campaign, and the probable end-game.  "I
won't have to tell my mom to look for the padlock," said Chester Wisniewski,
principal research scientist at security firm Sophos, of the
switcheroo. "She can just use her computer."

  [Let us change stuff for the people who do not know much about computers.
  That will make things simpler for them.  These two sentences do not belong
  together.]

But what are Chrome's rivals doing? Marching in step or sticking to
tradition? Computerworld fired up the Big Four—Chrome, Mozilla's Firefox,
Apple's Safari and Microsoft's Edge—to find out.


"Smart lock user? Z-wave pairing flaw lets attackers open your doors from yards away" (Liam Tung)

Gene Wirchenko <genew@telus.net>
Sun, 27 May 2018 09:07:11 -0700
Liam Tung, ZDNet, 25 May 2018
https://www.zdnet.com/article/smart-lock-user-z-wave-pairing-flaw-lets-attackers-open-your-door-from-yards-away/
Up to 100 million Internet of Things devices could be at risk.

starting text:

Hackers may be able to remotely unlock your smart lock if it relies on the
Z-Wave wireless protocol.

According to researchers at UK firm Pen Test Partners, Z-Wave is vulnerable
to an attack that forces the current secure pairing mechanism, known as S2,
to an earlier version with known weaknesses, called S0.

The problem with S0 is that when two devices, like a controller and a smart
lock, are pairing, it encrypts the key exchange using a hardcoded key
'0000000000000000'. So, an attacker could capture traffic on the network and
easily decrypt it to discover the key.

S2 fixed this problem by employing the Diffie-Hellman algorithm for securely
sharing secret keys, but the downgrade removes that protection.

The researchers have posted a video demonstrating the downgrade attack --
dubbed Z-Shave -- on a Conexis L1 Smart Door Lock from lock manufacturer
Yale. They note that an attacker within about 100 meters could, after the
downgrade attack, then steal the keys to the smart lock.

Z-Wave chips are in 100 million smart gadgets, from lights to heating
systems, but the risk is greater for things with security applications, such
as locks.


FBI tells router users to reboot now to kill malware infecting 500k devices (Dan Goodin)

Dewayne Hendricks <dewayne@warpspeed.com>
May 27, 2018 at 9:56:50 AM EDT
Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
Dan Goodin, Ars Technica, 25 May 2018

http://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

The FBI is advising users of consumer-grade routers and network-attached
storage devices to reboot them as soon as possible to counter
Russian-engineered malware that has infected hundreds of thousands of devices.

Researchers from Cisco's Talos security team first disclosed the
existence of the malware on Wednesday. The detailed report said the malware
infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP,
and TP-Link. Known as VPNFilter, the malware allowed attackers to collect
communications, launch attacks on others, and permanently destroy the
devices with a single command. The report said the malware was developed by
hackers working for an advanced nation, possibly Russia, and advised users
of affected router models to perform a factory reset, or at a minimum to
reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed
developed by a Russian hacking group, one known by a variety of names,
including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also
said the FBI had seized an Internet domain VPNFilter used as a backup means
to deliver later stages of the malware to devices that were already infected
with the initial stage 1. The seizure meant that the primary and secondary
means to deliver stages 2 and 3 had been dismantled, leaving only a third
fallback, which relied on attackers sending special packets to each infected
device.

Limited persistence

The redundant mechanisms for delivering the later stages address a
fundamental shortcoming in VPNFilter—stages 2 and 3 can't survive a
reboot, meaning they are wiped clean as soon as a device is
restarted. Instead, only stage 1 remains. Presumably, once an infected
device reboots, stage 1 will cause it to reach out to the recently seized
ToKnowAll.com address. The FBI's advice to reboot small office and home
office routers and NAS devices capitalizes on this limitation. In a
statement published Friday, FBI officials suggested that users of all
consumer-grade routers, not just those known to be vulnerable to VPNFilter,
protect themselves. The officials wrote:

  The FBI recommends any owner of small office and home office routers reboot
  the devices to temporarily disrupt the malware and aid the potential
  identification of infected devices. Owners are advised to consider disabling
  remote management settings on devices and secure with strong passwords and
  encryption when enabled. Network devices should be upgraded to the latest
  available versions of firmware.

In a statement also published Friday, Justice Department officials wrote:

  Owners of SOHO and NAS devices that may be infected should reboot their
  devices as soon as possible, temporarily eliminating the second stage
  malware and causing the first stage malware on their device to call out
  for instructions. Although devices will remain vulnerable to reinfection
  with the second stage malware while connected to the Internet, these
  efforts maximize opportunities to identify and remediate the infection
  worldwide in the time available before Sofacy actors learn of the
  vulnerability in their command-and-control infrastructure.

The US Department of Homeland Security has also issued a statement advising
that "all SOHO router owners power cycle (reboot) their devices to
temporarily disrupt the malware."

As noted in the statements, rebooting serves the objectives of (1)
temporarily preventing infected devices from running the stages that collect
data and other advanced attacks and (2) helping FBI officials to track who
was infected. Friday's statement said the FBI is working with the non-profit
Shadow Foundation to disseminate the IP addresses of infected devices to
ISPs and foreign authorities to notify end users.

Authorities and researchers still don't know for certain how compromised
devices are initially infected. They suspect the attackers exploited known
vulnerabilities and default passwords that end users had yet to patch or
change. That uncertainty is likely driving the advice in the FBI statement
that all router and NAS users reboot, rather than only users of the 14
models known to be affected by VPNFilter [...]
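
The identification step the statements describe, as an added example that is not part of the Ars Technica article: after a reboot, stage 1 tries to resolve the seized ToKnowAll.com domain, so a resolver log is enough for a network operator to list which devices are infected and need a factory reset and firmware update. The log format below ("<timestamp> <client-ip> query <qtype> <qname>") and the sample lines are constructed for this example and are not real data; the matching is deliberately suffix-based so that a look-alike name containing the domain as a substring is not flagged.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Stage-1 fallback domain named in the article; after its seizure, any device
# still resolving it is a strong indicator of a VPNFilter stage-1 infection.
SEIZED_DOMAINS = {"toknowall.com"}

# Constructed sample resolver log lines (not real data). The format
# "<timestamp> <client-ip> query <qtype> <qname>" is an assumption for this
# example; adapt LINE_RE to the resolver actually in use.
SAMPLE_LOG = """\
2018-05-25T14:02:11Z 192.168.1.1 query A toknowall.com.
2018-05-25T14:02:12Z 192.168.1.23 query A www.example.com
2018-05-25T14:05:40Z 192.168.1.1 query A ToKnowAll.com
2018-05-25T14:07:03Z 192.168.1.50 query AAAA nas.example.net
2018-05-25T14:11:58Z 192.168.1.50 query A update.toknowall.com
2018-05-25T14:12:00Z malformed line that the parser should skip
2018-05-25T14:13:21Z 192.168.1.23 query A nottoknowall.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def matches_seized(qname: str) -> bool:
    """True for the seized domain itself or any label beneath it, never for
    names that merely contain it as a substring."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in SEIZED_DOMAINS)


def find_beaconing_hosts(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP that queried a seized domain to the timestamps of
    those queries; these are the hosts to isolate and factory-reset."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        if matches_seized(m["qname"]):
            hits[m["client"]].append(m["ts"])
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {len(times)} lookup(s), first at {times[0]}")
```

Because the article notes that stage 1 survives a reboot, a host that keeps appearing in this list after being restarted still needs the factory reset and firmware update the FBI statement recommends; the reboot only clears stages 2 and 3.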


Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sun, 27 May 2018 13:25:03 -0400
*The New York Times*

"Those are the decisions you don't want to be making for the first time
during a real attack," said Bob Stasio, IBM's cyber range operations
manager and a former operations chief for the National Security Agency's
cyber center. One financial company's executive team did such a poor job of
talking to its technical team during a past IBM training drill, Mr.  Stasio
said, that he went home and canceled his credit card with them.

Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical
touches. Whiteboards and giant monitors fill nearly every wall, with
graphics that can be manipulated by touch.

"You can't have a fusion center unless you have really cool TVs," quipped
Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
global cybersecurity head, at a recent cybercrime conference.  "It's even
better if they do something when you touch them.  It doesn't matter what
they do. Just something."

Security pros mockingly refer to such eye candy as `pew pew' maps, an
onomatopoeia for the noise of laser guns in 1980s movies and video
arcades. They are especially useful, executives concede, to put on display
when V.I.P.s or board members stop by for a tour. Two popular pew maps are
from FireEye https://www.fireeye.com/cyber-map/threat-map.html and the
defunct security vendor Norse http://www.norsecorp.com/ whose video
game-like maps show laser beams zapping across the globe. Norse went out of
business two years ago, and no one is sure what data the map is based on,
but everyone agrees that it looks cool.

http://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html


How One Company Scammed Silicon Valley. And How It Got Caught. (John Carreyrou)

Richard M Stein <rmstein@ieee.org>
Sun, 27 May 2018 16:26:44 -0700
BAD BLOOD
John Carreyrou
Secrets and Lies in a Silicon Valley Startup
352 pp. Alfred A. Knopf. $27.95.
*The New York Times* Book Review
http://www.nytimes.com/2018/05/21/books/review/bad-blood-john-carreyro

  "Despite warnings from employees that Theranos wasn't ready to go live on
  human subjects—its devices were likened to an eighth-grade science
  project—Holmes was unwilling to disappoint investors or her commercial
  partners. The result was a fiasco. Samples were stored at incorrect
  temperatures. Patients got faulty results and were rushed to emergency
  rooms. People who called Theranos to complain were ignored; employees who
  questioned its technology, its quality control or its ethics were
  fired. Ultimately, nearly a million tests conducted in California and
  Arizona had to be voided or corrected."

Investors and personalities enamored by technological wizardry, though based
on fundamentally fraudulent solutions, were suckered in by Theranos' promise
to revolutionize routine blood tests with a few tiny blood droplets from a
pinprick. ~US$ 1B dropped on a real "unicorn" sighting.

The Theranos founder, Elizabeth Holmes, preferred sycophants and colleagues
who possessed 110-ohm noses (striped brown-brown-brown per the Resistor
color code) that kissed her fanny. Findings and facts that disputed her
vision were concealed from investors. Knowing how to ask the right questions
remains a valuable skill to possess.

When an ethical, professional engineer confronts a situation of this nature,
there are few alternatives to pursue: (a) become a whistle-blower; (b)
continue to document findings that support legal discovery and a fraud
investigation while holding your nose and tongue; or, (c) jump ship at the
earliest opportunity.

If something appears too good to be true, it is likely the case.
P.T. Barnum, the circus entrepreneur, is reputed to have said, "There's a
sucker born every minute." An aphorism that remains prescient today for the
incurious or greedy.


Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era? (NPR)

Richard M Stein <rmstein@ieee.org>
Sun, 27 May 2018 17:30:59 -0700
https://www.npr.org/templates/transcript/transcript.php?storyId=6140792

Get out your checkbook or boost your PayPal account balance. All the free
services "enjoyed" today, that exploit volunteered information for a little
dopamine, will shift to a subscription or micropayment model.

The Internet as a true utility, like the water and power that comes out of
the wall, billed per bit. Internet disenfranchisement is likely to evolve if
meter ticks attributed to premium information become unaffordable.

Will governments introduce a subsidy—a new entitlement—to boost the
information "have-nots" into a realm approximating the "haves"? Or will there
be a multi-tier model—surrender your data for 24x7 tracking and attention
whipsaw for free, versus pay for the right to volunteer data with an
explicit opt-in (EU ePrivacy) granting license and viewing preferences as
the product?


YouTube stars' fury over algorithm tests (BBC.com)

Richard M Stein <rmstein@ieee.org>
Mon, 28 May 2018 08:05:13 -0700
http://www.bbc.com/news/technology-44279189

  'Originally, the YouTube subscription feed was a chronological list of
  videos from all the channels that a person had chosen to "subscribe"
  to. The system let people curate a personalised feed full of content from
  their favourite video-makers.

  'However, many video-makers have previously complained that some of their
  videos have not appeared in the subscription feed, and have questioned
  whether YouTube manipulates the list to boost viewer retention and
  advertising revenue.

  'YouTube's latest experiment—which it said appeared for a "small number"
  of users—changed the order of videos in the feed. Instead of showing the
  most recent videos at the top, YouTube said the manipulated feed showed
  people "the videos they want to watch".'

Algorithmic refactoring experiment adjusts video delivery order.
YouTube apparently 'wins' over content creator/copyright owners,
despite subscription historical preference and profile settings.


Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Tue, 29 May 2018 16:10:52 -0400
http://fortune.com/2018/05/25/woman-charged-7000-for-toilet-paper-ordered-amazon-refunded/

The risk? Online/automated/robot cashiers. Same as my grocery store
self-checkout charged me for 22 avocados instead of 2. At least I could get
quick refund from on-scene humans.


Amazon's Echo privacy flub has big implications for IT (Evan Schuman)

Gene Wirchenko <genew@telus.net>
Tue, 29 May 2018 17:14:58 -0700
Evan Schuman, *Computerworld*, 26 May 2018
https://www.computerworld.com/article/3276347/mobile-wireless/amazons-echo-privacy-flub-has-big-implications-for-it.html

Amazon has confirmed that one of its Echo devices recorded a family's
conversation and then messaged it to a random person on the family's contact
list.  The implications are terrifying.


"Bank of Montreal, CIBC's Simplii Financial report customer data breaches" (Asha McLean)

Gene Wirchenko <genew@telus.net>
Tue, 29 May 2018 17:34:18 -0700
Asha McLean, ZDNet, 29 May 2018
http://www.zdnet.com/article/bank-of-montreal-cibcs-simplii-financial-confirm-customer-data-breaches/

Bank of Montreal, CIBC's Simplii Financial report customer data breaches
The Canadian banks have reported being contacted by external 'fraudsters'
claiming to have accessed information on an estimated 90,000 customers.

The trial appears to be limited to 24 plates.

The plates are digital displays that can be updated and modified remotely.
Therefore, they can be updated immediately once car registration is updated.
They can also be used to "broadcast" messages such as emergency and amber
alerts, and can be set to display personal messages when the car is not in
motion.

http://www.dailymail.co.uk/sciencetech/article-5781915/California-starts-trial-digital-license-plates-allow-police-track-move.html
or https://is.gd/NRJ4Ey

The plates also broadcast information to sensors in or beside roads, and can
communicate with each other.

I trust it is not too difficult to point out the huge numbers of ways these
plates could be attacked or misused.

Asha McLean, ZDNet, 1 Jun 2018
CBA sent over 650 emails holding data on 10k customers in error.  The bank
has admitted discovering an issue with emails going to incorrect addresses.
https://www.zdnet.com/article/cba-sent-over-650-emails-holding-data-on-10k-customers-in-error/

opening text:

The Commonwealth Bank of Australia (CBA) has once again found itself in the
spotlight for the potential mishandling of customer information, admitting
it had sent over 650 incorrectly addressed internal emails.

The bank said on Friday it had completed an investigation that was initiated
after a concern was raised about internal CBA emails being inadvertently
sent to email addresses using the cba.com domain, prior to taking ownership
of that domain in April 2017.

Its usual email domain is cba.com.au.
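
The failure mode in the CBA item, internal mail addressed to a domain that looks like the organisation's own but is not, is one a mail gateway can catch before a message leaves. The check below is an added example, not CBA's or ZDNet's code: it takes the approved domain cba.com.au from the article, treats the truncated cba.com as a look-alike, and also flags spellings within a small edit distance of the approved domain. The function names, the edit-distance threshold and the sample addresses are my own constructions.

```python
from typing import Dict, List

# The bank's real domain, per the article; cba.com is the look-alike it did
# not own at the time. Everything else here is a constructed example.
APPROVED_DOMAINS = {"cba.com.au"}
LOOKALIKE_MAX_EDITS = 2  # assumed threshold; tune to the organisation's domains


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-class domains such as cba.co.au."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(address: str) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for one address."""
    if address.count("@") != 1 or not address.split("@")[1]:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    for approved in APPROVED_DOMAINS:
        if domain == approved or domain.endswith("." + approved):
            return "internal"  # the domain itself or a host beneath it
    for approved in APPROVED_DOMAINS:
        # Truncated form of the approved domain (cba.com for cba.com.au).
        if approved.startswith(domain + "."):
            return "lookalike"
        # Near-identical spelling (cba.co.au, cba-com.au, ...).
        if edit_distance(domain, approved) <= LOOKALIKE_MAX_EDITS:
            return "lookalike"
    return "external"


def check_outbound(recipients: List[str]) -> Dict[str, List[str]]:
    """Group recipients by class so a mail gateway can hold or warn on the
    'lookalike' group before an internal message leaves the organisation."""
    groups: Dict[str, List[str]] = {
        "internal": [], "lookalike": [], "external": [], "invalid": []
    }
    for recipient in recipients:
        groups[classify_recipient(recipient)].append(recipient)
    return groups


if __name__ == "__main__":
    # Constructed sample recipient list for an internal message.
    sample = ["alice@cba.com.au", "bob@cba.com", "carol@mail.cba.com.au",
              "dave@cba.co.au", "erin@example.org", "not-an-address"]
    for group, members in check_outbound(sample).items():
        print(f"{group}: {members}")
```

The point of the look-alike class is that it is the one a simple allow-list misses: cba.com is external by any exact test, yet it is exactly the address a person typing quickly produces, and until the organisation owns that domain every such message goes to whoever does.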


License Plate Risks

Jeremy Ardley <jeremy@ardley.org>
Thu, 31 May 2018 07:21:49 +0800
Two different dynamically changeable number plates.

The traditional:
http://www.youtube.com/watch?v=wSFXyIlq5xw

The $699 plus $7/month electronic paper version issued by the California
Department of Motor Vehicles:
https://youtu.be/XgyuIVePdEc

I leave it as an exercise for the reader as to what risks exist in
either. Aside, that is, from pointing out the stupidity of an electronic tag
in the age of high quality Automatic Number Plate Recognition systems linked
to a licensing computer.

However, there is a second risk in being able to detect unlicensed vehicles;
work overload. The Western Australian Police have had to turn off the
unlicensed vehicle feature in their ANPR system because there are too many
alerts!

"WA Police 'can't cope' with high number of auto-detect car registration
alerts"

http://www.abc.net.au/news/2014-06-17/end-of-the-road-for-police-alert-software/5528160


"Jira bug exposed private server keys at major companies, researcher finds" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Wed, 30 May 2018 18:37:19 -0700
Zack Whittaker, ZDNet, 30 May 2018
https://www.zdnet.com/article/jira-bug-exposed-private-server-keys-at-major-companies-researcher-finds/

Jira bug exposed private server keys at major companies, researcher finds
A major TV network, a UK cell giant, and one US government agency are among
the companies affected.


Google Started a Political Sh*tstorm Because of Its Over-Reliance on Wikipedia (Motherboard)

José María Mateos <chema@rinzewind.org>
Thu, 31 May 2018 19:39:42 -0400
https://motherboard.vice.com/en_us/article/435n9j/google-republicans-are-nazis-explanation

As VICE News reported earlier Thursday, a Google search for `California
Republican Party' resulted in Google listing `Nazism' as the ideology of the
party. This happened because of Google's Featured Snippets tool, which pulls
basic information for search terms and puts it on the front page. These are
also sometimes called Google Cards and Knowledge Panels.

The information on these cards is often taken from Wikipedia entries, which
is what seems to have happened here. Six days ago, someone edited the
Wikipedia page for `California Republican Party' to include `Nazism',
something that wasn't changed until Wednesday, Wikipedia's edit logs show.

You take content from another site and put it into yours and pretend it's
"the truth", and all that is an automated process. Can't see what might go
wrong there.


Signs of sophisticated cellphone spying found near White House, U.S. officials say (WaPo)

RICHARD M STEIN <rmstein@ieee.org>
Fri, 01 Jun 2018 15:36:42 -0700
https://www.washingtonpost.com/news/the-switch/wp/2018/06/01/signs-of-sophisticated-cell-phone-spying-found-near-white-house-say-u-s-officials/?utm_term=.3cff9618ae33

  "A federal study found signs that surveillance devices for intercepting
  cellphone calls and texts were operating near the White House and other
  sensitive locations in the Washington area last year."

Only Rip Van Winkle would have been surprised by this headline. What
precautions are the SIGINT targets using to forestall intercept? Are
they effective, or have they been compromised too? Whatever happened to
good ol' "Blackbag" jobs?


Massive Visa Outage Shows the Fragility of Global Payments (WiReD)

Lauren Weinstein <lauren@vortex.com>
Fri, 1 Jun 2018 14:04:19 -0700
NNSquad
https://www.wired.com/story/visa-outage-shows-the-fragility-of-global-payments/

  On Friday, Visa's payment network suffered outages across Europe, limiting
  transactions for both businesses and individuals. Banks and commerce
  groups began advising customers to use cash or other payment cards if
  possible, and reports indicated that online and contactless transactions
  were having more success than chip cards.  Though some Visa transactions
  still went through, the failure appeared widespread. The Financial Times
  even reported that some ATMs in the United Kingdom were already out of
  cash within a couple of hours of the first outage reports. Some observers
  saw in the outage a stark reminder of the fragility of payment networks,
  and the weaknesses in global economic platforms.


How can criminals manipulate cryptocurrency markets? (The Conversation)

Gabe Goldberg <gabe@gabegold.com>
Sat, 2 Jun 2018 02:01:55 -0400
https://theconversation.com/how-can-criminals-manipulate-cryptocurrency-markets-97294


Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds of User Email Addresses (Gizmodo)

Lauren Weinstein <lauren@vortex.com>
Fri, 25 May 2018 18:32:06 -0700
via NNSquad [Thanks, EU!]
http://gizmodo.com/ad-blocker-ghostery-celebrates-gdpr-day-by-revealing-hu-1826338313

  Ad-blocking tool Ghostery suffered from a pretty impressive,
  self-inflicted screwup Friday when the privacy-minded company accidentally
  CCed hundreds of its users in an email, revealing their addresses to all
  recipients.  Fittingly, the inadvertent data exposure came in the form of
  an email updating Ghostery users about the company's data collection
  policies. The ad blocker was sending out the message to affirm its
  commitment to user privacy as the European Union's digital privacy law,
  known as the General Data Protection Regulation (GDPR), goes into effect.
  The email arrived in inboxes with the subject line "Happy GDPR Day --
  We've got you covered!" In the body of the email, the company informed
  users, "We at Ghostery hold ourselves to a high standard when it comes to
  users' privacy, and have implemented measures to reinforce security and
  ensure compliance with all aspects of this new legislation."


Commentary: GDPR Misses the Point (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sun, 27 May 2018 13:30:02 -0400
http://fortune.com/2018/05/24/gdpr-data-privacy-cookies/


GDPR, Privacy, and CISSPforum vs "Community"

Rob Slade <rmslade@shaw.ca>
Sun, 3 Jun 2018 12:08:40 -0700
The long running CISSPforum mailing list on Yahoo Groups is being closed by
ISC2, effective June 15, 2018.  An alternate mailing list, run by volunteer
CISSPs, has been created on groups.io.

Yeah, I know.  Those of you who don't have the CISSP cert don't care.  (Even
those who, like Peter, have been given an honorary CISSP may not care.)  But
the reason the CISSPforum is being closed is kind of interesting.

ISC2 itself isn't saying much about why.  But most people discussing it seem
to think it has to do with GDPR.  Yahoo has not had the greatest success
with security, so ISC2 may wish to limit its exposure.

The thing is, if I want to give people instructions on getting to the new
CISSPforum, the easiest thing would be to send them to the page at
https://community.isc2.org/t5/Welcome/CISSPforum-replacement/td-p/11006 (or
https://is.gd/lGXNgT if email mungs that and you want a shortened version).
Yes, you are correct.  That Web page is one of the postings on the new,
supposedly private, "community" that ISC2 has created to replace the
CISSPforum mailing list as a communications venue for the membership.

And, if I want to send you to the existing discussion of the various privacy
issues to do with the new "community," I can point you to
https://community.isc2.org/t5/Welcome/Welcome-lets-talk-about-ISC2-no-censorship-Closing-of-CISSP/td-p/11021/page/2
or http://is.gd/GgHckH Or, you can search for it yourself, on Google:
http://lmgtfy.com/%3Fq%3Dsee%2Bthe%2Bamazing%2Bdancing%2BCISSPs%2Band%2Ball%2Btheir%2Bdiscussions

You will be able to see all kinds of discussion on the new forum.  Do a
Google search with any term you want, and include site:community.isc2.org as
a term, and see what the amazing dancing CISSPs have said about it.  (There
is one area of the "community" that is not searchable, but it's fairly
small.)


German spy agency can keep tabs on Internet hubs: court (Phys)

José María Mateos <chema@rinzewind.org>
Sun, 3 Jun 2018 19:24:04 -0400
http://phys.org/news/2018-05-german-spy-agency-tabs-internet.html

De-Cix, the world's largest Internet hub, says Germany's spy agency is able
to get a complete and unfiltered copy of all the data passing through its
fibre optic cables.

Germany's spy agency can monitor major Internet hubs if Berlin deems it
necessary for strategic security interests, a federal court has ruled.

In a ruling late on Wednesday, the Federal Administrative Court threw out a
challenge by the world's largest Internet hub, the De-Cix exchange, against
the tapping of its data flows by the BND foreign intelligence service.

The operator had argued the agency was breaking the law by capturing German
domestic communications along with international data.

http://rinzewind.org/blog-es


Trendism and cognitive stagnation

John Ohno <john.ohno@gmail.com>
Sat, 26 May 2018 13:02:30 -0400
Originally posted here:
http://medium.com/%40enkiv2/trendism-cognitive-stagnation-21c8e003df83

Trendism & cognitive stagnation

(This is a follow-up to Against Trendism
http://medium.com/%40enkiv2/against-trendism-how-to-defang-the-social-media-disinformation-complex-81a8e2635956)

Basing visibility on popularity is a uniquely awful version of *tyranny of
the majority* because uncommon views become invisible, even if, were they to
start on an even playing field, they would become popular.

In this way, it encourages mental stasis: since ranking is based on an
immediate appraisal of how popular something already is, and visibility is
based therefore on past shallow popularity, there's no room for
rumination.

This is NOT an attribute of `technology' or `social media', but an attribute
of visibility systems based on immediate ranking. Visibility systems based
on ranking delayed by, say, three days, or with the top 25% most popular
posts elided, would be fine.

Our capacity to imagine new possibilities is based largely on our
familiarity with the bounds of possibility space—we can only
imagine views that are in the neighborhood of views we've heard
expressed in the past. So, making the already-unpopular invisible limits
imagination.

(There are hacks we can use to make it possible to imagine views nobody has
ever held. We can make random juxtapositions, impose meaning on them, and
then figure out a justification for them—like tarot reading. Or,
we can merely iterate from some basic idea, getting more and more extreme,
while internalizing the perspective of each iteration as something someone
could possibly believe in good faith. The former—the bibliomancy
approach—is common in experimental art, while the latter is
typical of dystopian science fiction.

But, these hacks are pretty limited. We need a starting place. If
we've only heard mainstream ideas, we're going to have a
hard time going off the beaten path with the dystopia approach, while we
will struggle with the bibliomancy approach because most ideas can only be
made to seem reasonable with the help of other ideas. Getting into uncharted
territories with either of these approaches is difficult unless
you've already filled out the middle of your possibility space with
other ideas, because in their absence you would need to independently
reinvent them.)

This is not a justification, in and of itself, for banning metrics entirely.
After all, this kind of exponential distribution happens with ideas even
without the use of popularity signifiers: ideas spread, and popular ideas
have more opportunities to spread. Trendism merely accelerates the process
and widens the gap between the most popular ideas and everything else.

Sites like reddit use segmentation to prevent total ordering of popularity
from dominating, although this ultimately means that popular subreddits have
a disproportionate impact on this total ordering when it is seen.
http://redditp.com/r/all

Similarly, we have seen piecemeal attempts to limit the effects of trendism
for particular topics—the curation of trending topics at twitter and
facebook, for instance, or ad-hoc ranking demerits for particular tags on
lobste.rs.

However, we could be applying the measurements we already take to counteract
trendism rather than accelerating it: making popularity count less the
higher it gets, removing overly-popular content entirely, boosting the
visibility of mostly-unseen content, using information about organic reach
in sites like twitter to boost the synthetic reach of people who
don't have many followers (instead of boosting the synthetic reach
of the rich), systematically demoting posts that comment on trending topics,
spotlighting spotify tracks and youtube videos with zero views, and so on.

Where trendism devalues the function of recommendation systems as novelty
aggregators, these tools could be modified to be anti-trendist, pro-novelty,
and promote a cosmopolitanism that broadens our horizons in ways traditional
word-of-mouth never could. This is a unique capacity of recommendation
systems over curators: recommendation systems can recommend things nobody
has ever seen, and can recommend them on the grounds that nobody has seen
them.
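
The ranking changes sketched above (delayed ranking, eliding the most popular
slice, diminishing returns on popularity, boosting content nobody has seen) as
a runnable comparison. This is an added example, not code from John Ohno's post
or from any site he names; the feed, the 72-hour delay, the 25% elision, the
log1p() diminishing-returns curve and the unseen-boost formula are all
constructed assumptions chosen to make the effect visible.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    """One item in a feed. All fields are constructed sample values."""
    id: str
    votes: int        # accumulated popularity signal (likes, upvotes)
    age_hours: float  # hours since the post was made
    views: int        # how many people have already seen it


# Constructed sample feed (hypothetical data, not taken from any real site).
FEED = [
    Post("viral",   votes=5000, age_hours=6,   views=200_000),
    Post("popular", votes=800,  age_hours=12,  views=30_000),
    Post("mid",     votes=90,   age_hours=30,  views=4_000),
    Post("niche-a", votes=12,   age_hours=80,  views=300),
    Post("niche-b", votes=9,    age_hours=100, views=150),
    Post("unseen",  votes=0,    age_hours=90,  views=0),
    Post("fresh",   votes=3,    age_hours=1,   views=40),
]


def trendist_rank(posts):
    """Immediate popularity ranking: whatever is already most popular wins."""
    return [p.id for p in sorted(posts, key=lambda p: (-p.votes, p.id))]


def anti_trendist_score(p, delay_hours, unseen_boost):
    """Score one post along the lines the text proposes (assumed formulas).

    - Delay: votes only count once the post is older than delay_hours, so a
      post cannot ride an instant popularity spike straight to the top.
    - Diminishing returns: log1p() makes each extra vote worth less than the
      last, i.e. popularity counts less the higher it gets.
    - Unseen boost: the fewer views a post already has, the more it is lifted;
      a post with zero views gets the full unseen_boost.
    """
    counted_votes = p.votes if p.age_hours >= delay_hours else 0
    popularity = math.log1p(counted_votes)
    novelty = unseen_boost / (1.0 + math.log1p(p.views))
    return popularity + novelty


def anti_trendist_rank(posts, delay_hours=72.0, elide_top_fraction=0.25,
                       unseen_boost=1.0):
    """Ranking that counteracts trendism.

    The top elide_top_fraction of posts by raw votes are removed entirely
    (the 'elide the most popular' idea); the rest are ordered by
    anti_trendist_score().
    """
    by_votes = sorted(posts, key=lambda p: (-p.votes, p.id))
    n_elide = round(len(by_votes) * elide_top_fraction)
    remaining = by_votes[n_elide:]
    scored = sorted(
        remaining,
        key=lambda p: (-anti_trendist_score(p, delay_hours, unseen_boost), p.id),
    )
    return [p.id for p in scored]


if __name__ == "__main__":
    print("trendist:     ", trendist_rank(FEED))
    print("anti-trendist:", anti_trendist_rank(FEED))
```

On this feed the trendist ordering puts "viral" and "popular" first and the
never-viewed post last; the anti-trendist ordering drops the top two outright,
lifts the zero-view post above the 4,000-view one, and gives "mid" no credit
for its 90 votes yet because it is younger than the delay window. The exact
formulas are illustrative; the point is that every knob used to amplify
popularity can be turned the other way with the same data.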


Re: Securing Elections

Amos Shapir <amos083@gmail.com>
Mon, 28 May 2018 09:38:16 +0300
I don't wish to start a political argument, but from a practical POV, there
is merit to the US method of "the winner takes it all"—eventually, one
candidate wins, and incumbents should be let to do their job to the best of
their ability.  Compare that to relational methods in some European
countries, which have brought about unstable governments which are
reshuffled often (like in France before 1968, or current Italy).

History has proven—from the resignation of Nixon to the recent upheaval in
Armenia—that as long as freedom of expression and assembly are kept, the
public would eventually be able to express enough dissent to get rid of
corrupt politicians, no matter which system was used to elect them in the
first place.

Please report problems with the web pages to the maintainer
