The RISKS Digest
Volume 30 Issue 84

Friday, 28th September 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

The Plot to Subvert an Election
NYTimes
In Georgia, a legal battle over electronic vs. paper voting
WashPo
Wisconsin Officials Prepare for Potential Election Hackers
USNews
Here's the science behind the Brexit vote and Trump's rise
Michele Gelfand - The Guardian
Democrat pushes changes to protect senators' personal accounts from continued threats
WashPo
Electronic temporary registration
Phil Smith III
GM Recalls One Million Pickups and SUVs in U.S. for Crash Risk
WSJ
How Can AI Help to Prepare for Floods in a Climate-Changed World
SciAm
Major Japanese ramen chain's logo confuses Honda cars' AI
Master Blaster
Florence: At least 13 deaths reported as storm slogs across Carolinas
WashPo
EU Preliminarily Passes Horrific Articles 11 & 13
Lauren Weinstein
Seeing Is Now Not Believing Anymore: Researchers Come Out With Yet Another Unnerving, New Deepfake Method
Gizmodo
Google Knows Where You've Been, but Does It Know Who You Are?
NYT
Uber Glitch Stops Payments To Drivers, Prices Surge
Slashdot
Bay Area city blocks 5G deployments over cancer concerns
TechCrunch
Elon Musk said a Tesla could drive itself across the country by 2018. One just crashed backing out of a garage
LATimes
Phishing attacks are targeting students' financial aid, officials say
WashPo
Stealing From a Cashierless Store—Without You, or the Cameras, Knowing It
New York Times
New Research Can Identify Extremists Online, Even Before They Post Dangerous Content
ForensicMag
Weather Channel: Seeing Is Not Believing, Take 2
GatewayPundit
Bug in Bitcoin code also opens smaller cryptocurrencies to attacks
ZDNet
Quantum computing may *not* be better ...
Rob Slade
What cardiologists think about the Apple Watch's heart-tracking feature
WashPo
"This Windows file may be secretly hoarding your passwords and emails"
ZDnet
Bloat
Rob Slade
How to Keep Forever the Music, Movies or Ebooks You 'Buy' on Amazon or iTunes
Gabe Goldberg
Re: "Are Digital Devices Altering Our Brains?"
Gene Wirchenko
Info on RISKS (comp.risks)

The Plot to Subvert an Election (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 20 Sep 2018 14:41:11 PDT
Unraveling the Russia Story So Far
Scott Shane and Mark Mazzetti
*The New York Times* Special Report, Section F, 20 Sep 2018

F2-F3. As the Trump campaign advanced, Russia stepped up efforts on three
  fronts: hacks and leaks, social media fakery, and outreach to Trump
  associates.

F4-F8. Vladimir Putin was nostalgic for Russia's lost superpower status and
  believed the United States had sought to undermine his presidency.

F9-F10. As hacked emails shook the Democratic Party, Russian online trolls
  reached an audience of nearly as many Americans as would vote in the
  election.

F11-F12. President Trump has sown doubts about the federal investigation and
  created a new affinity for Russia among his most devoted supporters.

There is also a remarkably comprehensive running timeline (across the tops
of pages F4 to F12), "showing the full scale of Russia's unprecedented
interference in the 2016 election—and its aftermath."  This would be
an invaluable read for people who are deniers (other than those who measure
fine silk or value old European coins).


In Georgia, a legal battle over electronic vs. paper voting (WashPo)

Lauren Weinstein <lauren@vortex.com>
Sun, 16 Sep 2018 12:15:40 -0700
via NNSquad
https://www.washingtonpost.com/world/national-security/in-georgia-a-legal-battle-over-electronic-vs-paper-voting/2018/09/16/d655c070-b76f-11e8-94eb-3bd52dfe917b_story.html

  Logan Lamb, a cybersecurity sleuth, thought he was conducting an innocuous
  Google search to pull up information on Georgia's centralized system for
  conducting elections.  He was taken aback when the query turned up a file
  with a list of voters and then alarmed when a subsequent, simple data pull
  retrieved the birth dates, drivers' license numbers and partial Social
  Security numbers of more than 6 million voters, as well as county election
  supervisors' passwords for use on Election Day. He also discovered the
  server had a software flaw that an attacker could exploit to take control
  of the machine.  The unsecured server that Lamb exposed in August 2016 is
  part of an election system—the only one in the country that is
  centrally run and relies upon computerized touch screen voting machines
  for Georgia's 6.8 million voters—that is now at the heart of a legal
  and political battle with national security implications.


Wisconsin Officials Prepare for Potential Election Hackers (USNews)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 17 Sep 2018 9:23:44 PDT
Grigor Atanesian, Wisconsin Center for Investigative Journalism.
https://www.usnews.com/news/best-states/wisconsin/articles/2018-09-16/wisconsin-officials-prepare-for-potential-election-hackers

  [Very long item.  Heavily PGN-excerpted.
  PLEASE READ THE ENTIRE ARTICLE IF YOU SEEK ELECTION INTEGRITY.]

Cybersecurity experts say Wisconsin and many other states have specific
potential vulnerabilities in their election systems, including the use of
private vendors to program and service voting machines.

Madison, Wis. (AP) A private vendor inadvertently introduces malware into
voting machines he is servicing.  A hacker hijacks the cellular modem used
to transmit unofficial Election Day results. An email address is
compromised, giving bad actors the same access to voting software as a local
elections official.  These are some of the potential vulnerabilities of
Wisconsin's election system described by cybersecurity experts.  [...]

In July, the Wisconsin Center for Investigative Journalism reported that
Russian hackers have targeted websites of the Democratic Party of Wisconsin,
the state Department of Workforce Development and municipalities including
Ashland, Bayfield and Washburn. Elections in this swing state are
administered by 1,853 municipal clerks, 72 county clerks and the Wisconsin
Elections Commission.  Top cybersecurity experts from the United States,
Canada and Russia interviewed by the Center said that some practices and
hardware components could make voting in Wisconsin open to a few types of
malicious attacks, and that Russian actors have a record of these specific
actions.  And it is not just Wisconsin—this is a nationwide threat, the
National Academy of Sciences, Engineering and Medicine stated in its newly
released report, Securing the Vote.  [...]

Former longtime Legislative Audit Bureau manager Karen McKim, a coordinator
for the Madison-based grassroots group Wisconsin Election Integrity, said
many Wisconsin elections officials do not realize "how very much is
completely outside their control.  They really, truly, do believe that if
they keep the individual voting machines unconnected from the Internet and
do pre-election testing, that the software is safe," said McKim, whose group
advocates for measures to secure Wisconsin's elections.  [...]

Dane County Clerk Scott McDonell said large counties in Wisconsin such as
his "typically code their own elections," but "the small ones are
outsourcing.  If I were being paranoid," he added, "I would worry about the
outsourced ones."  [...]

Computer scientist J. Alex Halderman, who was part of the team that pushed
for the 2016 recount of the presidential vote in Wisconsin, told the
U.S. Senate Intelligence Committee that private vendors can make elections
systems vulnerable.  "Attackers could target one or a few of these companies
and spread malicious code to election equipment that serves millions of
voters," Halderman, director of the University of Michigan's Center for
Computer Security and Society, testified in 2017.  [...]

Harri Hursti, an international expert on election cybersecurity and
co-founder of the Voting Machine Hacking Village at the annual DEFCON hacker
conference, agreed. He said that "it is hard to make the claim that anything
using any kind of USB devices can be air-gapped," or physically isolated
from attack.  "USB memory cards are mini-computers," Hursti said, "and we
have known for years how to reprogram those to carry malicious content over
air gaps and extract confidential information."  [...]

Experts said another potential vulnerability is associated with the use of
modems in voting machines across Wisconsin to transmit unofficial Election
Day results.  In some cases, those modems are transmitting results over the
Internet, Haas, the former Elections Commission administrator, acknowledged
in 2016 testimony during the legal battle over Wisconsin's presidential
recount.  [...]

However, computer scientists say that existing defense measures can be
overrun. According to *The New Yorker*, such concerns have prompted four
states—New York, Maryland, Virginia and Alabama—to prohibit the use of
machines with modems to transmit election results.  [...]

Another practice criticized by the computer scientists is the use of
cellular technology to transmit unofficial election results. Cellular
networks' security liabilities were detailed in a 2017 U.S. Department of
Homeland Security report, which called for enhanced protections when
governments use cellular technology.  [...]

In February, two Princeton University computer science professors, Andrew
Appel and Kyle Jamieson, published a blog describing possible scenarios to
hack modems used in DS200 paper ballot tabulators, including erecting fake
cellphone towers near voting locations like police do with Stingray devices.
"If your state laws, or a court with jurisdiction, say not to connect your
voting machines to the Internet, then you probably shouldn't use telephone
modems either," they said.  [...]

But even discrepancies between initially reported unofficial results and the
outcome of the election may achieve Russia's goal of sowing discord,
according to FireEye's McNamara.  He is among those cautioning against
becoming too focused on the vulnerabilities of America's vote-tallying
systems. McNamara said the Kremlin's goal may be simpler: "Attacking the
confidence of electoral process itself."  [...]


Here's the science behind the Brexit vote and Trump's rise (Michele Gelfand, The Guardian)

"Dave Farber" <farber@gmail.com>
Mon, 17 Sep 2018 18:53:42 +0900
https://www.theguardian.com/commentisfree/2018/sep/17/science-behind-brexit-vote-trump


Democrat pushes changes to protect senators' personal accounts from continued threats (WashPo)

Monty Solomon <monty@roscom.com>
Thu, 20 Sep 2018 07:27:19 -0400
Sen. Ron Wyden (D-Ore.) is trying to expand the Senate Sergeant at Arms'
mandate to provide protection for senators' and staffers' personal accounts
and devices, as well as their official ones.

https://www.washingtonpost.com/powerpost/democrat-pushes-changes-to-protect-senators-personal-accounts-from-continued-threats/2018/09/19/57ff1678-bc69-11e8-8792-78719177250f_story.html


Electronic temporary registration

Phil Smith III <phs3@akphs.com>
Tue, 11 Sep 2018 21:41:17 -0400
I got a loaner/rental from a car dealership today, and rather than printing
out a contract, they sent me a text message with a link to a bare-bones PDF
that, to be honest, I could have forged in about 15 seconds. But I suppose a
car thief wouldn't bother.

In any case, the risk is that I get pulled over and have no cell service (or
my phone has died because I left the charging cord in my car). What would I
do—ask the cop to follow me until I got service??

A small risk, but seems like maybe they're trying too hard to be all high-tech.

Interesting: the host in the link was an amazonaws host.


GM Recalls One Million Pickups and SUVs in U.S. for Crash Risk (WSJ)

Monty Solomon <monty@roscom.com>
Tue, 18 Sep 2018 09:26:02 -0400
Defect is latest example of problems generated by the growing use of
software to control a car's mechanical functions

https://www.wsj.com/articles/gm-recalls-one-million-pickups-and-suvs-in-u-s-for-crash-risk-1536845725


How Can AI Help to Prepare for Floods in a Climate-Changed World? (Scientific American)

Richard Stein <rmstein@ieee.org>
Thu, 13 Sep 2018 13:13:10 -0700
https://www.scientificamerican.com/article/former-fema-chief-uses-ai-to-prepare-for-hurricanes-and-rising-seas/

Predicting greater flood potential can be applied to determine insurance
eligibility. Application may force families, communities, or businesses to
relocate as rates adjust to accommodate storm surge or inundation risks.


Major Japanese ramen chain's logo confuses Honda cars' AI

Gene Wirchenko <genew@telus.net>
Sun, 16 Sep 2018 20:37:35 -0700
Master Blaster
https://soranews24.com/2018/09/17/major-japanese-ramen-chains-logo-confuses-honda-cars-ai/

Motorist and Twitter user Yukiesu (@yuk381) posted a scene from his driver
seat in front of a Tenkaippin ramen store. In it, despite just sitting in
the parking lot, a warning on his dashboard is indicating that the car sees
a "Do Not Enter" sign.


Florence: At least 13 deaths reported as storm slogs across Carolinas (WashPo)

Monty Solomon <monty@roscom.com>
Sun, 16 Sep 2018 10:58:16 -0400
With road conditions changing rapidly, officials advised travelers to check
back frequently, especially because satellite navigation systems were still
directing drivers to dangerous stretches of roadway.

https://www.washingtonpost.com/news/post-nation/wp/2018/09/16/florence-several-deaths-reported-as-storm-swamps-carolinas/


EU Preliminarily Passes Horrific Articles 11 & 13—Here's How to Fight Back!

Lauren Weinstein <lauren@vortex.com>
Wed, 12 Sep 2018 09:36:50 -0700
Lauren's Blog
https://lauren.vortex.com/2018/09/12/eu-preliminarily-passes-horrific-articles-11-13-heres-how-to-fight-back

By a vote of 438 to 226, the massively confused and lobbyists-owned EU
Parliament has preliminarily passed horrific Article 11 and Article 13, aimed
at turning ordinary users into the slaves of government-based Internet
censorship and abuse.

The war isn't over, however. These articles now enter a period of
negotiation with EU member states, and then are subject to final votes next
year, probably in the spring.

So now's the time for the rest of the world to show Europe some special
"tough love"—to help them understand what their Internet island universe
will look like if these terrible articles are ever actually implemented.

Article 11 is an incredibly poorly defined "link tax" aimed at news
aggregators. If Article 11 is implemented, the reaction by most aggregators
who have jurisdictional exposure to the EU (e.g., EU-based points of
presence) will not be to pay the link taxes, but rather will be to
completely cease indexing those EU sites.

Between now and the final votes next year, news aggregation sites should
consider temporarily ceasing to index those EU sites for various periods of
time at various intervals, to give those sites a taste of what happens to
their traffic when such indexing stops, and what their future would look
like under Article 11.

Then we have Article 13's massive, doomed-to-disaster content filtering
scheme, which would be continually inundated with false matches and fake
claims (there are absolutely no penalties under Article 13 for submitting
bogus claims). While giant firms like Google and Facebook would have the
resources to implement Article 13's mandates, virtually nobody else
could. And even the incredibly expensive filtering systems built by these
largest firms have significant false positive error rates, frequently block
permitted content, and cost vast sums to maintain.

A likely response to Article 13 by many affected firms would be to geoblock
EU users from those companies' systems.  That process can begin now on a
"demonstration" basis. The IP address ranges for EU countries can be easily
determined in an automated manner, and servers programmed to present an
explanatory "Sorry about that, Chief—You're in the EU!" message to EU
users instead of the usual services.  As with the Article 11 protest
procedure noted above, these Article 13 IP blocks would be implemented at
various intervals for various durations, between now and the final votes
next year.

The genuinely sad part about all this is that none of it should be
necessary. Article 11 and 13 mandates will never work as their proponents
hope, and if deployed will actually do massive damage not only to EU (and
other) users at large, but to the very constituencies that have lobbied for
passage of these articles!

And that's a lose-lose situation in any language.

  [Gene Wirchenko noted this item by David Meyer: "The EU's new Copyright
  Directive really is that bad": New rules will make it harder to share
  links and content. So can it be stopped?  13 Sep 2018
  https://www.zdnet.com/article/the-eus-new-copyright-directive-really-is-that-bad/ ]


Seeing Is Now Not Believing Anymore: Researchers Come Out With Yet Another Unnerving, New Deepfake Method (Gizmodo)

geoff goodfellow <geoff@iconia.com>
Fri, 14 Sep 2018 10:07:57 -1000
https://gizmodo.com/deepfake-videos-are-getting-impossibly-good-1826759848

*Deepfakes*, ultra-realistic fake videos manipulated using machine learning,
are getting pretty convincing

And researchers continue to develop new methods to create these types of
videos, for better or, more likely, for worse.  The most recent method comes
from researchers at Carnegie Mellon University, who have figured out a way
to automatically transfer the style of one person to another...

https://gizmodo.com/it-was-only-a-matter-of-time-before-internet-trolls-mad-1822463473
https://gizmodo.com/researchers-come-out-with-yet-another-unnerving-new-de-1828977488


Google Knows Where You've Been, but Does It Know Who You Are? (NYT)

Monty Solomon <monty@roscom.com>
Wed, 12 Sep 2018 10:14:19 -0400
https://www.nytimes.com/2018/09/12/magazine/google-maps-location-data-privacy.html

How looking at the location data that the company collects about you lets
you see yourself in a whole new way.


Uber Glitch Stops Payments To Drivers, Prices Surge (Slashdot)

Lauren Weinstein <lauren@vortex.com>
Sat, 15 Sep 2018 15:41:42 -0700
NNSquad
https://tech.slashdot.org/story/18/09/15/2147254/uber-glitch-stops-payments-to-drivers-prices-surge

  Now the San Diego Reader reports the issue "is forcing San Diego drivers
  off the road," with the shortage of drivers triggering surge pricing
  throughout the entire region as much as triple the usual rate. Surge
  pricing is also hitting riders in Dallas, according to another Uber
  driver's tweet, who complains "It's a shame that a $48 billion 'tech'
  company can't get it together."

   [Also noted by Gabe Goldberg.  PGN]


Bay Area city blocks 5G deployments over cancer concerns (TechCrunch)

Gabe Goldberg <gabe@gabegold.com>
Sun, 16 Sep 2018 10:30:42 -0400
The city council of Mill Valley, a small town located just a few miles north
of San Francisco, voted unanimously late last week to effectively block
deployments of small-cell 5G wireless towers in the city's residential
areas.

Through an urgency ordinance, which allows the city council to immediately
enact regulations that affect the health and safety of the community, the
restrictions and prohibitions will be put into force immediately for all
future applications to site 5G telecommunications equipment in the
city. Applications for commercial districts are permitted under the passed
ordinance.   The ordinance was driven by community concerns over the health
effects of 5G wireless antennas. According to the city, it received 145
pieces of correspondence from citizens voicing opposition to the technology,
compared to just five letters in support of it, a ratio of 29 to 1.  While
that may not sound like much, the city's population is roughly 14,000,
indicating that about 1% of the population had voiced an opinion on the
matter.

https://techcrunch.com/2018/09/10/bay-area-city-blocks-5g-deployments-over-cancer-concerns/


Elon Musk said a Tesla could drive itself across the country by 2018. One just crashed backing out of a garage (LATimes)

Gabe Goldberg <gabe@gabegold.com>
Sun, 16 Sep 2018 10:33:48 -0400
When Mangesh Gururaj's wife left home to pick up their child from math
lessons one Sunday this month, she turned on her Tesla Model S and hit
"Summon," a self-parking feature that the electric automaker has promoted as
a central step toward driverless cars.

But as the $65,000 sedan reversed itself out of the garage, Gururaj said,
the car bashed into a wall, ripping off its front end with a loud crack. He
said the damaged Tesla looked like it would have kept driving if his wife
hadn't hit the brakes.

No one was hurt, but Gururaj was rattled: The car had failed disastrously,
during the simplest of maneuvers, using one of the most basic features from
the self-driving technology he and his family had trusted countless times at
higher speeds.

http://www.latimes.com/business/la-fi-hy-tesla-self-driving-20180913-story.html


Phishing attacks are targeting students' financial aid, officials say (WashPo)

Monty Solomon <monty@roscom.com>
Sun, 16 Sep 2018 12:05:12 -0400
The agency warned that attackers may be refining a scheme to redirect
federal student aid money to private bank accounts, preparing for times when
large volumes of aid are disseminated, and said the phishing attempt is a
serious threat.

https://www.washingtonpost.com/education/2018/09/15/education-department-warns-that-students-financial-aid-are-being-targeted-phishing-attacks/


Stealing From a Cashierless Store—Without You, or the Cameras, Knowing It (New York Times)

Richard Stein <rmstein@ieee.org>
Fri, 14 Sep 2018 07:43:59 -0700
https://www.nytimes.com/2018/09/13/technology/standard-market-retail-automation-behavioral-data.html

"The goal is to predict, and prevent, shoplifting, because unlike Amazon's
Go stores, which have a subway turnstile-like gate for entry and exit,
Standard Market has an open door, and the path is clear."

This 24/7 shop got at least one thing right: there are no locks on the
doors!


New Research Can Identify Extremists Online, Even Before They Post Dangerous Content (ForensicMag)

"Dave Farber" <farber@gmail.com>
Fri, 14 Sep 2018 11:53:30 +0900
https://www.forensicmag.com/news/2018/09/new-research-can-identify-extremists-online-even-they-post-dangerous-content

New research has found a way to identify extremists, such as those
associated with the terrorist group ISIS, by monitoring their social media
accounts, and can identify them even before they post threatening content.

The research, "Finding Extremists in Online Social Networks," which was
recently published in the INFORMS journal Operations Research, was conducted
by Tauhid Zaman of the Massachusetts Institute of Technology; Lieutenant
Colonel Christopher E. Marks, U.S. Army; and Jytte Klausen of Brandeis
University

The number and size of online extremist groups using social networks to
harass users, recruit new members, and incite violence is rapidly
increasing. While social media platforms are working to combat this (in
2016, Twitter reported it had shut down 360,000 ISIS accounts) they
traditionally rely heavily on users' reports to identify these accounts.

In addition, once an account has been suspended, there is little that can be
done to prevent a user from opening up a new account, or multiple accounts.

"Social media has become a powerful platform for extremist groups, ranging
from ISIS to white nationalist "alt-right" groups," said Zaman. "These
groups use social networks to spread hateful propaganda and incite violence
and terror attacks, making them a threat to the general public."

Identifying extremists before they pose a threat online

The researchers collected Twitter data from approximately 5,000 "seed" users
who were either known ISIS members or who were connected to many known ISIS
members as friends or followers. They obtained their names through news
stories, blogs, and reports released by law enforcement agencies and think
tanks.

In addition to reviewing the content of 4.8 million tweets from these users'
timelines (including text, links, hash tags, and mentions), they also
tracked account suspensions, as well as any suspensions of their friends and
followers accounts.

For the purpose of this study, the researchers focused on the account
networks forged by known ISIS and Al Qaeda sympathizers and known foreign
fighters and content that had been flagged by Twitter as terrorist in
nature.

Using statistical modeling of extremist behavior with optimized search
policies and actual ISIS user data, the researchers developed a method to
predict new extremist users, identify if more than one account belongs to
the same user, as well as predict network connections of suspended extremist
users who start a new account.

In addition, by tracking and comparing data on screen names, user name,
profile images and banner images, the researchers were also able to identify
70 percent of additional Twitter profiles held by extremist users, with only
a 2 percent incidence of misclassifying profiles.

"We created a new set of operational capabilities to deal with the threat
posed by online extremists in social networks," said Marks. "We are able to
predict who is an extremist before they post any content, and then able to
predict where they will re-enter the network after they are suspended. In
short, we can automatically figure out who is an extremist and keep them off
the social network."

While the study was conducted using data from accounts belonging to ISIS
extremists on Twitter, their methodology can be applied to any extremist
group and any social network.

"Users that engage in some form of online extremism or harassment will have
very similar behavioral characteristics in social networks," said
Klausen. "They will connect to a specific set of users which form their
extremist group. They will create new accounts which will resemble their old
accounts after being suspended, and when they return to the social network
following a suspension, there is a high probability they will reconnect with
certain former friends."
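As an added illustration of the signals Klausen describes (a new screen name that resembles the old one, reconnection with the same set of former friends, a reused profile image), here is a small Python scorer for linking a fresh account to a suspended one. It is not the Zaman/Marks/Klausen model and not code from the article; the accounts, weights and threshold are constructed for the example.

```python
"""Toy re-entry matcher for suspended accounts.

Added example, not the model from "Finding Extremists in Online Social
Networks".  Weights, threshold and sample accounts are made up for
illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Account:
    screen_name: str
    friends: FrozenSet[str]      # accounts this one follows
    profile_image_hash: str      # e.g. a perceptual hash; constructed here


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used for screen-name resemblance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def name_similarity(a: str, b: str) -> float:
    """1.0 for identical names (case-insensitive), 0.0 for totally different."""
    a, b = a.lower(), b.lower()
    longest = max(len(a), len(b)) or 1
    return 1.0 - levenshtein(a, b) / longest


def jaccard(x: FrozenSet[str], y: FrozenSet[str]) -> float:
    """Overlap of two friend sets; 0.0 when both are empty."""
    if not x and not y:
        return 0.0
    return len(x & y) / len(x | y)


def reentry_score(old: Account, new: Account) -> float:
    """Weighted combination of the three signals, in the range 0..1.
    The weights are assumptions chosen for the example."""
    score = 0.4 * name_similarity(old.screen_name, new.screen_name)
    score += 0.4 * jaccard(old.friends, new.friends)
    score += 0.2 * (old.profile_image_hash == new.profile_image_hash)
    return score


def match_reentrants(suspended: List[Account], fresh: List[Account],
                     threshold: float = 0.6) -> List[Tuple[str, str, float]]:
    """For each fresh account, report the suspended account it most
    resembles when the score clears the threshold."""
    out = []
    for new in fresh:
        best = max(suspended, key=lambda old: reentry_score(old, new))
        score = reentry_score(best, new)
        if score >= threshold:
            out.append((new.screen_name, best.screen_name, round(score, 3)))
    return out


# Constructed sample data: one suspended account and two newcomers.
SUSPENDED = [Account("crusader_77", frozenset({"a", "b", "c", "d"}), "h1")]
FRESH = [
    Account("crusader_78", frozenset({"a", "b", "c", "e"}), "h1"),
    Account("weather_fan", frozenset({"z"}), "h9"),
]

if __name__ == "__main__":
    for new_name, old_name, score in match_reentrants(SUSPENDED, FRESH):
        print(f"{new_name} looks like returning {old_name} (score {score})")
```

The point of the weighting is that no single signal is decisive: a similar name alone scores 0.4 at most, so a lookalike handle without the old friend set or image stays below the threshold, which keeps the false-positive rate in check on this toy data.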


Weather Channel: Seeing Is Not Believing, Take 2 (GatewayPundit)

geoff goodfellow <geoff@iconia.com>
Sat, 15 Sep 2018 11:31:49 -1000
Whoops!  Weather Channel Caught in Fake News Scam—Wind-Blown Reporter Did Not
Expect Kids in Shorts to Spoil Shot?

https://www.thegatewaypundit.com/2018/09/whoops-weather-channel-caught-in-fake-news-scam-wind-blown-reporter-did-not-expect-kids-in-shorts-to-spoil-shot-video/


Bug in Bitcoin code also opens smaller cryptocurrencies to attacks (ZDNet)

Gene Wirchenko <genew@telus.net>
Wed, 19 Sep 2018 18:53:33 -0700
Catalin Cimpanu for Zero Day | 19 Sep 2018
Simple denial of service bug can crash unpatched Bitcoin network nodes and
may also affect many Bitcoin-based cryptocurrency offshoots.  The Bitcoin
team fixed today a severe vulnerability in the software that underpins the
entire Bitcoin network.

https://www.zdnet.com/article/bug-in-bitcoin-code-also-opens-smaller-cryptocurrencies-to-attacks/


Quantum computing may *not* be better ...

Rob Slade <rmslade@shaw.ca>
Wed, 19 Sep 2018 18:30:23 -0700
I have been studying quantum computing, in terms of its implications for
security, for some time now.
itsecurity.co.uk/2016/09/security-implications-quantum-computing/
Sometimes the news is good.
https://community.isc2.org/t5/Industry-News/Quantum-computers-really-are-better/m-p/11746#M1140
or
https://is.gd/tkLyQF
Oftentimes people get it wrong.
https://community.isc2.org/t5/Tech-Talk/Cryptography-need-to-go-down-the-rabbit-hole-suggestions/m-p/13293/highlight/true#M386
or
https://is.gd/70hYhU

But this news is extremely disturbing.
https://www.scientificamerican.com/article/reimagining-of-schroedingers-cat-breaks-quantum-mechanics-mdash-and-stumps-physicists1/
or https://is.gd/Ylj3jM
If the implications of this thought experiment are true, then quantum
computers may be impossible.  (Or, if possible, then subject to extremely
weird sorts of race conditions that make Intel architectures seem positively
reliable ...)
https://community.isc2.org/t5/Industry-News/Foreshadowing-the-end-of-computing-as-we-know-it/m-p/13822#M1456
or https://is.gd/sFO1MV


What cardiologists think about the Apple Watch's heart-tracking feature (WashPo)

Richard Stein <rmstein@ieee.org>
Wed, 19 Sep 2018 15:22:47 -0700
https://www.washingtonpost.com/technology/2018/09/14/what-cardiologists-think-about-apple-watchs-heart-tracking-feature

"But there is also concern that widespread use of electrocardiograms without
an equally broad education initiative could burden an already taxed
health-care system. Heart rhythms naturally vary, meaning that it's likely
that Apple Watch or any heart monitor could signal a problem when there
isn't one—and send someone running to the doctor for no reason."

"The FDA has cleared Apple's device as a Class II medical device, meaning
that it is intended to diagnose or treat a medical condition and poses a
minimal risk to use. (Other Class II devices include some powered
wheelchairs and pregnancy kits, according to the FDA website.)  In its
letter to Apple clearing the feature, the FDA listed as a risk factor the
potential for mistakenly flagging a problem, prompting unneeded treatment."

Hypochondriacs take note: This watch is for you.


"This Windows file may be secretly hoarding your passwords and emails" (ZDnet)

Gene Wirchenko <genew@telus.net>
Wed, 19 Sep 2018 19:03:29 -0700
Catalin Cimpanu for Zero Day | 19 Sep 2018

A little-known Windows feature will create a file that stores text extracted
from all the emails and plaintext-files found on your PC, which sometimes
may reveal passwords or private conversations.

If you're one of the people who own a stylus or touchscreen-capable Windows
PC, then there's a high chance there's a file on your computer that has
slowly collected sensitive data for the past months or even years.

This file is named WaitList.dat, and according to Digital Forensics and
Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on
touchscreen-capable Windows PCs where the user has enabled the handwriting
recognition feature [1, 2] that automatically translates stylus/touchscreen
scribbles into formatted text.

The handwriting to formatted text conversion feature has been added in
Windows 8, which means the WaitList.dat file has been around for years.

"In my testing, population of WaitList.dat commences after you begin using
handwriting gestures," Skeggs told ZDNet in an interview. "This 'flicks the
switch' (registry key) to turn the text harvester functionality (which
generates WaitList.dat) on."

"Once it is on, text from every document and email which is indexed by the
Windows Search Indexer service is stored in WaitList.dat.  Not just the
files interacted via the touchscreen writing feature," Skeggs says.

https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/
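For readers who want to check a machine for this artifact, here is an added Python triage script; it is not from the ZDNet article or from Skeggs. Two things it assumes are not stated above and must be confirmed against a real sample: the per-user path where WaitList.dat is looked for, and that the harvested text is stored as UTF-16LE. The binary blob at the bottom is constructed, not a real WaitList.dat.

```python
"""Triage helper for a WaitList.dat-style text-harvester file.

Added example.  Assumptions (not stated in the article): the file lives
under WAITLIST_RELPATH inside each Windows user profile, and harvested
text is UTF-16LE.  Verify both on a real sample before trusting results.
"""
import os
import re
from typing import Iterable, Iterator, List, Tuple

# Assumed per-user location, relative to a profile directory such as
# C:\Users\<name>.  Treat as a hypothesis, not a documented path.
WAITLIST_RELPATH = os.path.join(
    "AppData", "Local", "Microsoft", "InputPersonalization",
    "TextHarvester", "WaitList.dat")

# Credential-looking fragments worth a second look during triage.
SENSITIVE_RE = re.compile(
    r"(password|passwd|pwd|secret|api[_ -]?key|token)\s*[:=]\s*\S+",
    re.IGNORECASE)


def find_waitlist(profile_root: str) -> List[str]:
    """Return existing WaitList.dat paths under every profile in profile_root."""
    hits: List[str] = []
    if not os.path.isdir(profile_root):
        return hits
    for name in sorted(os.listdir(profile_root)):
        candidate = os.path.join(profile_root, name, WAITLIST_RELPATH)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def extract_utf16_strings(blob: bytes, min_chars: int = 6) -> Iterator[str]:
    """Yield runs of printable UTF-16LE text of at least min_chars characters.
    Both byte alignments are scanned so a string starting on an odd offset
    is not missed."""
    for offset in (0, 1):
        data = blob[offset:]
        run: List[str] = []
        for i in range(0, len(data) - 1, 2):
            code = data[i] | (data[i + 1] << 8)
            ch = chr(code)
            if 0x20 <= code < 0x7F or ch in "\t\n\r":
                run.append(ch)
            else:
                if len(run) >= min_chars:
                    yield "".join(run)
                run = []
        if len(run) >= min_chars:
            yield "".join(run)


def flag_sensitive(strings: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (matched_fragment, full_string) pairs that look like credentials."""
    flagged: List[Tuple[str, str]] = []
    for s in strings:
        m = SENSITIVE_RE.search(s)
        if m:
            flagged.append((m.group(0), s))
    return flagged


def triage_blob(blob: bytes) -> List[Tuple[str, str]]:
    """Carve UTF-16LE strings from a file's bytes and flag the risky ones."""
    return flag_sensitive(extract_utf16_strings(blob))


# Constructed sample: harvested e-mail text wrapped in junk framing bytes.
SAMPLE = (b"\x00\x01\x02\x03"
          + "Hi Bob, the VPN password: hunter2 expires Friday".encode("utf-16-le")
          + b"\xff\xfe\x00\x00"
          + "Quarterly figures attached".encode("utf-16-le")
          + b"\x00")

if __name__ == "__main__":
    for fragment, full in triage_blob(SAMPLE):
        print(f"[!] {fragment!r} in {full!r}")
    for path in find_waitlist(r"C:\Users"):
        with open(path, "rb") as fh:
            hits = triage_blob(fh.read())
        print(f"{path}: {os.path.getsize(path)} bytes, {len(hits)} flagged strings")
```

On a live machine, run it as an administrator so every profile directory is readable, and treat a non-empty flagged list as a prompt to rotate those credentials, not as proof of compromise: the file is populated by the indexer from documents the user legitimately owns.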


Bloat

Rob Slade <rmslade@shaw.ca>
Wed, 19 Sep 2018 12:20:30 -0700
Before I "upgraded" to Windows 10 (yeah, I seriously regret it ...) my
editor of choice was Word Perfect.  Version 4.2.  For those of you not old
enough to understand that, it was written in 1985.  I used it for 30 years.
It worked just fine.

It was, as far as I know, the last commercial program to be code optimized.

So I have great sympathies with this fellow who is disenchanted with our
current bloated software practices.  http://tonsky.me/blog/disenchantment/

Lest you think this is just another rant from an old IT curmudgeon, it does
have a security point.  Complexity is the enemy of security.  It's not just
that now, in order to run these bloated applications, we have to have
multi-core CPUs that are subject to race conditions
https://community.isc2.org/t5/Industry-News/The-Spectre-of-multi-core-CPUs/m-p/10827
or https://is.gd/Asvvhx
or give away secret information.
https://community.isc2.org/t5/Industry-News/Foreshadowing-the-end-of-computing-as-we-know-it/m-p/13822
or https://is.gd/O2Jfrb
It's having to have 150 megabyte programs just to draw a keyboard on a
screen.  (Yes, I know we get autocorrect thrown in.  Not everyone considers
that a benefit.)  http://www.damnyouautocorrect.com/
When we used to have viruses that clocked in at hundreds of bytes (and, yes,
I know even malware has gotten bloated these days) how much damage can you
do with that much space to hide in?

It follows that their demolitions of the White House, Los Angeles, Sydney
Opera House, and so on were probably not intended as conquering tactics,
merely assertions of good taste - Verity Stob victoria.tc.ca/techrev/rms.htm

http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade


How to Keep Forever the Music, Movies or Ebooks You 'Buy' on Amazon or iTunes

Gabe Goldberg <gabe@gabegold.com>
Mon, 17 Sep 2018 20:02:36 -0400
More griping...
http://screencrush.com/you-dont-own-your-itunes-movies/
https://theoutline.com/post/6167/apple-can-delete-the-movies-you-purchased-without-telling-you

And the real story:
https://www.cnet.com/news/no-apple-didnt-delete-that-guys-movies-heres-what-really-happened/

Bottom line:

Though his tweets went viral
<https://twitter.com/drandersgs/status/1039270646243414016> and he did chat
with Apple Support, the company didn't delete or actively "remove" the movies
that disappeared from Anders Gonçalves da Silva's iTunes library and his
devices. It seems to have been a more complicated mix-up, based on the fact
that da Silva moved his residence from one country to another.


Re: "Are Digital Devices Altering Our Brains?" (RISKS-30.83)

Gene Wirchenko <genew@telus.net>
Wed, 19 Sep 2018 10:41:08 -0700
Let me add to the mix.

In one of the courses on my Bachelor of Computing Science, we were required
to give a presentation.  Mine was entitled "The Worldwide Web / An
Invitation to Stupidity".  I found a lot of material.
