The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 36

Monday 12 August 2019

Contents

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
WiReD
This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'
WiReD
"New Windows malware can also brute-force WordPress websites"
Catalin Cimpanu
Getting physical: warshipping
Fortune
These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
VICE
Inside the Hidden World of Elevator Phone Phreaking
WiReD
Popular kids' tablet patched after flaws left personal data vulnerable
Danny Palmer
Watch a Drone Take Over a Nearby Smart TV
WiReD
5G Wireless Networks Are Not Harmful to Health, FCC Says
Fortune
Phishing attack: Students' personal information stolen in university data breach
Danny Palmer
Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects Touchscreen Controls
USNI News
This High-Tech Solution to Disaster Response May Be Too Good to Be True
The New York Times
Scam pulse-monitoring app returns to Apple Store
Ben Lovejoy
He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets
Bloomberg
GDPR's unintended consequences
The Register
Black Hat: GDPR privacy law exploited to reveal personal data
BBC News
Password policy recommendations: Here's what you need to know.
HPE
Re: Russian hackers are infiltrating companies via the office printer
Kelly Bert Manning
Climate change: how the jet stream is changing your weather
FT
Re: AI Predictive Policing
George Jansen
Re: Hawley/SMART Act
Rob Slade
Dimitri Maziuk
Re: Apple's Siri overhears your drug deals and sexual activity
Amos Shapir
Re: Siemens contractor pleads guilty to planting logic bomb in company, spreadsheets
Martin Ward
Researchers wrest control of one of world's most secure industrial controllers
The Times of Israel
Writing about writing
Rob Slade
Info on RISKS (comp.risks)

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 8 Aug 2019 23:36:06 -0400
But Boeing counters that it has both "additional protection mechanisms" in
the CIS/MS that would prevent its bugs from being exploited from the ODN,
and another hardware device between the semi-sensitive IDN—where the
CIS/MS is located—and the highly sensitive CDN. That second barrier, the
company argues, allows only data to pass from one part of the network to the
other, rather than the executable commands that would be necessary to affect
the plane's critical systems.

"Although we do not provide details about our cybersecurity measures and
protections for security reasons, Boeing is confident that its airplanes are
safe from cyberattack," the company's statement concludes.

Boeing says it also consulted with the Federal Aviation Administration and
the Department of Homeland Security about Santamarta's attack. While the DHS
didn't respond to a request for comment, an FAA spokesperson wrote in a
statement to WIRED that it's "satisfied with the manufacturer's assessment
of the issue."

https://www.wired.com/story/boeing-787-code-leak-security-flaws/

...or not.


This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station' (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 10 Aug 2019 23:24:51 -0400
Automatic license plate reader cameras are controversial enough when law
enforcement deploys them, given that they can create a panopticon of transit
throughout a city. Now one hacker has found a way to put a sample of that
power—for safety, he says, and for surveillance—into the hands of
anyone with a Tesla and a few hundred dollars to spare.

https://www.wired.com/story/tesla-surveillance-detection-scout/


"New Windows malware can also brute-force WordPress websites" (Catalin Cimpanu)

Gene Wirchenko <gene@shaw.ca>
Wed, 07 Aug 2019 10:53:43 -0700
Catalin Cimpanu for Zero Day | 7 Aug 2019
Avast discovers strange new malware strain that besides stealing and
mining cryptocurrency on infected hosts, it also launches brute-force
attacks on WordPress sites.
https://www.zdnet.com/article/new-windows-malware-can-also-brute-force-wordpress-websites/


Getting physical: warshipping (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 10 Aug 2019 23:46:31 -0400
IBM researchers are hyping a new hacking technique called "warshipping" that
involves breaking into corporate networks using a cheap Wi-Fi device sent in
the mail.
<https://click.newsletters.fortune.com/?qs=8ca880a24f65b13bbf1097ec6804d32f1ffb7de5935835a13584039deae81cfe53c9ee23603bed92fc636294f47dfb2778c1a3aa2eeb7fc6>

A hacker has turned a Tesla vehicle into a mobile surveillance station
capable of storing facial imagery and license plate numbers. Elevator phone
phreaking is the latest hacker fad.
<https://click.newsletters.fortune.com/?qs=8ca880a24f65b13b7662e50aa5a2d43d15fba0902b481d798855677ffbd570785ab461d582afc4e165f52882da362bd2502daba18beb92f3>
<https://click.newsletters.fortune.com/?qs=8ca880a24f65b13b6e83f3afdc450e002267ca04e8cbf3f0e32231b5db7100e9038d360436e6baeeb540aa22fe1f438db6cf381e823afe53>

...from Fortune magazine newsletter.


These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer (VICE)

Gabe Goldberg <gabe@gabegold.com>
Mon, 12 Aug 2019 17:53:56 -0400
It looks like an Apple lightning cable. It works like an Apple lightning
cable.  But it will give an attacker a way to remotely tap into your
computer.

https://www.vice.com/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer


Inside the Hidden World of Elevator Phone Phreaking (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 10 Aug 2019 23:22:02 -0400
Author writes:

  The first time I called into an elevator, I picked up my iPhone and dialed
  the number, labeled on my list as the Crown Plaza Hotel in Chicago, and
  immediately heard two beeps, then a recording of a woman's voice, who told
  me to press one to talk. When I did, I was suddenly in aural space filled
  with the hum of motors and the muffled twanging of steel cables under
  tension. "Hello, can anyone hear me?" I asked the void. The void did not
  respond.

  I hung up and tried another number on my list: A Hilton hotel in Grand
  Rapids, Michigan. After just one ring I heard a series of four tones and
  was immediately listening to the inside of another elevator. I heard a
  chime, perhaps a signal that it had reached a floor, followed by the
  rumble of what might have been a door opening. "Hi, is anyone in here?"  I
  asked. This time I heard a few muffled voices, then a woman answered:
  "There are people in here, yes."

https://www.wired.com/story/elevator-phone-phreaking-defcon/


Popular kids' tablet patched after flaws left personal data vulnerable (Danny Palmer)

Gene Wirchenko <gene@shaw.ca>
Wed, 07 Aug 2019 10:31:38 -0700
Danny Palmer, ZDNet, 7 Aug 2019
Researchers also found security holes that gave away personal data and
credit card information of children's parents.
https://www.zdnet.com/article/popular-kids-tablet-patched-after-flaws-left-personal-data-vulnerable/

selected text:

Security vulnerabilities in a popular children's tablet could have allowed
attackers to collect sensitive information about its young users, as well as
enabling hackers to steal their parents' names, address and credit card
details.

In addition to this, researchers found that the Pet Chat protocol didn't
require any authentication between devices, meaning anyone running Pet Chat
within 100ft of a user could send messages to the child's device, albeit in
the set phrases allowed by Pet Chat, something that could potentially put
the child at risk.


Watch a Drone Take Over a Nearby Smart TV (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 12 Aug 2019 17:58:31 -0400
For all the focus on locking down laptops and smartphones, the biggest
screen in millions of living rooms remains largely unsecured
<https://www.wired.com/2017/03/worried-cia-hacked-samsung-tv-heres-tell/>,
even after years of warnings
<https://www.wired.com/2017/02/smart-tv-spying-vizio-settlement/>. Smart TVs
today can fall prey to any number of hacker tricks—including one
still-viable radio attack, stylishly demonstrated by a hovering drone.

At the Defcon hacker conference Sunday, independent security researcher
Pedro Cabrera showed off, in a series of hacking proof of concept attacks,
how modern TVs—and particularly smart TVs that use the Internet-connected
HbbTV standard implemented in his native Spain, across Europe, and much of
the rest of the world—remain vulnerable to hackers. Those techniques can
force TVs to show whatever video a hacker chooses, display phishing messages
that ask for the viewer's passwords, inject keyloggers that capture the
user's remote button presses, and run cryptomining software. All of those
attacks stem from the general lack of authentication in TV networks'
communications, even as they're increasingly integrated with Internet
services that can allow a hacker to interact with them in far more dangerous
ways than in a simpler era of one-way broadcasting.

"The lack of security means we can broadcast with our own equipment anything
we want, and any smart TV will accept it," Cabrera says. "The transmission
hasn't been at all authenticated. So this fake transmission, this channel
injection, will be a successful attack."

https://www.wired.com/story/smart-tv-drone-hack/


5G Wireless Networks Are Not Harmful to Health, FCC Says (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Fri, 9 Aug 2019 15:36:27 -0400
The Feds Try To End the Debate Over 5G Health Concerns (Fortune Data Sheet)

It's the question everyone wants to go away: are 5G wireless networks safe
or are they a risk to human health?

On Thursday, the Federal Communications Commission and the Food and Drug
Administration tried to put the question to bed once more. The FCC announced
it would hold its radio frequency exposure limits for cell phones, cellular
towers, and other wireless gear at current levels. The use of some new
frequencies as part of the 5G rollout did not change the situation, the
agency said. After a review of the scientific record and consultations with
health agencies, "we find it appropriate to maintain the existing radio
frequency limits, which are among the most stringent in the world for cell
phones," Julius Knapp, chief of the FCC's Office of Engineering and
Technology, said. That came backed with excerpted comments from Jeffrey
Shuren, director of the Food and Drug Administration's Center for Devices
and Radiological Health. The "available scientific evidence to date does
not support adverse health effects in humans due to exposures at or under
the current limit" and "[n]o changes to the current standards are
warranted at this time," Shuren explained in a letter cited in part by the
FCC.

That's also the same conclusion that the scientific association the
Institute of Electrical and Electronics Engineers, or IEEE, came to back in
February, when it completed a review of recommended exposure limits and also
agreed to maintain them at current levels.

But the announcements are unlikely to end the debate
<https://fortune.com/2019/05/22/health-concerns-5g-cellphones-cancer/>.
Worriers can point to a few studies and the decision by the World Health
Organization's International Agency for Research on Cancer to classify
cellular radio waves as a possible carcinogen back in 2011. And countries
like Belgium and Switzerland have delayed 5G networks over health concerns.
On the other side, research from the American Cancer Society and the
National Institutes of Health, among others, have concluded there are no
risks.  And so round it goes. The WHO has a vast, new study underway that,
perhaps, will offer a more definitive result.  For a truly deep dive, check
out the page maintained by the National Cancer Institute on cell phones and
cancer research
<https://www.cancer.gov/about-cancer/causes-prevention/risk/radiation/cell-phones-fact-sheet>.

https://fortune.com/2019/08/09/the-feds-try-to-end-the-debate-over-5g-health-concerns-data-sheet/


Phishing attack: Students' personal information stolen in university data breach (Danny Palmer)

Gene Wirchenko <gene@shaw.ca>
Wed, 07 Aug 2019 10:26:47 -0700
Danny Palmer, ZDNet, 23 Jul 2019

University says it has fallen victim to a "a sophisticated and malicious
phishing attack"—and students are being warned to look out for suspicious
emails.
https://www.zdnet.com/article/phishing-attack-students-personal-information-stolen-in-university-data-breach/

Hackers have stolen personal data of prospective and current students at
Lancaster University after gaining access to databases that contained
personal information—with victims now the targets of additional
cyberattacks.

Names, addresses, telephone numbers, and email addresses have been
compromised by cyberattackers who gained unauthorised entry to undergraduate
students' application records for 2019 and 2020. The university has over
13,000 students, but there's currently no figure on the number of people who
have been caught up in the attack.


Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects Touchscreen Controls (USNI News)

Gabe Goldberg <gabe@gabegold.com>
Mon, 12 Aug 2019 17:51:04 -0400
SAN DIEGO -- The Navy will begin reverting destroyers back to a physical
throttle and traditional helm control system in the next 18 to 24 months,
after the fleet overwhelmingly said they prefer mechanical controls to
touchscreen systems in the aftermath of the fatal USS John S. McCain
(DDG-56) collision.

The investigation into the collision showed that a touchscreen system that
was complex and that sailors had been poorly trained to use contributed to a
loss of control of the ship just before it crossed paths with a merchant
ship in the Singapore Strait. After the Navy released a Comprehensive Review
related to the McCain and the USS Fitzgerald (DDG-62) collisions, Naval Sea
Systems Command conducted fleet surveys regarding some of the engineering
recommendations, Program Executive Officer for Ships Rear Adm. Bill Galinis
said.

https://news.usni.org/2019/08/09/navy-reverting-ddgs-back-to-physical-throttles-after-fleet-rejects-touchscreen-controls

Nice work on testing design, getting user input...

...and funny juxtaposition:

https://www.wired.com/story/gesture-controls-phones-samsung-lg-google/


This High-Tech Solution to Disaster Response May Be Too Good to Be True (The New York Times)

Richard Stein <rmstein@ieee.org>
Sat, 10 Aug 2019 09:52:00 -0700
https://www.nytimes.com/2019/08/09/us/emergency-response-disaster-technology.html

Emergency response simulation, for sale, adopted by several municipalities
(and at least one country, Japan) to optimize first responder resource
allocation and prioritization. The `One Concern' AI platform relies on
residential census data.

As noted in the NY Times piece:

"But when T.J. McDonald, who works for Seattle's office of emergency
management, reviewed a simulated earthquake on the company's damage
prediction platform, he spotted problems. A popular big-box store was grayed
out on the web-based map, meaning there was no analysis of the conditions
there, and shoppers and workers who might be in danger would not receive
immediate help if rescuers relied on One Concern's results.

"'If that Costco collapses in the middle of the day, there's going to be a
lot of people who are hurt,' he said."

The US census collects household income data. This component might be
accorded greater algorithmic weight. Similarly, what would happen to
disaster response prioritization if crime statistics, such as homicide rate,
were integrated? Or if there's an EPA superfund site in the locality?

Algorithmic bias remains a significant risk to public safety and health.
Trust that dedicated public servants, like Mr. McDonald, are vigilant and
accountable to direct emergency response where and when disaster strikes.


Scam pulse-monitoring app returns to Apple Store (Ben Lovejoy)

George Mannes <gmannes@gmail.com>
Wed, 7 Aug 2019 12:05:06 -0400
  [Fiendishly clever, or cleverly fiendish:]

  https://9to5mac.com/2019/08/07/scam-heartrate-app/

Ben Lovejoy
Scam heart rate app is back in the App Store, trying to steal $85/year

A scam heart rate app that tried to con iPhone users out of $89/year is now
back in the App Store under a new name, some eight months after Apple
removed the original version.

The app specifically targets people who own iPhones with Touch ID.

What the app does is ask users to place their finger on the Home button,
supposedly to take a heart-beat reading. In reality, the app dims the
display brightness to its minimum to hide the content—which is actually
Apple's dialogue requesting authorization for a recurring in-app purchase.
If users place a registered Touch ID finger on the Home button, that
completes the purchase.

Apple removed the app in November of last year following our report, but
Brazil's Mac Magazine reports that it has now returned. ...

Now the app presents itself as `Pulse Heartbeat' and its developer is
registered as BIZNES-PLAUVANNYA, PP.

The in-app purchase is now for 340 Brazilian reals, which is equivalent to
around US$85. As before, the app is targeting Portuguese speakers. ...

The reality [no pun intended?] is that the app review process is a manual
one, and prone to human error. Scammers will usually submit an innocuous app
and then update it with rogue code after approval. Although Apple reviews
updates too, there is a general belief that this review is less thorough
than for a new app.

The report does show that even in a curated app store, there are still
risks. ...


He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Sat, 10 Aug 2019 00:44:45 -0400
Avoiding digital snoops takes more than throwing money at the problem,
but that part can be really fun.

https://www.bloomberg.com/news/features/2019-08-08/i-tried-hiding-from-silicon-valley-in-a-pile-of-privacy-gadgets


GDPR's unintended consequences (The Register)

Steven Klein <steven@klein.us>
Fri, 9 Aug 2019 13:33:14 -0400
GDPR, the EU's General Data Protection Regulation, is supposed to protect
personal data and user privacy for EU citizens.  But it has made life
much easier for identity thieves. The law obligates companies to provide a
copy of any personal data they have, but doesn't require companies to verify
the identity of those requesting the info.

"James Pavur, a PhD student at Oxford University who usually specialises in
satellite hacking, explained how he was able to game the GDPR system to get
all kinds of useful information on his fiancée [with her permission],
including credit card and social security numbers, passwords, and even her
mother's maiden name. [...] Over the space of two months Pavur sent out 150
GDPR requests in his fiancée's name, asking for all and any data on her. In
all, 72 per cent of companies replied back, and 83 companies said that they
had information on her.  ...  Of the responses, 24 per cent simply accepted
an email address and phone number as proof of identity and sent over any
files they had on his fiancée."

"A threat-intelligence company sent over a list of her email addresses and
passwords which had already been compromised in attacks. Several of these
still worked on some accounts."

Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>


Black Hat: GDPR privacy law exploited to reveal personal data (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Thu, 8 Aug 2019 17:51:23 -0400
About one in four companies revealed personal information to a woman's
partner, who had made a bogus demand for the data by citing an EU privacy
law.

The security expert contacted dozens of UK and US-based firms to test how
they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account
logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings
at the Black Hat conference in Las Vegas.

It is the first known test of its kind to exploit the EU's General Data
Protection Regulation (GDPR), which came into force in May 2018.

"Generally if it was an extremely large company—especially tech ones --
they tended to do really well," he told the BBC.

"Small companies tended to ignore me."

https://www.bbc.com/news/technology-49252501

  [Also noted by others. PGN]


Password policy recommendations: Here's what you need to know. (HPE)

Gabe Goldberg <gabe@gabegold.com>
Tue, 6 Aug 2019 19:42:26 -0400
Complexity, uniqueness, and periodic change have long been the top best
practices for passwords, but new recommendations have led to changes around
password policies.

https://www.hpe.com/us/en/insights/articles/password-policy-recommendations-heres-what-you-need-to-know-1908.html


Re: Russian hackers are infiltrating companies via the office printer (RISKS-31.35)

Kelly Bert Manning <bo774@freenet.carleton.ca>
Thu, 8 Aug 2019 13:06:33 -0400
Russia may be a new player, but I first became concerned about printer
hacking when I read the manuals for the shiny new IP connected Lexmark
printers that replaced PC connected and IBM SNA printers back in the 1990s.
I contacted IT security to note that the printers came from the factory with
a standard remote admin login ID and password, suggesting that it might be
wise to change those.

The response was Move Along, Nothing to Worry About Here, even from BC
Ministry of Health IT security.

Fast forward a couple of years and all Lexmark printers in the Ministry have
to be disconnected, shut down and purged of a Lexmark Virus.

Things like that happened often enough that new staff were advised to always
stay on my right side, although my view was that sometimes I found it a
challenge to be influential and persuasive, in addition to being correct.
White Hat Social Engineering, persuading and influencing people to make the
correct choice, can be as important as having the best analysis, solution or
mitigation.


Climate change: how the jet stream is changing your weather (FT)

the keyboard of geoff goodfellow <geoff@iconia.com>
Tue, 6 Aug 2019 14:25:36 -1000
*Northern Atlantic current is shifting course—with implications for crops
and sea levels*

EXCERPT:

At the summit of the Greenland ice cap the temperature rarely rises above
zero degrees centigrade—the elevation is 3,200m and the ice below is more
than a mile thick.

But last Friday, as the sun beat down, a small weather station laden with
sensors captured something highly unusual: the temperature crept past zero
and up to 3.6C—the highest since records began three decades ago.  As
temperatures rose across the massive ice sheet, which blankets an area five
times the size of Germany, around 60 per cent of the surface started to
melt, one of the largest ever recorded.

Scientists know of only three prior occasions in the past 800 years when
there has been melting at the very top of the ice cap, which is kept chilled
by the large volume of ice beneath. But this seems to be getting more
frequent—it is now the second time this decade it has happened.

"The last time we saw melting at the summit, in 2012, we thought it was the
extreme of the extremes, and wouldn't happen again so quickly," says Konrad
Steffen, a professor of climate and cryosphere at ETH Zurich, who operates a
network of 18 monitoring stations across the ice sheet.  "But now we are
facing more of these extremes."

Prof Steffen's data shows that between July 30 and August 2 a heatwave in
Greenland produced several record highs across the ice sheet, including at
East Grip, the second highest monitoring station.  "If you start melting at
the top of the ice sheet, we are going to lose [the] Greenland ice sheet
long-term," he adds.

The immediate trigger for the heatwave was a shift in atmospheric currents
high above the earth's surface: the North Atlantic Jet Stream, a fast
current of wind that blows from west to east, had formed a buckle that was
trapping warm air over Greenland. The same pattern had caused a
record-setting heatwave in Europe a few days earlier, before shifting over
to sit on top of the Greenland ice sheet.

It's not just Greenland's weather that is governed by the jet stream.
Across Europe and North America, it controls extreme weather conditions of
all kinds, from winter cold snaps, to heatwaves, to storms...

https://www.ft.com/content/591395fe-b761-11e9-96bd-8e884d3ea203


Re: AI Predictive Policing

George Jansen <gjansen@aflcio.org>
Tue, 6 Aug 2019 18:36:29 -0400
When this started making the news, I found myself thinking of entry 66 in
Notebook F of Lichtenberg's *The Waste Books*:

  "If physiognomy becomes what Lavater expects it to become, children will
  be hanged before they have perpetrated the deeds that deserve the gallows;
  a new kind of confirmation will thus be performed every year. A
  physiognomical *auto-da-fe*."

(There are slighting references to Lavater elsewhere in *The Waste Books*,
which NYRB has brought back into print:
https://www.nyrb.com/collections/all/products/the-waste-books?variant=1094932745)


Re: Hawley/SMART Act (Stein/Goldberg, RISKS-31.35)

Rob Slade <rmslade@shaw.ca>
Tue, 6 Aug 2019 15:44:21 -0700
Saints preserve us from "well-intentioned" politicians.  This time around
it's Josh Hawley, who wants to save us from social media addiction.  I don't
know anything about him.  Wikipedia seems to indicate that he's a nice guy
(except for that bit about not wanting people to have health care).  OK, I'm
with him so far.  But the way he wants to do it is to make a simple fix.
(Saints preserve us from "simple" solutions to complex problems.)  He wants
to limit how much "feed" you can get from a social media site on one go.
Also limit your time on any given site to half an hour a day.  (Ah, gee,
Dad!)

Right.  I think I see the problem here.  You see, Hawley is a lawyer.
Lawyers have to go to law school, so they are fairly smart.  And they help
people with problems, so they like to fix problems.  All good so far.  The
problem is that lawyers get used to thinking they are smarter than other
people (which is generally true), and that they can fix pretty much any
problem (which is not true).  In particular, they tend to start thinking
they can start fixing problems they don't know anything about, especially
when they pupate out of the larval (lawyer) stage and into full-grown
politicians.

See, having a limit on how much socmed you can get in one go probably won't
solve anything.  And it's going to be a nuisance for many.  Yesterday I had
a meeting downtown.  So, since I use Twitter for news, I went to my favorite
bus stop, fired up Twitter, scrolled down as far as I could go, hopped on
the 210 when it came, and noted which stories I wanted to read (later) all
the way to the meeting.  Which usually takes an hour.  It would have been
annoying to be limited to enough to cover just a few blocks.  Not very
effective use of my time.

(Nor, when I come to think of it, very possible.  I mean, I was only "on"
Twitter for the few minutes it took to load the feed.  Is he going to make
Twitter, and all other apps, cut off after being on screen for 30 minutes?
How's that going to work for people with perceptual disabilities, who need
more time to read things?)

And the sweet young thing beside me, following all of her friends and their
latest "haul" videos, is not going to be limited by having to refresh the
screen every few entries.  She's doing that anyway.  It just means that
she's going to be refreshing the screen at some point when she should be
watching for that car coming through the intersection where she's crossing
the street.  Plus, after she gets finished with Instagram, she'll be onto
WhatsApp, and then Facebook, and then ... well, you get the picture.

Sorry, Josh.  You haven't solved anything.


Re: Hawley/SMART Act (Stein/Goldberg, RISKS-31.35)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 6 Aug 2019 16:24:21 -0500
> ... infinite scroll would be illegal, as would autoplay videos.

Great! I will once again be able to see how much content there is on a page
by just looking at the scroll bar. And it won't distract my eyes and waste
bandwidth on the junk I never wanted to see in the first place.


Re: Apple's Siri overhears your drug deals and sexual activity (RISKS-31.35)

Amos Shapir <amos083@gmail.com>
Wed, 7 Aug 2019 18:00:03 +0300
In other words, never discuss SIRIous matters (or a TV SERIes, etc, etc..)
when Siri is present.


Re: Siemens contractor pleads guilty to planting logic bomb in company, spreadsheets (RISKS-31.35)

Martin Ward <martin@gkc.org.uk>
Fri, 9 Aug 2019 12:03:57 +0100
Two quotes from the ZDNet article:

> But while Tinley's files worked for years, they started malfunctioning
> around 2014.  Every time the scripts would crash, Siemens would call
> Tinley, who'd fix the files for a fee.

It seems that if you work for Siemens, the poorer the quality of the work
you produce, the more you will get paid.  Just don't try to get too clever
and use automation to emulate poor quality work: or at least, if you do,
don't hand over the administrative password. You don't want your customer to
gain control over the software which runs *their* business!

If you are wondering why there is so much poor quality software
out there: an ecosystem which gives higher rewards for poorer quality
might possibly be a contributor!

At least this particular contractor didn't try to use plausibly deniable
bug injection: cf the "Underhanded C Contest"
https://en.wikipedia.org/wiki/Underhanded_C_Contest


Researchers wrest control of one of world's most secure industrial controllers (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Thu, 8 Aug 2019 23:31:31 -0400
"Siemens is aware of the research from Technion, Haifa and Tel-Aviv
University to be presented at BlackHat USA 2019," Siemens said in an emailed
statement to The Times of Israel.

In response, the firm recommended that users of the controller SIMATIC
S7-1200/S7-1500 enable the feature `access protection' to prohibit
unauthorized modifications of the devices. Siemens also recommended to
follow and implement the defense-in-depth approach for plant operations, and
to configure the environment according to its operational guidelines for
Industrial Security.

https://www.timesofisrael.com/researchers-wrest-control-of-one-of-worlds-most-secure-industrial-controllers/

Good response, "prohibit unauthorized modifications of the devices".


Writing about writing

Rob Slade <rmslade@shaw.ca>
Thu, 8 Aug 2019 14:44:49 -0700
I came across a post on the ISC2 blog.  It's an article by Chris Veltsos
(*Dr.* Chris Veltsos, if you please, or, to his friends, Dr. Infosec) on
"Writing Cybersecurity Articles--Getting Through the Tough Times."  As the
title somewhat implies, it's about how to get through writer's block when
writing about infosec.
https://blog.isc2.org/isc2_blog/2019/08/writing-cybersecurity-articles-getting-through-the-tough-times.html

I'm really not sure how to take this.

First off, if you work in infosec, you pretty much automatically have the
best inspiration in the world.  There is always something new happening in
infosec.  There is always something new happening that is applicable to
infosec.  Techies, in various fields, are always arguing about which field
in high tech is the fastest moving.  I figure infosec has a lock on it:
whatever is happening, in whatever tech field, has security implications.

As a bit of background, I've published four books.  (Or six, depending on
how you count them.)  Over the years I've written monthly columns for at
least three periodicals.  For twenty years I had a project doing books
reviews in technical literature.  (Always at least weekly: often daily.)
I've abandoned a number of blogs.  Since I got into infosec I have *never*
run out of things to write about.  I don't have the *time* to write about
everything I want to.  (I desperately want voice recognition to get good
enough to take dictation.)

I don't understand "writer's block."  I don't understand dry spells.
(Fatigue, I could understand ...)

So, then, to the specifics of what Chris has to say about it.

He says you need motivation.  (And aqueducts, apparently.)  Oh, come on.
You work in infosec.  You are saving people's privacy, money, jobs.  Your
colleagues, your friends, your family.  How is that not enough motivation?
(Yeah, sure, the stupid things your colleagues, friends, and family do is
sometimes depressing.  So, take some time to yell at them via your writing
...)

He says you need to think about why you are writing.  Sorry, isn't that the
same thing as your motivation?  (Oh, unless you are just writing for
self-promotion.  Yeah, I could see how that could get pretty dry at times
...)

He says you need to think about your writing "environment."  Yeah, I hear
about that all the time.  Saw a movie last night that had a writer who
couldn't write without everything just so in the "environment."  Again,
while I understand that having the building collapsing around you could be a
distraction, I don't understand this "environment" business.  I've written
at home, on planes, in airports, on trains, at work between demands, on the
bus, in coffee shops and restaurants, in hotels, and while waiting to be
called to testify in court.  You're writing about infosec.  It needs to be
done.

He says you should think about pen and paper, if a computer doesn't do it
for you.  OK, if necessary.  I mostly use a computer, or laptop, or
something with a keyboard.  I've used tablets and smartphones.  (I *hate*
soft keyboards.)  I've used pen (or even pencil) and paper.  (My handwriting
is terrible.  Always has been.)  (But I've always wanted to try out those
pens that save what you've written ...)  I've used whiteboards, blackboards,
chalk, or a piece of burnt stick on a rock.  Whatever works.

His last three suggestions are, basically, give it a rest and come back to
it.  OK.  I've often got multiple bits on the go, so I might leave one for a
time and concentrate on others.

But I'm writing about infosec.  There's too much to leave it for long ...
