
RISKS Digest 30.38

Monday 17 July 2017

A Solar Eclipse Could Wipe Out 9,000 Megawatts of Power Supplies

Bloomberg <geoff@cs.hmc.edu>

Date: Sun, Jul 16, 2017 at 6:29 PM

[via Dave Farber]

... a recurring but unexplained phenomenon keeps shutting down *all* solar power in the country for as much as 14 hours at a time. Scientists have not yet named the frightening event, although some have suggested adapting the French term "La nuit" or German's "Der Nacht".

Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/

Massachusetts tax system blocks payments, sends refunds in error

MassLive <monty@roscom.com>

Date: Sat, 15 Jul 2017 11:14:30 -0400

http://www.masslive.com/business-news/index.ssf/2017/07/massachusetts_tax_system_blocks_payments.html

The AlphaBay Takedown Sends Dark Web Markets Reeling

WiReD <monty@roscom.com>

Date: Sat, 15 Jul 2017 19:34:40 -0400

https://www.wired.com/story/alphabay-takedown-dark-web-chaos/

Not since the days of the now-legendary Silk Road has a single site dominated the dark web's black market as completely, and for as long, as the online bazaar known as AlphaBay. And with the news that the site has been torn down by a law enforcement raid -- and one of its leaders found dead in a Thai prison -- the dark web drug trade has fallen into a temporary state of chaos.


Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts

UpGuard <lauren@vortex.com>

Date: Fri, 14 Jul 2017 07:51:23 -0700

via NNSquad https://www.upguard.com/breaches/verizon-cloud-leak

The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra'anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes; Verizon, the nation's largest wireless carrier, uses NICE Systems technology in its back-office and call center operations. In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A.--another NICE Systems partner that services customers across Europe and Africa. Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket's URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts--an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

How Fake News Goes Viral -- Here's the Math

Scientific American <lauren@vortex.com>

Date: Fri, 14 Jul 2017 07:56:21 -0700

NNSquad https://www.scientificamerican.com/article/how-fake-news-goes-viral-mdash-heres-the-math/

Models similar to those used to track disease show what happens when too much information hits social media networks.

While Some Cry 'Fake,' Spotify Sees No Need to Apologize

The New York Times <monty@roscom.com>

Date: Sat, 15 Jul 2017 09:40:04 -0400

Spotify's playlists are dotted with hundreds of songs done by composers under pseudonyms, but the company says it is just soliciting music to meet demand. https://www.nytimes.com/2017/07/14/business/media/while-some-cry-fake-spotify-sees-no-need-to-apologize.html

Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest Malicious Campaigns Ever Recorded on a Social Network'

Gizmodo <lauren@vortex.com>

Date: Mon, 17 Jul 2017 10:37:03 -0700

via NNSquad http://gizmodo.com/nearly-90-000-sex-bots-invaded-twitter-in-one-of-the-la-1796985630

Last week, Twitter's security team purged nearly 90,000 fake accounts after outside researchers discovered a massive botnet peddling links to fake "dating" and "romance" services. The accounts had already generated more than 8.5 million posts aimed at driving users to a variety of subscription-based scam websites with promises of—you guessed it—hot Internet sex.

Elon Musk says preventing a 'fleet-wide hack' is Tesla's top security priority

Electrek <lauren@vortex.com>

Date: Mon, 17 Jul 2017 08:39:48 -0700

via NNSquad https://electrek.co/2017/07/17/tesla-fleet-hack-elon-musk/?utm_content=buffer304a1&utm_medium=social&utm_source=plus.google.com&utm_campaign=buffer

He followed with an interesting example of what someone could do with that kind of access: "In principles, if someone was able to say hack all the autonomous Teslas, they could say - I mean just as a prank - they could say 'send them all to Rhode Island' [laugh] - across the United States... and that would be the end of Tesla and there would be a lot of angry people in Rhode Island." And that's like a best case scenario. Musk continued with what Tesla is doing to try to prevent that: "We gotta make super sure that a fleet-wide is basically impossible and that if people are in the car, that they have override authority on whatever the car is doing. If the car is doing something wacky, you can press a button that no amount of software can override and ensure that you gain control of the vehicle and cut the link to the servers."

But governments will demand access to data from and control over autonomous vehicles, both individually and en masse, no matter what Musk or other manufacturers want. Autonomous vehicles represent the greatest potential for government control over individuals in the history of mankind.

Weekend Video Extra: A Prescient Warning re: AI and Robotics, from 1956!

Lauren Weinstein <lauren@vortex.com>

Date: Sat, 15 Jul 2017 09:27:56 -0700

https://www.youtube.com/watch?v=qtpRMsDuH74

Your pacemaker is spying on you

Mark Thorson <eee@sonic.net>

Date: Fri, 14 Jul 2017 21:45:35 -0700

It seems to me that any allegation that the pacemaker data is evidence of anything should require, at a minimum, establishment of a cause --> effect relationship published in peer-reviewed literature. Lacking that, it's just like tarot cards or something. http://www.bbc.com/news/technology-40592520

Leaping Kangaroos

Anthony Thorn <anthony.thorn@atss.ch>

Date: Sat, 15 Jul 2017 21:47:58 +0200

I am reluctant to question an Australian's statement about kangaroos, but surely a taller object would appear to be nearer than it really is?

Paper ballots

Tom Donilon <neumann@csl.sri.com>

Date: Sun, 16 Jul 2017 18:12:37 PDT

Tom Donilon, National Security Advisor 2010-2013, advocates for paper ballots in his opinion piece https://www.washingtonpost.com/opinions/russia-will-be-back-heres-how-to-hack-proof-the-next-election/2017/07/14/f085e870-67d5-11e7-a1d7-9a32c91c6f40_story.html?utm_term=.1be864cac68d

Tom Donilon, *The Washington Post*, 14 Jul 2017: Russia will be back. Here's how to hack-proof the next election. [PGN-ed]

Tom Donilon was national security adviser to President Barack Obama from 2010 to 2013. In 2016, he chaired the President's Commission on Enhancing National Cybersecurity.

We now know that Russian President Vladimir Putin ordered a comprehensive effort to interfere with the 2016 presidential election. This mission involved the cybertheft and strategic publication of politically sensitive emails, the placement and amplification of misinformation on social media, overt propaganda and efforts to penetrate the systems of dozens of state election authorities.

This is not speculation or political posturing; it is the public and high-confidence conclusion of the U.S. intelligence community. And it is wholly consistent with past Soviet and Russian use of active measures -- intelligence operations meant to shape an adversary's political decisions -- with the strategic goal of undermining the integrity of and confidence in the West. Modern technology has only increased the speed, scale and efficacy of such actions. This would be alarming even as a one-time occurrence, but as former FBI director James B. Comey recently warned, "They will be back."

The fact is that, so far, Putin has paid too small a price to meaningfully deter him in the future.

Here are five concrete steps the United States should take to meet this ongoing threat to our democracy:

First, President Trump must unequivocally acknowledge Russia's attack on the 2016 election and clearly state that any future attack on our democratic institutions will not be tolerated. [...]

Second, the Department of Homeland Security and the Election Assistance Commission (EAC) should lead a process to develop election baseline cybersecurity guidelines and help states implement these best practices. [...]

Third, we must develop a better system for sharing information between state and federal officials. While the U.S. election system is decentralized, the threats against it are not confined to state borders. [...]

Fourth, we must engage in a national policy discussion about the roles and responsibilities of our social media platforms and the steps they should take to protect our democracy from malign interference. [...]

Fifth, the United States should work within international forums to establish the principle that an attack on election systems violates the principles of noninterference and sovereignty and would justify a robust response. [...]

These are steps we can take to help secure the future of our democratic institutions in the cyber-age. We are on notice. We must act now.

To avoid cyberattacks, Israel urged to manually count election results

Haaretz <peter.neumann@sri.com>

Date: Mon, 17 Jul 2017 14:28:10 -0700

Middle East Monitor (Israel), Jul 14 2017 [PGN-ed] <https://www.middleeastmonitor.com/category/region/middle-east/israel/>

*Haaretz* reported yesterday that Israel's National Cyber Authority is expected to recommend the manual counting of votes in future elections in order to prevent cyberattacks, following recent attempts to meddle with elections in the West.

Formed 18 months ago, the authority is working on a defence plan against possible meddling in Israeli elections through cyberattacks similar to what recently took place in the United States, France and Ukraine. It will recommend that votes continue to be counted manually in Israel, as they always have, even if this is an outdated method.

However, *Haaretz* noted that other aspects of the election campaign and preparations for Election Day are also exposed to cyberattacks and need protection. Citing cyberexperts, they report that Israel is aware that countries and groups seek to disrupt Israeli elections, and that there is a growing risk they might succeed in their endeavour.

UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials

The Washington Post <monty@roscom.com>

Date: Sun, 16 Jul 2017 23:05:06 -0400

https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html

Re: Western tech firms bow to Russian demands to share cybersecrets

Martyn Thomas <martyn@thomas-associates.co.uk>

Date: Sat, 15 Jul 2017 16:31:43 +0100

Maybe I have forgotten the context of Youngman's email but I don't understand what point he is making. ALL engineering depends on mathematics, because math-based methods are far more likely to lead to dependable systems than using math-free methods. What methods would he recommend?

All reasoning depends on axioms. Does Youngman eschew reasoning?

https://www.gresham.ac.uk/professorships/it-professorship/

Re: DIY devices let car owners add autonomous features to vehicles

Simon Wright <simon@pushface.org>

Date: Sat, 15 Jul 2017 08:34:23 +0100

> Risks (totally unmentioned, and often left to the imagination of RISKS readers) might include (for example), ...

And probably invalidating your insurance.

Re: Funny how these articles are all the same

Jonathan Levine <jonathan.canuck.levine@gmail.com>

Date: Sat, 15 Jul 2017 16:29:30 -0600

No surprise here. Tapscott, a "futurist" (and now with his son), has a well-established history as an uncritical Internet cheerleader, and he's simply applying his MO to the Next Big Thing. Hard to sell books and get lecturing gigs otherwise.

Re: Press kits or other publications on thumb drives?

Kelly Bert Manning <Kelly.Manning@ncf.ca>

Date: Sat, 15 Jul 2017 17:47:11 -0400 (EDT)

> "How do you check out shrink-wrapped commercial thumb drives?"

The commercial antivirus installed on my home computer automatically scans any portable media connected via a USB port. The scan continues unless stopped explicitly.

Doing away with auto run was a good start.

That said, scanning only works for detectable malware.

Custom or low volume malware may evade scans for a long time, unless the people using it get stupid or the check monitors patterns of access to storage and network.

Michael Haephrati and his "clients" got caught when he used his custom malware to hack ex-relatives after a bitter divorce, then posted draft novel excerpts written by one of them on the web.

Ironically the novel portrayed police investigating IT crimes as unresponsive and ineffective. In life Israeli Law Enforcement action was timely and very effective. Life is not compelled to imitate Art.

http://www.networkworld.com/article/2344015/security/four-private-investigators-in-the-israeli-trojan-fiasco-sentenced--finally-.html https://www.theguardian.com/world/2005/may/31/israel https://en.wikipedia.org/wiki/Amnon_Jackont#Trojan_horse_exposure

Review: "Twitter and Tear Gas," by Zeynep Tufekci

Bruce Schneier <schneier@schneier.com>

Date: Sat, 15 Jul 2017 00:25:08 -0500

Bruce Schneier, CTO, IBM Resilient https://www.schneier.com/crypto-gram.html

Book Review: "Twitter and Tear Gas," by Zeynep Tufekci

There are two opposing models of how the Internet has changed protest movements. The first is that the Internet has made protesters mightier than ever. This comes from the successful revolutions in Tunisia (2010-11), Egypt (2011), and Ukraine (2013). The second is that it has made them more ineffectual. Derided as "slacktivism" or "clicktivism," the ease of action without commitment can result in movements like Occupy petering out in the US without any obvious effects. Of course, the reality is more nuanced, and Zeynep Tufekci teases that out in her new book "Twitter and Tear Gas."

Tufekci is a rare interdisciplinary figure. As a sociologist, programmer, and ethnographer, she studies how technology shapes society and drives social change. She has a dual appointment in both the School of Information Science and the Department of Sociology at University of North Carolina at Chapel Hill, and is a Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard University. Her regular "New York Times" column on the social impacts of technology is a must-read.

Modern Internet-fueled protest movements are the subjects of "Twitter and Tear Gas." As an observer, writer, and participant, Tufekci examines how modern protest movements have been changed by the Internet—and what that means for protests going forward. Her book combines her own ethnographic research and her usual deft analysis, with the research of others and some big data analysis from social media outlets. The result is a book that is both insightful and entertaining, and whose lessons are much broader than the book's central topic.

"The Power and Fragility of Networked Protest" is the book's subtitle. The power of the Internet as a tool for protest is obvious: it gives people newfound abilities to quickly organize and scale. But, according to Tufekci, it's a mistake to judge modern protests using the same criteria we used to judge pre-Internet protests. The 1963 March on Washington might have culminated in hundreds of thousands of people listening to Martin Luther King Jr. deliver his "I Have a Dream" speech, but it was the culmination of a multi-year protest effort and the result of six months of careful planning made possible by that sustained effort. The 2011 protests in Cairo came together in mere days because they could be loosely coordinated on Facebook and Twitter.

That's the power. Tufekci describes the fragility by analogy. Nepalese Sherpas assist Mt. Everest climbers by carrying supplies, laying out ropes and ladders, and so on. This means that people with limited training and experience can make the ascent, which is no less dangerous—to sometimes disastrous results. Says Tufekci: "The Internet similarly allows networked movements to grow dramatically and rapidly, but without prior building of formal or informal organizational and other collective capacities that could prepare them for the inevitable challenges they will face and give them the ability to respond to what comes next." That makes them less able to respond to government counters, change their tactics—a phenomenon Tufekci calls "tactical freeze"—make movement-wide decisions, and survive over the long haul.

Tufekci isn't arguing that modern protests are necessarily less effective, but that they're different. Effective movements need to understand these differences, and leverage these new advantages while minimizing the disadvantages.

To that end, she develops a taxonomy for talking about social movements. Protests are an example of a "signal" that corresponds to one of several underlying "capacities." There's narrative capacity: The ability to change the conversation, as Black Lives Matter did with police violence and Occupy did with wealth inequality. There's disruptive capacity: The ability to stop business as usual. An early Internet example is the 1999 WTO protests in Seattle. And finally, there's electoral or institutional capacity: The ability to vote, lobby, fund raise, and so on. Because of various "affordances" of modern Internet technologies, particularly social media, the same signal—a protest of a given size—reflects different underlying capacities.

This taxonomy also informs government reactions to protest movements. Smart responses target attention as a resource. The Chinese government responded to 2015 protesters in Hong Kong by not engaging with them at all, denying them camera-phone videos that would go viral and attract the world's attention. Instead, they pulled their police back and waited for the movement to die from lack of attention.

If this all sounds dry and academic, it's not. "Twitter and Tear Gas" is infused with a richness of detail stemming from her personal participation in the 2013 Gezi Park protests in Turkey, as well as personal on-the-ground interviews with protesters throughout the Middle East—particularly Egypt and her native Turkey—Zapatistas in Mexico, WTO protesters in Seattle, Occupy participants worldwide, and others. Tufekci writes with a warmth and respect for the humans that are part of these powerful social movements, gently intertwining her own story with the stories of others, big data, and theory. She is adept at writing for a general audience, and—despite being published by the intimidating Yale University Press—her book is more mass-market than academic. What rigor is there is presented in a way that carries readers along rather than distracting.

The synthesist in me wishes Tufekci would take some additional steps, taking the trends she describes outside of the narrow world of political protest and applying them more broadly to social change. Her taxonomy is an important contribution to the more-general discussion of how the Internet affects society. Furthermore, her insights on the networked public sphere have applications for understanding technology-driven social change in general. These are hard conversations for society to have. We largely prefer to allow technology to blindly steer society or -- in some ways worse -- leave it to unfettered for-profit corporations. When you're reading "Twitter and Tear Gas," keep current and near-term future technological issues such as ubiquitous surveillance, algorithmic discrimination, and automation and employment in mind. You'll come away with new insights.

Tufekci twice quotes historian Melvin Kranzberg from 1985: "Technology is neither good nor bad; nor is it neutral." This foreshadows her central message. For better or worse, the technologies that power the networked public sphere have changed the nature of political protest as well as government reactions to and suppressions of such protest.

I have long characterized our technological future as a battle between the quick and the strong. The quick—dissidents, hackers, criminals, marginalized groups—are the first to make use of a new technology to magnify their power. The strong are slower, but have more raw power to magnify. So while protesters are the first to use Facebook to organize, the governments eventually figure out how to use Facebook to track protesters. It's still an open question who will gain the upper hand in the long term, but Tufekci's book helps us understand the dynamics at work.

This essay originally appeared on Vice Motherboard. https://motherboard.vice.com/en_us/article/43dx3j/twitter-and-tear-gas-review

The book: https://www.twitterandteargas.org/ https://www.amazon.com/Twitter-Tear-Gas-Fragility-Networked/dp/0300215126/

Tufekci: https://twitter.com/zeynep https://www.nytimes.com/column/zeynep-tufekci