[27792] in RISKS Forum
Risks Digest 28.74
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Wed Jul 1 04:39:00 2015
From: RISKS List Owner <risko@csl.sri.com>
Date: Wed, 1 Jul 2015 1:38:55 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Wednesday 1 July 2015 Volume 28 : Issue 74
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.74.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Israel's comptroller: Biometric database full of flaws (Hanan Cohen)
Most Internet anonymity [VPN service] software leaks users' details (QMUL)
The latest RISKS items from TechWeekEurope (Werner U)
*The Washington Post* to Deploy More Secure HTTPS Across Site
(Gabe Goldberg)
WiFi Offloading is Skyrocketing (Werner U)
The sharp elbows of driverless cars (Mark Thorson)
"Sad day for developers: SCOTUS denies Google's appeal on APIs"
(Simon Phipps)
"Microsoft quietly pushes 17 new trusted root certificates to all
Windows systems" (Woody Leonhard)
"Tap your iPad to order: Restaurant automation nobody needs"
(Galen Gruman)
Automation dependency: Children of the Magenta (Henry Baker)
The Future of Car Keys? Smartphone Apps, Maybe (NYTimes)
ISIS and the Lonely Young American (NYTimes)
Leap Second problem (Bob Frankston)
Growing opposition to the Leap Second (Mark Thorson)
California mandatory vaccination harbinger of anti-virus software?
(Henry Baker)
Analyses of root causes? (Martyn Thomas)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 28 Jun 2015 08:34:50 +0300
From: Hanan Cohen <hanan@info.org.il>
Subject: Israel's comptroller: Biometric database full of flaws
Report says there is not enough information to determine whether the
data-gathering system is even worthwhile. Meanwhile, Interior Minister Shalom
orders extension of the trial period of the project.
http://www.haaretz.com/news/israel/.premium-1.662605
------------------------------
Date: Tue, 30 Jun 2015 07:57:36 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Most Internet anonymity [VPN service] software leaks users' details
QMUL via NNSquad
http://www.qmul.ac.uk/media/news/items/se/158459.html
The study of fourteen popular VPN providers found that eleven of them
leaked information about the user because of a vulnerability known as
'IPv6 leakage'. The leaked information ranged from the websites a user is
accessing to the actual content of user communications, for example
comments being posted on forums. Interactions with websites running HTTPS
encryption, which includes financial transactions, were not leaked. The
leakage occurs because network operators are increasingly deploying a new
version of the protocol used to run the Internet called IPv6. IPv6
replaces the previous IPv4, but many VPNs only protect users' IPv4
traffic. The researchers tested their ideas by choosing fourteen of the
most famous VPN providers and connecting various devices to a WiFi access
point which was designed to mimic the attacks hackers might use.
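The check a practitioner would want after reading this, as an added example that is not part of the QMUL study or of the post above: a script that reads the IPv6 routing table of a Linux host (the text of `ip -6 route show`, assumed here) and reports the routes through which IPv6 traffic would bypass the VPN tunnel. The tunnel interface name `tun0` and the three sample routing tables are assumptions; the tables are constructed, not captured from a real host, and use the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Added example (not from the QMUL study or any VPN vendor): detect the
# "IPv6 leakage" case, where the VPN client only took over the IPv4 default
# route and the access point's router advertisement installed an IPv6
# default route that sends dual-stack traffic around the tunnel.

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")          # Internet-routable IPv6
NON_FORWARDING = {"unreachable", "blackhole", "prohibit"}  # route types that drop traffic

def parse_ip6_routes(text):
    """Parse `ip -6 route show` lines into (dst, dev, metric, kind, raw_line)."""
    routes = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        kind = "unicast"
        if fields[0] in NON_FORWARDING:
            kind, fields = fields[0], fields[1:]
        dst = "::/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue                       # not a route line
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        # The kernel's default IPv6 route metric is 1024 when none is printed.
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 1024
        routes.append((net, dev, metric, kind, raw.strip()))
    return routes

def ipv6_leaks(text, tunnel_iface):
    """Return the route lines through which IPv6 traffic bypasses tunnel_iface.

    Reported: (1) the winning default route (lowest metric, as the kernel
    chooses it) if it forwards traffic and is not via the tunnel; an
    'unreachable ::/0' catch-all only helps when its metric beats the RA
    route; (2) any global-unicast prefix reachable via another interface,
    since traffic to that prefix never enters the tunnel at all.
    """
    routes = parse_ip6_routes(text)
    leaks = []
    defaults = sorted((r for r in routes if r[0].prefixlen == 0), key=lambda r: r[2])
    if defaults:
        best = defaults[0]
        if best[3] == "unicast" and best[1] != tunnel_iface:
            leaks.append(best[4])
    for net, dev, _metric, kind, line in routes:
        if (kind == "unicast" and net.prefixlen > 0
                and dev not in (tunnel_iface, "lo")
                and net.subnet_of(GLOBAL_UNICAST)):
            leaks.append(line)
    return leaks

# Constructed sample tables (assumed shape of `ip -6 route show`).
# LEAKY: VPN owns only IPv4; the RA on wlan0 installed a v6 default.
LEAKY = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
# HALF_FIXED: an 'unreachable' catch-all was added, but its metric (1024)
# loses to the RA default (600), so traffic still leaves via wlan0.
HALF_FIXED = LEAKY + "unreachable ::/0 dev lo metric 1024 pref medium\n"
# FIXED: the client routes ::/0 through tun0 with a better metric and no
# global prefix remains on wlan0.
FIXED = """\
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

if __name__ == "__main__":
    for name, table in (("LEAKY", LEAKY), ("HALF_FIXED", HALF_FIXED), ("FIXED", FIXED)):
        print(name, ipv6_leaks(table, "tun0") or "no IPv6 leak")
```

The HALF_FIXED table is the caveat worth remembering: dropping IPv6 with a blackhole or unreachable route only works when that route's metric beats the one the router advertisement installs, otherwise the kernel keeps using the access point as the IPv6 gateway. Run it against `ip -6 route show` output while connected to the VPN; an empty result for the tunnel interface means no IPv6 path around it.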
------------------------------
Date: Sun, 28 Jun 2015 23:05:16 +0200
From: Werner U <werneru@gmail.com>
Subject: The latest RISKS items from TechWeekEurope
(btw, the need for collaboration was the main point I made in a talk at the
FIRST conference in St. Louis in the early '90s)
IBM Security CTO: Cloud Security Needs Collaboration
<http://www.techweekeurope.co.uk/security/ibm-security-cto-cloud-collaboration-171387>
WATCH: Cloud security needs to go beyond transparency to keep up with
global coordinated attacks, according to IBM's Martin Borrett
Ben Sullivan <http://www.techweekeurope.co.uk/author/bsullivan>, June 26,
2015, 4:02 pm
Third Of British Firms Targeted By Ransomware
<http://www.techweekeurope.co.uk/e-regulation/british-firms-ransomware-171347>
New study reveals alarming number of British firms have been held to ransom
by hackers
Tom Jowitt <http://www.techweekeurope.co.uk/author/tjowitt>, June 26,
2015, 2:29 pm
Apple iPhones Hit With Blue Screen Of Death Bug
<http://www.techweekeurope.co.uk/mobility/apple-iphones-blue-screen-death-bug-171316>
T-Mobile users in the US take to the Internet to share their anger at
mystery outage
Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 26,
2015, 11:21 am
Seven-Day Healthcare? Good Luck Without Mobile
<http://www.techweekeurope.co.uk/mobility/mobile-apps/mubaloo-mobile-healthcare-smartphones-171384>
Mubaloo's Alana Saunders tells us why the NHS needs to embrace mobile
technology in order to provide a fuller service to patients
Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 26,
2015, 3:38 pm
Apple Co-Founder Wozniak Predicts AI Will Treat Humans As Pets
<http://www.techweekeurope.co.uk/e-innovation/apple-ai-humans-pets-171372>
Steve Wozniak changes his mind about artificial intelligence and predicts
benevolent machines
Tom Jowitt <http://www.techweekeurope.co.uk/author/tjowitt>, June 26,
2015, 2:32 pm
Have Password Management Services Been Hacked To Death?
http://www.techweekeurope.co.uk/security/password-management-hacked-171367
The recent LastPass breach has dented users' confidence in password
management firms
Duncan Macrae <http://www.techweekeurope.co.uk/author/dmacrae>, June 26,
2015, 12:54 pm
Cisco Patches Default SSH Key Virtual Appliance Vulnerabilities
<http://www.techweekeurope.co.uk/security/cisco-default-ssh-key-vulnerabilities-171354>
Cisco urges firms to download fix for flaw that could allow attackers to
gain access to systems and intercept traffic
Steve McCaskill <http://www.techweekeurope.co.uk/author/smccaskill>, June
26, 2015, 12:46 pm
Sophos IPO Values UK Security Firm at 1-billion pounds
http://www.techweekeurope.co.uk/security/sophos-ipo-security-london-171342
Eugene Kaspersky: Internet Of Things? More Like The Internet Of Threats
<http://www.techweekeurope.co.uk/networks/internet-of-things-security-kaspersky-171187>
Security icon sounds dire warning over the security of the Internet of
Things
Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 25,
2015, 1:53 pm
------------------------------
Date: Tue, 30 Jun 2015 17:37:00 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: *The Washington Post* to Deploy More Secure HTTPS Across Site
[Now if they'd only fix site navigation and search, it would be worthwhile
visiting...]
Washington, DC -- *The Washington Post* said on Tuesday it will become the
first major news publisher to deploy HTTPS, an Internet protocol that
encrypts data exchanged between browsers and websites, across both its
desktop and mobile sites. The company said the move will give site visitors
the same level of privacy and security as when they conduct e-commerce or
online banking. "We will be able to offer our more than 50 million readers
per month the peace of mind in knowing that their privacy and reading habits
are protected when they are on our site," said CIO Shailesh Prakash. The
Post's homepage, National Security section and The Switch technology policy
blog will be the first to move to HTTPS, with the rest of the site migrating
in the coming months.
https://www.washingtonpost.com/pr/wp/2015/06/30/the-washington-post-becomes-first-major-news-publisher-to-secure-website/
<http://m1e.net/c?47971208-s6soIDZjIiqZY%40316937987-oD3BSyWKJGO8M>
Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
------------------------------
Date: Sun, 28 Jun 2015 16:42:52 +0200
From: Werner U <werneru@gmail.com>
Subject: WiFi Offloading is Skyrocketing
[smurfed from Slashdot -- why in RISKS? Do read the comments... :-]
dkatana <http://mobile.slashdot.org/%7Edkatana> wrote on 25 Jun 2015
<http://mobile.slashdot.org/story/15/06/25/2157218/wifi-offloading-is-skyrocketing>
WiFi Offloading is skyrocketing. This is the conclusion of a new report from
Juniper Research, which points out that the amount of smartphone and tablet
data traffic on WiFi networks will increase to more than 115,000 petabytes
by 2019, compared to under 30,000 petabytes this year, representing almost a
four-fold increase. Most of this data is offloaded to consumers' WiFi by the
carriers, offering the possibility to share your home Internet connection in
exchange for "free" hotspots. [...] the growing number of WiFi devices using
unlicensed bands is seriously affecting network efficiency. Capacity is
compromised by the number of simultaneously active devices, with
transmission speeds dropping as much as 20% of the nominal value. With the
number of IoT and M2M applications using WiFi continuously rising, that
could become a serious problem soon.
------------------------------
Date: Mon, 29 Jun 2015 13:17:48 -0700
From: Mark Thorson <eee@sonic.net>
Subject: The sharp elbows of driverless cars
Google's driverless car cut off Delphi's driverless car in Mountain View.
No collision occurred.
http://www.theguardian.com/technology/2015/jun/26/google-delphi-two-self-driving-cars-near-miss
------------------------------
Date: Tue, 30 Jun 2015 09:24:06 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Sad day for developers: SCOTUS denies Google's appeal on APIs"
(Simon Phipps)
Simon Phipps, InfoWorld, 29 Jun 2015
Supreme Court's decision is bad news for developers targeting the
U.S. market, who will now have to avoid any API not explicitly licensed as open
InfoWorld Tech Watch
http://www.infoworld.com/article/2941103/java/scotus-denies-google-appeal-on-apis.html
opening text:
In an unsurprising ruling today, the Supreme Court balanced a little of the
good it did last week by denying Google's appeal against Oracle in the
matter of the copyrightability of APIs. The case will now be returned to the
lower courts to hear Google's fair use defenses.
While the decision was foreshadowed by the amicus brief delivered by the
Solicitor General a month ago, it's still bad news for 21st century
developers and open communities. Denying the appeal gives corporations with
a 20th century mindset the ability to require permission from developers
seeking to innovate on top of their platforms. Instead of being able to just
assume that use -- especially re-implementation -- of an API is OK,
developers will now need to avoid any API that is not explicitly licensed as
open.
------------------------------
Date: Tue, 30 Jun 2015 09:27:00 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Microsoft quietly pushes 17 new trusted root certificates to
all Windows systems" (Woody Leonhard)
Woody Leonhard, InfoWorld, 29 Jun 2015
The aging foundation of Certificate Authorities shows yet another
crack as security experts are caught unaware
http://www.infoworld.com/article/2941594/security/microsoft-quietly-pushes-17-new-trusted-root-certificates-to-all-windows-systems.html
opening text:
Microsoft is under no obligation to notify you or ask your permission before
placing a new trusted root certificate on your Windows PC. That said, just
last year Microsoft was caught in the embarrassing position of yanking 45
bogus certificates issued under the root certificate authority of the
government of India's Controller of Certifying Authorities. Transparency in
distributing new trusted root certs is a good thing.
A certificate expert who goes by the Twitter handle @hexatomium said in an
article on GitHub over the weekend that Microsoft started pushing the new
trusted root certificates earlier this month to "all supported Windows
systems." It isn't clear how the root certs were pushed, but he does say
Microsoft "did not announce this change in any KB article or advisory."
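Since the article's point is that the roots arrived with no KB article or advisory, the practical control is to keep your own baseline of the trust store and diff it. The following is an added example, not code from the InfoWorld article, from Microsoft or from @hexatomium's tooling. It assumes the snapshots are the text of `certutil -store Root` redirected to a file and relies only on three line shapes in that output ("Subject:", "NotAfter:" and "Cert Hash(sha1):"); the two sample snapshots are constructed placeholders, not real certificates.

```python
import re
import sys

# Added example: baseline the Windows root store and diff a later snapshot
# against it, so a root pushed without an advisory shows up. Input format is
# assumed to be `certutil -store Root` text; everything except the Subject,
# NotAfter and Cert Hash(sha1) lines of each entry is ignored.

ENTRY_SPLIT = re.compile(r"^=+\s*Certificate\s+\d+\s*=+\s*$", re.M)
WANTED = ("Subject", "NotAfter", "Cert Hash(sha1)")

def parse_store_dump(text):
    """Return {sha1_thumbprint: {"subject": ..., "not_after": ...}} per entry."""
    store = {}
    for chunk in ENTRY_SPLIT.split(text):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.strip().partition(":")
            if key in WANTED:
                fields[key] = value.strip()
        if "Cert Hash(sha1)" in fields:
            # certutil prints the hash as space-separated hex bytes; normalise it
            thumb = fields["Cert Hash(sha1)"].replace(" ", "").lower()
            store[thumb] = {"subject": fields.get("Subject", "?"),
                            "not_after": fields.get("NotAfter", "?")}
    return store

def diff_stores(baseline, current):
    """(added, removed): entries only in `current` / only in `baseline`."""
    added = {t: current[t] for t in current.keys() - baseline.keys()}
    removed = {t: baseline[t] for t in baseline.keys() - current.keys()}
    return added, removed

def report(baseline_text, current_text):
    """Human-readable diff lines; an empty list means the store is unchanged."""
    added, removed = diff_stores(parse_store_dump(baseline_text),
                                 parse_store_dump(current_text))
    lines = [f"ADDED   {t}  {e['subject']}  (expires {e['not_after']})"
             for t, e in sorted(added.items())]
    lines += [f"REMOVED {t}  {e['subject']}" for t, e in sorted(removed.items())]
    return lines

# Constructed snapshots in the assumed certutil shape; subjects, serials and
# hashes are placeholders, not real certificates.
BASELINE_DUMP = """\
================ Certificate 0 ================
Serial Number: 01
Issuer: CN=Example Root CA 1, O=Example
 NotBefore: 1/1/2010 12:00 AM
 NotAfter: 1/1/2030 12:00 AM
Subject: CN=Example Root CA 1, O=Example
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
================ Certificate 1 ================
Serial Number: 02
Issuer: CN=Example Root CA 2, O=Example
 NotBefore: 1/1/2012 12:00 AM
 NotAfter: 1/1/2032 12:00 AM
Subject: CN=Example Root CA 2, O=Example
Cert Hash(sha1): ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc
"""
CURRENT_DUMP = """\
================ Certificate 0 ================
Serial Number: 01
Issuer: CN=Example Root CA 1, O=Example
 NotBefore: 1/1/2010 12:00 AM
 NotAfter: 1/1/2030 12:00 AM
Subject: CN=Example Root CA 1, O=Example
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
================ Certificate 1 ================
Serial Number: 03
Issuer: CN=Example Root CA 3, O=Somebody Else
 NotBefore: 6/1/2015 12:00 AM
 NotAfter: 6/1/2040 12:00 AM
Subject: CN=Example Root CA 3, O=Somebody Else
Cert Hash(sha1): 12 34 56 78 9a bc de f0 12 34 56 78 9a bc de f0 12 34 56 78
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: python rootdiff.py baseline.txt current.txt
        with open(sys.argv[1], errors="replace") as b, open(sys.argv[2], errors="replace") as c:
            print("\n".join(report(b.read(), c.read())) or "no change")
    else:
        print("\n".join(report(BASELINE_DUMP, CURRENT_DUMP)))
```

Keying the diff on the SHA-1 thumbprint rather than the subject name matters: a replacement root with the same subject but a different key is exactly the case you want flagged. Keep the baseline file outside the machine being checked, since anything that can add a root can also edit a local baseline.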
------------------------------
Date: Tue, 30 Jun 2015 09:37:28 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Tap your iPad to order: Restaurant automation nobody needs"
(Galen Gruman)
Galen Gruman, InfoWorld, 30 Jun 2015
Self-checkout comes to the food court, with the same mixed experience
as at any self-checkout terminal
http://www.infoworld.com/article/2940565/ipad/tap-your-ipad-to-order-restaurant-automation-nobody-needs.html
opening text:
OTG, one of those companies that manages restaurants at airports, is very
proud of its iPad deployment at Newark Liberty International Airport in New
Jersey. More than 1,000 iPad Airs are in use at restaurant tables in the
airport's food courts, letting travelers order food directly and pay on the
spot -- no need to wait for a server to take your order or to process your
payment.
I had a chance to check out this deployment on a recent trip, and I'm not
sure OTG's pride is warranted. As we've seen in other automation efforts,
such as those self-checkout stands at supermarkets and home-improvement
stores, the reality is not as smooth as the promise. And the goal remains
to remove human labor on the vendor side and have the customer pick up at
least some of that work.
Gene's Comments: 1) Look at the failure modes in the article. This is
something that is not ready for general use. 2) Me pick up some of the
work? This clashes with the fact that when I go out, I typically want to be
pampered a bit.
------------------------------
Date: Sun, 28 Jun 2015 13:33:15 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Automation dependency: Children of the Magenta
FYI -- "Semi-autonomous" cars are here today, so it is appropriate to
revisit what can go wrong due to "automation dependency".
Roman Mars's 31-minute podcast episode from "99% Invisible" discusses
"Children of the Magenta", who are airline pilots who become such slaves to
their autopilots that they allow their normal piloting skills to
deteriorate.
The real problem with the crash of Air France 447 wasn't the fact that its
air speed sensor failed, but the inability of these "Children of the
Magenta" pilots to respond.
"What's It Doing Now": The user has no good model of what the autopilot is
trying to do, but instead of simply disconnecting it, the pilot tries to
"understand" the autopilot. An emergency situation is no place to be
debugging your mental model of the autopilot.
The excellent video in which the phrase "Children of the Magenta" first
originated:
https://www.youtube.com/watch?v=pN41LvuSz10
1997 AA presentation about the Levels of Flight Deck Automation and how to
keep out of trouble
http://99percentinvisible.org/episode/children-of-the-magenta-automation-paradox-pt-1/
http://www.podtrac.com/pts/redirect.mp3/media.blubrry.com/99percentinvisible/cdn.99percentinvisible.org/wp-content/uploads/170-Children-of-the-Magenta-Automation-Paradox-pt.-1.mp3
Episode 170: Children of the Magenta (Automation Paradox, pt. 1)
Roman Mars, 23 Jun 2015
On the evening of 31 May 2009, 216 passengers, three pilots, and nine
flight attendants boarded an Airbus 330 in Rio de Janeiro. This flight, Air
France 447, was headed across the Atlantic to Paris. The take-off was
unremarkable. The plane reached a cruising altitude of 35,000 feet. The
passengers read and watched movies and slept. Everything proceeded normally
for several hours. Then, with no communication to the ground or air traffic
control, flight 447 suddenly disappeared.
Days later, several bodies and some pieces of the plane were found floating
in the Atlantic Ocean. But it would be two more years before most of the
wreckage was recovered from the ocean's depths. All 228 people on board had
died. The cockpit voice recorder and the flight data recorders, however,
were intact, and these recordings told a story about how Flight 447 ended up
at the bottom of the Atlantic.
The story they told was about what happened when the automated system
flying the plane suddenly shut off, and the pilots were left surprised,
confused, and ultimately unable to fly their own plane.
[Long item -- just part one of two -- truncated for RISKS. PGN]
------------------------------
Date: Fri, 26 Jun 2015 23:19:23 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The Future of Car Keys? Smartphone Apps, Maybe
http://www.nytimes.com/2015/06/26/automobiles/wheels/the-future-of-car-keys-smartphone-apps-maybe.html
Apps are increasingly performing the functions of keys, but experts say
there are still kinks to be worked out before, and if, physical keys become
extinct.
------------------------------
Date: Sun, 28 Jun 2015 13:32:53 -0400
From: Monty Solomon <monty@roscom.com>
Subject: ISIS and the Lonely Young American
http://www.nytimes.com/2015/06/28/world/americas/isis-online-recruiting-american.html
For months, Alex had been growing closer to a new group of friends online --
the kindest she had ever had -- who were teaching her what it meant to be a
Muslim.
------------------------------
Date: 30 Jun 2015 16:51:23 -0400
From: "Bob Frankston" <bob19-0501@bobf.frankston.com>
Subject: Leap second problem
Rather than write something long, I'll point out that the function
new timeSpan(2 Minutes).Seconds
cannot be implemented -- yet is in many libraries. Cannot, as in cannot by
definition.
There is no reason to break that function just because there are
applications which need a more precise calculation relative to the rotation
of the earth. Any programmer should know how to maintain a separate
correction factor for those applications.
So why break a fundamental function like a time span calculation for the
rare applications that need the extra precision?
Yes, I know that in 10,000 years it may matter, but I have faith in our
ability to program around it by then, most likely by an approach like time
zones in which we simply create a standard correction factor for alarm
clocks.
http://Frankston.com
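A worked illustration of the point above, as an added example and not Bob Frankston's code: POSIX time and Python's datetime both count 86,400 seconds per day, so a "2 minutes" span always yields 120 when you ask it for seconds. Counted in real (SI) seconds, the same calendar span contains 121 seconds if it straddles 2015-06-30 23:59:60. The TAI-UTC table below is the published IERS sequence of offsets for 2009 through 2017 and is deliberately partial; the separate correction factor Bob describes is exactly this table.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the post): the number of SI seconds in a calendar
# span depends on where the span sits, because UTC inserts leap seconds.
# datetime arithmetic, like POSIX time, never sees them; the TAI-UTC table
# is the "separate correction factor" that puts them back.

UTC = timezone.utc

# TAI-UTC offset in seconds, in force from each UTC instant (IERS Bulletin C).
# Partial table, enough for the 2012 and 2015 leap seconds; extend as announced.
LEAP_TABLE = [
    (datetime(2009, 1, 1, tzinfo=UTC), 34),
    (datetime(2012, 7, 1, tzinfo=UTC), 35),
    (datetime(2015, 7, 1, tzinfo=UTC), 36),
    (datetime(2017, 1, 1, tzinfo=UTC), 37),
]

def tai_minus_utc(t):
    """TAI-UTC offset at UTC instant t; t must not precede the table."""
    offset = None
    for start, value in LEAP_TABLE:
        if t >= start:
            offset = value
    if offset is None:
        raise ValueError("instant predates the leap-second table")
    return offset

def posix_elapsed(a, b):
    """Seconds from a to b as POSIX/datetime arithmetic counts them (no leap seconds)."""
    return int((b - a).total_seconds())

def si_elapsed(a, b):
    """Real SI seconds from a to b: add every leap second inserted in between."""
    return posix_elapsed(a, b) + (tai_minus_utc(b) - tai_minus_utc(a))

def elapsed(a_iso, b_iso):
    """(POSIX-style seconds, SI seconds) between two ISO-8601 instants with offsets."""
    a = datetime.fromisoformat(a_iso).astimezone(UTC)
    b = datetime.fromisoformat(b_iso).astimezone(UTC)
    return posix_elapsed(a, b), si_elapsed(a, b)

def seconds_in_span(start_iso, span):
    """How many SI seconds a calendar span starting at start_iso actually contains."""
    start = datetime.fromisoformat(start_iso).astimezone(UTC)
    return si_elapsed(start, start + span)

if __name__ == "__main__":
    two_minutes = timedelta(minutes=2)
    print(seconds_in_span("2015-06-01T12:00:00+00:00", two_minutes))  # 120
    print(seconds_in_span("2015-06-30T23:59:00+00:00", two_minutes))  # 121
    # The leap second itself has no datetime representation at all:
    try:
        datetime(2015, 6, 30, 23, 59, 60, tzinfo=UTC)
    except ValueError as err:
        print("23:59:60 is unrepresentable:", err)
```

The last few lines show the other half of the problem: the instant 23:59:60 cannot even be constructed, so any timestamp taken during the leap second is already wrong before a span is computed from it. Anything that needs SI-second intervals (a rate limiter, a certificate validity check, a timeout) has to carry the table; everything else is better off with the calendar arithmetic and leaving the table alone.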
------------------------------
Date: Mon, 29 Jun 2015 16:51:37 -0700
From: Mark Thorson <eee@sonic.net>
Subject: Growing opposition to the Leap Second
More calls to abolish the Leap Second because it's alleged to cause problems
for computers.
http://the-japan-news.com/news/article/0002230145
I'm reminded of all those planes that fell out of the sky
when the date rolled over from 1999 to 2000. [!]
------------------------------
Date: Mon, 29 Jun 2015 18:21:29 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: California mandatory vaccination harbinger of anti-virus software?
FYI -- Whatever you may think of anti-vaxxers, the exact same arguments will
be made to *require* "anti-virus" programs on your computers in order to
connect to the Internet. Of course, since we know that
NSA/GCHQ/*insert-your-favorite-spy-or-cybercriminal-name-here* put a very
high priority on hacking anti-virus programs, these "vaccination" laws will
-- in effect -- *require* the installation of a *back door* onto your
computer. GAME OVER!
http://www.theguardian.com/us-news/2015/jun/29/california-vaccine-bill-jerry-brown
California mandatory vaccination bill heads to governor's desk
Jerry Brown has not said if he will sign measure which would ban `personal
belief' exemptions for vaccinating schoolchildren in wake of measles
outbreak
Rory Carroll, 29 June 2015
The California legislature has passed a bill mandating vaccinations for
children in public schools, moving the spotlight to Governor Jerry Brown,
who must now decide whether to sign into law one of the strictest
vaccination regimes in the United States.
The senate in Sacramento passed a final vote on Monday to ban exemptions
from state immunization laws based on religious or other personal beliefs, a
contentious measure taken months after a measles outbreak at Disneyland
infected more than 150 people in the US and Mexico.
The law would require nearly all public schoolchildren to be vaccinated
against diseases including measles and whooping cough, with exemptions only
for children with serious health issues. Other unvaccinated children would
need to be homeschooled.
------------------------------
Date: Sat, 27 Jun 2015 11:02:37 +0100
From: Martyn Thomas <martyn@thomas-associates.co.uk>
Subject: Analyses of root causes
Can anyone give me a link to any published analyses that identify the most
common underlying errors in software (or systems) engineering that have led
to exploitable security vulnerabilities or to safety-related failures?
[Martyn, Try the NIST National Vulnerability Database, with CVE
Vulnerabilities and lots more. PGN]
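One way to act on PGN's pointer, added here as an example that is neither his nor NIST's code: the NVD tags each CVE with CWE weakness identifiers, so tallying those across a feed gives a first-order answer to "which underlying errors are most common". The records below are constructed in the shape of the NVD API 2.0 JSON (`vulnerabilities[].cve.weaknesses[]`); the CVE identifiers in them are placeholders, not real entries, and the preference for "Primary" over "Secondary" weakness sets is the author's choice, not an NVD rule.

```python
import json
from collections import Counter

# Added example: tally CWE weaknesses over NVD API 2.0 records so the most
# common root-cause classes surface. Handles the two ways a record carries
# no usable classification: NVD's own placeholders and a missing weaknesses key.

NO_INFO = {"NVD-CWE-noinfo", "NVD-CWE-Other"}   # NVD's "not classified" markers

def primary_cwes(cve):
    """CWE IDs for one CVE record: prefer the 'Primary' weakness set, fall back
    to 'Secondary', drop NVD placeholders, dedupe within the record."""
    by_type = {}
    for w in cve.get("weaknesses", []):
        ids = [d["value"] for d in w.get("description", []) if d.get("lang") == "en"]
        by_type.setdefault(w.get("type", "Primary"), []).extend(ids)
    chosen = by_type.get("Primary") or by_type.get("Secondary") or []
    return sorted({c for c in chosen if c not in NO_INFO})

def cwe_tally(feed):
    """(Counter of CWE -> number of CVEs tagged with it, number of untagged CVEs)."""
    counts, untagged = Counter(), 0
    for item in feed.get("vulnerabilities", []):
        cwes = primary_cwes(item["cve"])
        if not cwes:
            untagged += 1
        counts.update(cwes)
    return counts, untagged

def load_feed(path):
    """Load a saved NVD API 2.0 response (or a cvelistV5-style export of the same shape)."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)

# Constructed records in the assumed NVD 2.0 shape; CVE IDs are placeholders.
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "weaknesses": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "description": [{"lang": "en", "value": "CWE-79"}]}]}},
        {"cve": {"id": "CVE-0000-0002", "weaknesses": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "description": [{"lang": "en", "value": "CWE-787"}]},
            {"source": "vendor", "type": "Secondary",
             "description": [{"lang": "en", "value": "CWE-119"}]}]}},
        {"cve": {"id": "CVE-0000-0003", "weaknesses": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
        {"cve": {"id": "CVE-0000-0004", "weaknesses": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "description": [{"lang": "en", "value": "CWE-79"},
                             {"lang": "en", "value": "CWE-20"}]}]}},
        {"cve": {"id": "CVE-0000-0005"}},   # no weaknesses key at all
    ]
}

if __name__ == "__main__":
    counts, untagged = cwe_tally(SAMPLE_FEED)
    for cwe, n in counts.most_common():
        print(f"{cwe:10s} {n}")
    print(f"untagged records: {untagged}")
```

The untagged count is the caveat to report alongside the ranking: a large share of records with no usable CWE means the tally describes NVD's labelling effort as much as the software's actual defect distribution.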
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.74
************************