Risks Digest 29.17
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Dec 15 17:40:54 2015
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 15 Dec 2015 14:40:41 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Tuesday 15 December 2015 Volume 29 : Issue 17
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/29.17.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Former National Security Officials Urge Government to Embrace Risks of
Encryption (Ellen Nakashima)
What the government should've learned about backdoors from the
Clipper Chip (Sean Gallagher)
"Final cyber security bill paves way for the surveillance state"
(Caroline Craig)
Lightbulb DRM: Philips Locks Purchasers Out Of Third-Party Bulbs
With Firmware Update (TechDirt)
Personalized news hits home (Quealy and Sanger-Katz via Charles C Mann)
European Space Agency records leaked for amusement, attackers say (CSO)
FAA Wants Your Credit Card Number when you register your drones
(Lauren Weinstein)
Thai Man May Go to Prison [for 37 years] for Insulting King's Dog on
social media (NYTimes)
13 million MacKeeper users exposed after MongoDB door was left open
(Ars Technica)
Bangladesh extends social media ban, blocking Twitter and Skype
(Lauren Weinstein)
Hackers actively exploit critical vulnerability in sites running Joomla
(Ars Technica)
Small, community banks using machine learning to reduce fraud
(NetworkWorld)
Lie-detecting Software uses Machine Learning to Achieve 75 Percent Accuracy
(Scientific Computing)
British government admits selling Internet addresses to Saudi
Arabia and says it can't stop ISIS extremists using them
Your iPhone Is Ruining Your Posture -- and Your Mood (David Damerell)
Google links back to itself (Peter Houppermans)
A looming anniversary, and an offer (Gene Spafford)
Re: America's secret cyberarsenal (Henry Baker)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 15 Dec 2015 10:59:57 -0800
From: Peter G Neumann <neumann@csl.sri.com>
Subject: Former National Security Officials Urge Government to Embrace
Rise of Encryption (Ellen Nakashima)
Ellen Nakashima, *The Washington Post*, 14 Dec 2015
https://www.washingtonpost.com/world/national-security/former-national-security-officials-urge-government-to-embrace-rise-of-encryption/2015/12/15/3164eae6-a27d-11e5-9c4e-be37f66848bb_story.html
[This is a remarkable article, suggesting (among other things) that law
enforcement needs to adapt to the use of encryption rather than expect
exceptional systemic access to decrypted and unencrypted information.
Mike McConnell notes that strong encryption is a greater strategic need.
Michael Chertoff notes that deliberately compromising security to make it
easier for law enforcement would run the risk of simply sending bad guys
elsewhere. Michael Hayden notes that backdoors and built-in keys would
drive the market away. Joel Brenner notes that the likelihood others will
gain access is quite high. All four of these men have held very high
positions in the U.S. Government. PGN-ed]
------------------------------
Date: Tue, 15 Dec 2015 12:16:13 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: What the government should've learned about backdoors from the
Clipper Chip (Sean Gallagher)
Sean Gallagher, Ars Technica, 15 Dec 2015
http://arstechnica.com/information-technology/2015/12/what-the-government-shouldve-learned-about-backdoors-from-the-clipper-chip/
This article revisits arguments Whit Diffie made at a Congressional hearing
22 years ago, relating to the key-escrow approach of the Clipper Chip -- all
of which seem relevant today, more or less as originally stated:
* The backdoor would put providers in an awkward position with other
governments and international customers, weakening its value.
* Those who want to hide their conversations from the government for
nefarious reasons can get around the backdoor easily.
* The only people who would be easy to surveil would be people who didn't
care about government surveillance in the first place.
* There was no guarantee someone else might not exploit the backdoor for
their own purposes.
------------------------------
Date: Tue, 15 Dec 2015 09:32:53 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Final cyber security bill paves way for the surveillance state"
(Caroline Craig)
Caroline Craig, InfoWorld, 11 Dec 2015
Closed-door negotiations in Congress threaten to strip privacy
provisions from final version of the merged cyber security bill
http://www.infoworld.com/article/3013728/government/final-cyber-security-bill-paves-way-for-the-surveillance-state.html
------------------------------
Date: Mon, 14 Dec 2015 15:58:37 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Lightbulb DRM: Philips Locks Purchasers Out Of Third-Party Bulbs
With Firmware Update (TechDirt via NNSquad)
https://www.techdirt.com/articles/20151214/07452133070/lightbulb-drm-philips-locks-purchasers-out-third-party-bulbs-with-firmware-update.shtml
Literally. Philips has just slapped fans like us in the face and kicked
interoperability out the door. Without any communication they delivered a
new firmware to the system that disables adding products that they don't
approve of. Basically they are banning other Zigbee Light Link products
despite the fact that they are a Connected Lighting Alliance member whose
mission is to promote interoperability. As it seems (and unless this is
just a huge mistake on Philips' side), they have without a warning turned
their open product into a walled garden. They have also destroyed the
value of the solutions that the customers have set up based on Philips'
promises.
------------------------------
Date: Tue, 15 Dec 2015 14:11:29 +0000 (UTC)
From: Charles C Mann <ccmann@comcast.net>
Subject: Personalized news hits home (Quealy and Sanger-Katz)
Kevin Quealy and Margo Sanger-Katz, *The New York Times* interactive, 15 Dec
2015, The Experts Were Wrong About the Best Places for Better and Cheaper
Health Care
http://www.nytimes.com/interactive/2015/12/15/upshot/the-best-places-for-better-cheaper-health-care-arent-what-experts-thought.html
While reading this interesting NYTimes article about health care costs, I
was surprised to have the article reach out and grab me by the collar.
Embedded in the article -- flowed into the text, not separate in any way --
was a sentence or two and a little graphic that told me about health care
costs in Springfield, MA, where it guessed I was reading from (I live about
half an hour away, so not a bad guess). I have attached a screen capture
and would be curious if the whole enterprise worked as well in other
geographic areas. [Omitted for RISKS. PGN]
This is the first time I can remember encountering anything like this in a
news story -- reaching out to tap the reader on the shoulder in the middle of
the article, as opposed to letting the reader click on something. To me, it
was at once useful and creepy. On the one hand, I was curious about the
results for my local area. On the other, I was creeped out by being reminded
of the giant eyeball on the other end that is watching me. [...]
[My own browsing of this *interactive* article focuses on San Mateo
County, California, which is where SRI is located. I think *The Times*
interactive folks have done quite a spectacular job, as the entire article
includes statistics related to *my* location. Moreover, from the graphic,
it appears that the article is prepared to be instantiated specifically to
at least 280 different locations (rough count). At this rate, it won't be
long until interactive *Times* articles are personalized down to each
county, or each city, or even each household... PGN]
------------------------------
Date: Mon, 14 Dec 2015 08:30:15 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: European Space Agency records leaked for amusement, attackers say
http://www.csoonline.com/article/3014507/security/european-space-agency-records-leaked-for-amusement-attackers-say.html
Along with database schemas and server stats, a second post by Anonymous
also included 8,107 names, email addresses, and passwords. A third post
exposed contact details for various ESA supporters and researchers. The
leaked data highlights a troubling problem with regard to passwords used
on the compromised domains. Of the 8,107 passwords exposed, 39 percent
(3,191) of them were just three characters long (e.g. 'esa', '469', '136',
etc.). The second largest set of passwords - 1,314 (16%) - were eight
characters long, and based on their construction would have been easily
cracked by most rule sets and dictionaries. Passwords such as trustno1,
rainbow6, password, 12345678, and those based on the person's name or
email address would be the first to fall.
------------------------------
Date: Mon, 14 Dec 2015 10:29:04 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: FAA Wants Your Credit Card Number when you register your drones
Privacy Nightmare: Own a Drone? FAA Wants Your Credit Card Number
http://lauren.vortex.com/archive/001138.html
Oh goodie. The FAA has announced its ultra-rushed plan for a drone registry
-- they desperately wanted to get this on the books before Christmas. It's
worse than even the most vocal critics had anticipated:
https://www.faa.gov/uas/registration/faqs/
Over the next 60 days, the FAA is requiring that anyone who flies drones
outside (other than very small toy drones) must register on a web site (in
theory paper-based filing is possible, but the FAA obviously anticipates
most registrations to be over the web).
The FAA is also demanding your credit card number before you fly. In
fact, they demand $5 via credit card every three years. Forever. [...]
No need to worry though, right? All that required personal information --
name, physical/mailing address, credit card data, email address, etc. will
be in the warm embrace of a "third party contractor" who no doubt will take
really good care of it to meet the abysmal security and privacy practices of
the federal government.
The black hat hackers are already salivating over this one. Home
addresses! Credit cards! "Hey comrade, do they ship Porsches to Moscow?"
------------------------------
Date: Mon, 14 Dec 2015 18:21:00 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Thai Man May Go to Prison [for 37 years] for Insulting King's Dog
on social media
http://www.nytimes.com/2015/12/15/world/asia/thailand-lese-majeste-tongdaeng.html?emc=eta1
In a case brought in a Thai military court, the worker, Thanakorn
Siripaiboon, was charged with making a "sarcastic" Internet post related
to the king's pet. He also faces separate charges of sedition and
insulting the king. Mr. Thanakorn could face a total of 37 years in
prison for his social media posts, highlighting what has become a feverish
campaign to protect the monarchy and rebuff critics of the country's
military rulers.
------------------------------
Date: Tue, 15 Dec 2015 09:43:53 -0500
From: Monty Solomon <monty@roscom.com>
Subject: 13 million MacKeeper users exposed after MongoDB door was left open
http://arstechnica.com/security/2015/12/13-million-mackeeper-users-exposed-after-mongodb-door-was-left-open/
------------------------------
Date: Mon, 14 Dec 2015 14:32:22 -0800
From: Lauren Weinstein <privacy@vortex.com>
Subject: Bangladesh extends social media ban, blocking Twitter and Skype
https://thestack.com/security/2015/12/14/bangladesh-extends-social-media-ban-blocking-twitter-and-skype/
A month after temporarily blocking social media sites including Facebook
and WhatsApp, the Bangladeshi government has now taken steps to take down
Microsoft's online chat software Skype and social networking service
Twitter. Citing 'threats to national security', the government ordered
the blocking of the six leading social media apps in Bangladesh -
Facebook, Messenger, Line, WhatsApp, Viber and Tango. The decision came
after a supreme court ruling which sentenced two opposition leaders,
Salauddin Quader Chowdhury and Ali Ahsan Muhajid, to death, having found
them guilty of crimes committed in the 1971 war of independence from
Pakistan.
------------------------------
Date: Tue, 15 Dec 2015 09:37:22 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Hackers actively exploit critical vulnerability in sites running Joomla
Attackers are actively exploiting a critical remote command-execution
vulnerability that has plagued the Joomla content management system for
almost eight years, security researchers said.
http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
------------------------------
Date: Tue, 15 Dec 2015 09:22:45 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Small, community banks using machine learning to reduce fraud
http://www.networkworld.com/article/2991925/security/small-community-banks-using-machine-learning-to-reduce-fraud.html
------------------------------
Date: Tue, 15 Dec 2015 09:25:52 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Lie-detecting Software uses Machine Learning to Achieve 75 Percent Accuracy
http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy
[Wow! 75 percent! That means in 25 percent of the cases, everyone is
likely to be falsely accused of something? PGN]
------------------------------
Date: Tue, 15 Dec 2015 11:00:41 -0800
From: Lauren Weinstein <privacy@vortex.com>
Subject: British government admits selling Internet addresses to Saudi
Arabia and says it can't stop ISIS extremists using them
``The government owns millions of unused IP addresses which we are selling to
get a good return for hardworking taxpayers. We have sold a number of these
addresses to telecoms companies both in the UK and internationally to allow
their customers to connect to the Internet. We think carefully about which
companies we sell addresses to, but how their customers use this Internet
connection is beyond our control.''
The government did not reveal how much money was made from selling the IP
addresses to the pair of Saudi firms, because it regards this information as
commercially sensitive.
The Saudi deal was first revealed after hackers claimed that a number of
Islamic State supporters' social media accounts are being run from Internet
addresses which could be linked to the Department of Work and Pensions.
http://www.mirror.co.uk/news/technology-science/technology/british-government-admits-selling-internet-7017287
------------------------------
Date: Tue, 15 Dec 2015 14:04:47 +0000
From: David Damerell <damerell@chiark.greenend.org.uk>
Subject: Your iPhone Is Ruining Your Posture -- and Your Mood (R 29 16)
The Dreaded iHunch? ... very effectively dealt with here:
http://steamtraen.blogspot.co.uk/2015/12/a-cute-story-to-be-told-and-self-help.html
starting with the observation that this is a tiny study from 2013, which has
not yet been peer-reviewed and yet is felt good enough for *The New York
Times*.
The risks of sensationalist newspaper articles based on dubious science will
be familiar to us, I'm sure - but having the sensationalist article written
by one of the authors of the dubious science is certainly more efficient
than the usual approach.
------------------------------
Date: Tue, 15 Dec 2015 09:24:37 +0100
From: Peter Houppermans <peter@houppermans.net>
Subject: Google links back to itself
Ah, why oh why would Google offer links that would point back to itself?
> A side note, Google appears to be (in some instances) not providing users
> direct links to articles - Google instead provides links to Google with
> search terms. Have others noticed this? And if so, can anyone speculate as
> to why?
You may want to look up what a chap by the name Gordon Welchman did during
WW II. What you're looking at is meta-data collection: tracking
relationships. Google is tracking whom you are sharing the link with so
they can establish a link between you and the originator. From such casual
events metrics and profiles are spun, and it's not just Google who does this
-- I find especially LinkedIn rather aggressive in this too.
I always strip links back to the actual resource before I forward them to
others as I find it uncivil to subject someone to unwanted (and mostly
undetected) tracking, and links I receive from third parties get the same
treatment before I use them.
To quote the late Spike Milligan, there is a lot of it about!
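The link-stripping practice described in the post above, as an added example that is not part of the original message: a helper that classifies a link as a direct resource, a Google redirect wrapper, or a Google search-terms link, recovers the destination where one exists, and rewrites a message body before it is forwarded. The intermediary host list, the destination parameter names (`url`, `q`) and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts treated as Google intermediaries (assumption: a short illustrative list).
GOOGLE_HOSTS = {"google.com", "www.google.com", "www.google.co.uk"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message body: one wrapped link, one search-terms link,
# one direct link.
SAMPLE_MESSAGE = (
    "Worth a read: https://www.google.com/url?q=https://www.example.org/article"
    "&sa=D&usg=AOvVaw0constructed and also\n"
    "https://www.google.com/search?q=risks+digest+29.17\n"
    "Archive: https://catless.ncl.ac.uk/Risks/29.17.html\n"
)


def unwrap_google_link(link, _depth=0):
    """Classify a link and recover what it really leads to.

    Returns (kind, target, dropped) where kind is:
      'direct'   - not a Google intermediary; target is the link itself
      'redirect' - a Google /url wrapper; target is the destination it carried
      'search'   - a Google /search link; target is the search terms, since
                   there is no destination to recover (the case in the post)
    dropped lists the wrapper's other query parameters (tracking/state).
    """
    parts = urlsplit(link)
    if parts.netloc.lower() not in GOOGLE_HOSTS:
        return ("direct", link, [])
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if parts.path == "/url":
        # Assumed parameter names carrying the destination: 'url' or 'q'.
        for key in ("url", "q"):
            if key in qs and qs[key][0].startswith(("http://", "https://")):
                target = qs[key][0]
                dropped = sorted(k for k in qs if k != key)
                # A wrapper that points at another wrapper: peel again, bounded.
                if _depth < 3 and urlsplit(target).netloc.lower() in GOOGLE_HOSTS:
                    kind, inner_target, inner_dropped = unwrap_google_link(target, _depth + 1)
                    return (kind, inner_target, dropped + inner_dropped)
                return ("redirect", target, dropped)
    if parts.path == "/search" and "q" in qs:
        return ("search", qs["q"][0], sorted(k for k in qs if k != "q"))
    return ("direct", link, [])  # some other Google page: leave it alone


def strip_links(text):
    """Rewrite a message body so every Google /url wrapper is replaced by its
    destination; search-only links are left in place but marked, since there
    is no resource to strip them back to."""
    def repl(m):
        kind, target, _ = unwrap_google_link(m.group(0))
        if kind == "redirect":
            return target
        if kind == "search":
            return m.group(0) + " [search link, no direct target]"
        return m.group(0)
    return URL_RE.sub(repl, text)
```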
------------------------------
Date: Tue, 15 Dec 2015 11:05:16 -0500
From: Gene Spafford <spaf@purdue.edu>
Subject: A looming anniversary, and an offer
Next year is the 25th anniversary of the publication of Practical Unix
Security. The book has attracted quite a readership over the years.
As a celebration of the anniversary, and as a way of helping raise some
funds for two worthwhile non-profit organizations (EPIC and the ISSA
Foundation), we are making a special offer to get a copy of the book signed
by the authors.
We encourage people to participate --
if nothing else, to provide some support to two worthwhile organizations
supporting security & privacy work
(Details: http://ceri.as/puis).
------------------------------
Date: Mon, 14 Dec 2015 17:33:28 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: America's secret cyberarsenal (RISKS-29.16)
The most important link was omitted from my post:
http://www.politico.com/agenda/story/2015/12/defense-department-cyber-offense-strategy-000331
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 29.17
************************