Risks Digest 29.68
From: RISKS List Owner <risko@csl.sri.com>
Date: Thu, 11 Aug 2016 14:53:49 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Thursday 11 August 2016 Volume 29 : Issue 68
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/29.68.html>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
DoJ Official Tells 100 Fed Judges to Use Tor (Joseph Cox)
Delta Struggles to Take Flight After Global System Outage (ABC)
El Faro Cargo Ship VDR recovered (Al Mac)
Australia GPS coordinates moving -- for driverless cars (ABC Australia)
Millions of VW cars at risk: Wireless hack lets crooks clone Volkswagen
keys (Liam Tung)
Tesla Tampering (DefCon)
A New Hack Can Unlock 100 Million Volkswagens (Andy Greenberg)
Hack of Democrats' Accounts Was Wider Than Believed, Officials Say (NYT)
More on the DNC e-mail and WikiLeaks (PGN)
"Emailgate: How media mistakes created Hillary Clinton's fake, fake
identity" (David Gewirtz)
MICROS POS Breach (Krebs)
Monitors Are Vulnerable to Hijacking and Spying (Motherboard)
Irish Police systems hacked (Patrick O'Beirne)
Now even your sex toys are spying on you (Zack Whittaker)
Flawed Designs (ProPublica)
Susan Crawford on wireless vis-a-vis cable (BackChannel)
U.S. broadband: Still no ISP choice for many, especially at higher speeds
(Ars Technica)
Encryption's Quantum Leap: The Race to Stop the Hackers of Tomorrow
(Steve Ranger)
Samsung is all talk, no fix after researcher finds Pay flaw (Zach Whittaker)
New Nigerian Fraud Scheme Revealed -- by Self-Infection (IEEE Spectrum)
Facebook will bypass web adblockers, but offer ad targeting opt-outs
(TechCrunch)
"Secure Boot proves insecurity of backdoors" (Fahmida Y. Rashid)
Microsoft's giving you just 10 days now, not 31, to change your mind
about Windows 10 (Mark Hachman)
Microsoft researchers enable secure data exchange in the cloud (LW)
Once Taunted by Steve Jobs, Companies Are Now Big Customers of Apple (NYT)
"The Internet" vs "internet" and other sundry thoughts (PGN)
Re: How to hack an election in seven minutes (Ben Wofford)
Re: 8-inch floppies (Dimitri Maziuk)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 08 Aug 2016 07:26:47 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: DoJ Official Tells 100 Fed Judges to Use Tor (Joseph Cox)
FYI -- Particularly important for judges [who are hiding something]
Joseph Cox, Motherboard, 6 Aug 2016
Department of Justice Official Tells Hundred Federal Judges to Use Tor
https://motherboard.vice.com/read/department-of-justice-official-tells-hundred-federal-judges-to-use-tor
The US government has a complicated relationship with Tor. While the US is
the biggest funder of the non-profit that maintains the software, law
enforcement bodies such as the FBI are exploiting Tor browser
vulnerabilities on a huge scale to identify criminal suspects.
To add to that messy, nuanced mix, one Department of Justice official
recently personally recommended Tor to a room of over a hundred federal
judges.
Ovie Carroll, director for the Cybercrime Lab at the Department of Justice,
urged the judges to "use the TOR [sic] network to protect their personal
information on their computers, like work or home computers, against data
breaches, and the like," Judge Robert J. Bryan said in July, according to a
hearing transcript released on Friday.
"I was surprised to hear him urge the federal judges present," Bryan said.
Bryan was talking during a hearing on two motions to withdraw guilty pleas
in the FBI's recent mass hacking campaign. In February 2015, the FBI took
over a dark web child pornography site called Playpen, and deployed malware
in an attempt to identify the site's visitors. Bryan has presided over
several resulting cases from that investigation.
"I almost felt like saying, 'That's not a good way to protect your stuff,
because the FBI can go through it like eggshells,'" Bryan continues. Of
course, this isn't really true: although the FBI has had some notable
successes at identifying criminal suspects on the dark web with
technological means, it is not the norm.
It's worth remembering Carroll is not the only Justice Department or US law
enforcement official to endorse Tor. According to emails obtained by
Motherboard, one FBI agent was also an advocate of Tor.
Indeed, it would be exceptionally foolish to assume that every law
enforcement or justice official would automatically be antagonistic towards
Tor. By its very nature, Tor is a dual-use technology; it can be used to
protect individual privacy, circumvent censorship, and obfuscate metadata.
But it can also be used by some pedophiles to remain one step ahead of the
cops.
Also, if Judge Bryan's comments are accurate, Carroll's advice may not have
been that robust anyway. Tor is not really useful for protecting personal
information on computers, or necessarily mitigating the damage from data
breaches: those just aren't the sort of things that Tor protects against.
Regardless, it's still noteworthy to see this advice coming from a
Department of Justice official.
------------------------------
Date: Mon, 8 Aug 2016 07:33:59 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Delta Struggles to Take Flight After Global System Outage (ABC)
http://abcnews.go.com/Health/wireStory/delta-grounds-flights-due-systems-problems-41198955
Delta Air Lines delayed or canceled hundreds of flights Monday after its
computer systems crashed, stranding thousands of passengers on a busy
travel day. About six hours into the outage, the airline said that
limited flights were resuming but that delays and cancellations were
continuing. The Atlanta-based airline said that a power outage at a
facility in Atlanta at around 2:30 a.m. Eastern started the cascading
meltdown.
[Also:
Delta Air Lines Computer Failure Hobbles Service]
http://www.nytimes.com/2016/08/09/business/delta-air-lines-delays-computer-failure.html
------------------------------
Date: Tue, 9 Aug 2016 14:53:49 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: El Faro Cargo Ship VDR recovered
Remember the cargo ship that sank off US east coast Oct 2015 during
Hurricane Joaquin? The operators knew this bad weather was in the forecast,
and that the ship was experiencing engine troubles, not yet fixed, but they
deliberately gambled, sending the ship into harm's way, at risk of engine
failure during the worst kind of storm imaginable, according to news media
stories at the time.
A series of efforts to recover the ship's black box, called a Voyage Data
Recorder (VDR), from wreckage over 15,000 feet down on the ocean floor, finally
paid off. US efforts included: NTSB; US Navy; US Coast Guard; Woods Hole
Oceanographic Institute; National Science Foundation (NSF); University of
Rhode Island; and Phoenix International.
More info, found so far, on NTSB web page about the El Faro continuing
investigation:
http://www.ntsb.gov/investigations/Pages/2015_elfaro_jax.aspx
------------------------------
Date: Tue, 9 Aug 2016 17:46:27 -0700
From: Mark Thorson <eee@sonic.net>
Subject: Australia GPS coordinates moving -- for driverless cars
GPS coordinates for Australia need to be updated so applications like
driverless cars can work.
http://www.abc.net.au/news/2016-07-28/why-it-matters-that-australias-coordinates-are-moving/7668014
------------------------------
Date: Thu, 11 Aug 2016 10:27:24 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Millions of VW cars at risk: Wireless hack lets crooks clone
Volkswagen keys
Liam Tung, ZDNet, 11 Aug 2016
Researchers find flaws in the keyless entry system used in around 100
million vehicles from the Volkswagen Group.
http://www.zdnet.com/article/millions-of-vw-cars-at-risk-wireless-hack-lets-crooks-clone-volkswagen-keys-at-100m/
selected text:
If you own a Volkswagen with keyless entry, it's likely to be vulnerable to
a remote-cloning attack, according to new research.
The researchers argue that, given their findings, insurance companies may
need to accept that cases that look like insurance fraud, such as a laptop
stolen from a locked car without any physical traces of a break-in, can
plausibly be an actual theft.
------------------------------
Date: Wed, 10 Aug 2016 11:38:05 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Tesla Tampering
At DefCon, researchers demonstrated how they could hack the sensors to cause
a Tesla to hit an object it would otherwise avoid. *Business Insider*
reported this, as noted in today's local *Daily Post*.
------------------------------
Date: Wed, 10 Aug 2016 14:52:36 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: A New Hack Can Unlock 100 Million Volkswagens (Andy Greenberg)
Andy Greenberg, Wired, 08.10.16 4:29 pm.
https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/
In 2013, when University of Birmingham computer scientist Flavio Garcia
and a team of researchers were preparing to reveal a vulnerability that
allowed them to start the ignition of millions of Volkswagen cars and
drive them off without a key, they were hit with a lawsuit that delayed
the publication of their research for two years. But that experience
doesn't seem to have deterred Garcia and his colleagues from probing more
of VW's flaws: Now, a year after that hack was finally publicized, Garcia
and a new team of researchers are back with another paper that shows how
Volkswagen left not only its ignition vulnerable but the keyless entry
system that unlocks the vehicle's doors, too. And this time, they say, the
flaw applies to practically every car Volkswagen has sold since 1995.
------------------------------
Date: Thu, 11 Aug 2016 03:58:10 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hack of Democrats' Accounts Was Wider Than Believed, Officials Say
http://www.nytimes.com/2016/08/11/us/politics/democratic-party-russia-hack-cyberattack.html
A Russian cyberattack is now thought to have breached the private email
accounts of more than 100 party officials and groups.
------------------------------
Date: Wed, 10 Aug 2016 11:31:59 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: More on the DNC e-mail leak
Supplementing previous claims by "security experts" in U.S. intelligence
(and Democratic officials) that the Russians hacked the DNC e-mails, Julian
Assange is suggesting that the e-mails were leaked to WikiLeaks by Seth
Conrad Rich, a DNC staffer who was murdered in Washington DC on 8 Jul 2016.
A front-page blurb (with no further story inside) in today's *Daily Post* (a
free weekday paper for the Palo Alto area) notes that "Rich's death has been
explained away as a robbery, but his assailant left his watch, money, credit
cards and phone." [PGN-ed]
------------------------------
Date: Wed, 10 Aug 2016 10:22:24 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Emailgate: How media mistakes created Hillary Clinton's fake,
fake identity" (David Gewirtz)
[With the Internet, you can make mistakes bigger and faster than ever!
Or spread rumours.]
David Gewirtz for ZDNet Government, 5 Mar 2015
The media creates mythology. David Gewirtz looks at how the AP created a
new, completely false Hillary Clinton myth about a fake identity, how it's
sticking, and where it all went wrong.
http://www.zdnet.com/article/emailgate-how-media-mythology-created-hillary-clintons-fake-fake-identity/
opening text:
There is more to the Hillary Clinton personal email story than just Hillary
Clinton and her personal email use.
It's also a story about a trusted news establishment that broke a story in
the morning about the leading presumptive presidential candidate using a
fake identity, let it run through an entire day's news cycle, and then
changed that story in the same article later that evening -- without ever
releasing an update or correction.
[Reminder: the DNC e-mail hack and the Hillary e-mail hack are different
cases, although they have the common genesis in poor system security. PGN]
------------------------------
Date: Tue, 9 Aug 2016 23:27:23 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: MICROS POS Breach (Krebs)
Krebs on Security reported a data breach with Oracle's MICROS Point of Sale
System. <http://krebsonsecurity.com/>
<http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/>
MICROS is very popular in the hospitality industry, hotels, food and
beverage sales. In 2014 they had 330,000 sites in 180 nations.
Oracle has called on 100% of the sites to change 100% of their passwords,
for 100% of their accounts.
------------------------------
Date: Mon, 8 Aug 2016 19:11:58 +0200
From: Werner U <werneru@gmail.com>
Subject: Monitors Are Vulnerable to Hijacking and Spying (Motherboard)
(Motherboard via SlashDot)
[ ...time to return to pen and paper ?!! ]
One Billion Monitors Vulnerable to Hijacking and Spying
<https://hardware.slashdot.org/story/16/08/07/1546208/one-billion-monitors-vulnerable-to-hijacking-and-spying>
"We can now hack the monitor and you shouldn't have blind trust in those
pixels coming out of your monitor..." a security researcher tells
Motherboard.
"If you have a monitor, chances are your monitor is affected."
A Slashdot reader quotes Motherboard's article:
> if a hacker can get you to visit a malicious website or click on a
> phishing link, they can then target the monitor's embedded computer,
> specifically its firmware... the computer that controls the menu to
> change brightness and other simple settings on the monitor.
> The hacker can then put an implant there programmed to wait... for
> commands sent over by a blinking pixel, which could be included in
> any video or a website.
> Essentially, that pixel is uploading code to the monitor.
<https://slashdot.org/motherboard.vice.com/read/hackers-could-break-into-your-monitor-to-spy-on-you-and-manipulate-your-pixels>
> At that point, the hacker can mess with your monitor...
>
> [T]his could be used to both spy on you, but also show you stuff
> that's actually not there. A scenario where that could be dangerous
> is if hackers mess with the monitor displaying controls for a power
> plant, perhaps faking an emergency. The researchers warn that this
> is an issue that could potentially affect one billion monitors, given
> that the most common brands all have processors that are vulnerable...
"We now live in a world where you can't trust your monitor," one researcher
told *Motherboard*, which added "we shouldn't consider monitors as
untouchable, unhackable things."
------------------------------
Date: Tue, 9 Aug 2016 08:35:09 +0100
From: "Patrick O'Beirne" <obeirne.p.r@gmail.com>
Subject: Irish Police systems hacked
(Translator's note: Garda = Civic Guard, i.e., police, plural Gardai)
http://www.rte.ie/news/2016/0808/807804-garda-it-security/
Garda IT system restored following attempted hack. Gardai revealed last
week that a new strain of malware had been found on their systems. They
stressed that no data was compromised and that its main database, PULSE, and
the Garda website were not affected. The Garda Computer Crime Unit is
continuing its investigation into the incident.
The malware involved was referred to as "zero day", meaning it was not
previously known.
------------------------------
Date: Thu, 11 Aug 2016 10:32:28 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Now even your sex toys are spying on you" (Zack Whittaker)
IoT meets Rule 34?
Zack Whittaker, ZDNet, Aug 2016
Is nothing sacred in this world?
http://www.zdnet.com/article/now-even-your-sex-toys-are-spying-on-you/
selected text:
Dubbed the "number one couple's vibrator," the We-Vibe 4 Plus is the latest
in Internet-connected sex toys. It connects wirelessly to a smartphone over
Bluetooth so a user or their partner can control the vibration intensity and
mode. It also comes with Internet connectivity so that a long-distance
partner can control the device from anywhere.
The trouble is, it's spilling your sexual secrets to its manufacturer.
[and presumably is easily hacked by someone who has also hacked the
camera on your laptop? PGN]
------------------------------
Date: Thu, 11 Aug 2016 01:11:38 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Flawed Designs
https://www.propublica.org/article/looks-can-kill-the-deadly-results-of-flawed-design?utm_source=pardot
I wear a hearing aid.
With it (working correctly), I hear my auto chiming, then I check visual
clues to figure out what it is complaining about. Without the hearing aid,
all I have are the visual clues, which I might not notice as rapidly as I
would like.
If a hearing aid is not working correctly, we do not know it. We might not
be hearing bird song, but there might not be any birds around singing. A
mosquito makes a buzzing sound. We might not hear that, but who knows
there's an insect around, unless it is prominent in our vision. We only
hear rainfall, depending on which direction it is arriving. So if a hearing
aid is down, that may not be immediately obvious.
When is a hearing aid not working correctly? There are several possible
causes. We may be overdue to change the battery. We may be overdue to
clean the ear wax out of the tubes. So is there a technology to alert a
hearing aid user: ``Hey, your hearing aid is malfunctioning.''
When leaving home, push a button, hear some musical tinkle, or not -- tell
us to do extra checking.
That design would not work effectively for me, as I have tinnitus, where
intermittently I am hearing some sound, which is a common sound in my life:
air conditioner fan; alarm clock; door bell; phone ringing, etc., except that
sound is a hearing hallucination.
If the musical tone test was often played, it would get added to the tinnitus
repertoire of intermittent surprises.
I do not know what association triggers a tinnitus episode.
------------------------------
Date: Thu, 11 Aug 2016 08:52:06 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Susan Crawford on wireless vis-a-vis cable
BackChannel via NNSquad
The Next Generation of Wireless -- "5G" -- Is All Hype.
https://backchannel.com/the-next-generation-of-wireless-5g-is-all-hype-1790239b8ca8#.13g0n83nf
The meaning seems obvious -- our current communications system is 4G, so
of course we must already have the next generation in line. Telecom
executives play on this perception. Lowell McAdam, the CEO of Verizon,
says 5G is "wireless fiber." (And I thought fiber was fiber.) SK Telecom
says it will soon be able to transfer holograms and enable virtual reality
over 5G networks that are 100 times faster than current 4G LTE
connections. Noise about 5G is incessant and triumphant, a constant
drumbeat of predictions crowing about the arrival any day now of seemingly
costless, ubiquitous, instantaneous, unlimited connectivity. The promises
are as lofty as those made for cold fusion. But the science behind that
"breakthrough" turned out to be a bust. Likewise, the "5G" story is far
more complex, calculated, and contingent than anyone in the carriers' PR
departments wants you to know.
------------------------------
Date: Wed, 10 Aug 2016 09:47:54 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: U.S. broadband: Still no ISP choice for many, especially at higher
speeds
http://arstechnica.com/information-technology/2016/08/us-broadband-still-no-isp-choice-for-many-especially-at-higher-speeds/
The latest Federal Communications Commission statistics show that
Americans still have little choice of high-speed broadband providers. On
the surface, the numbers appear to show that the broadband market has
gotten slightly less competitive since 2013. But what has really happened
is the FCC is collecting more granular data that better illustrates the
lack of choice for most Americans. Things are probably getting a little
better as providers boost speeds and new entrants like Google Fiber and
municipal ISPs offer service. But the FCC's improved statistical analysis
shows how far there is to go.
------------------------------
Date: Mon, 8 Aug 2016 12:14:55 -0400 (EDT)
From: "ACM TechNews" <technews-editor@acm.org>
Subject: Encryption's Quantum Leap: The Race to Stop the Hackers of Tomorrow
(Steve Ranger)
Steve Ranger, ZDNet, 2 Aug 2016 via ACM TechNews, Monday, August 8, 2016
Researchers are looking into the construction of new quantum-proof
cryptography in order to thwart quantum-based schemes that future hackers
could potentially use to crack sensitive data. "If large-scale quantum
computers are ever built, they will be able to break many of the public-key
cryptosystems currently in use," warns the U.S. National Institute of
Standards and Technology (NIST). "This would seriously compromise the
confidentiality and integrity of digital communications on the Internet and
elsewhere." NIST is requesting comments on a new process to find and assess
public-key cryptographic algorithms that quantum computers cannot decrypt.
NIST's goal is to create systems that are resistant to both quantum and
classical computers, as well as interoperable with existing communications
protocols and networks. The agency is investigating preliminary evaluation
criteria for quantum-resistant public-key cryptography standards, which is
slated for finalization by year's end. NIST then will start accepting
proposals for such encryption, digital signatures, and key exchange
algorithms, with a deadline in late 2017, followed by three to five years of
public scrutiny before their acceptance as standards.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-10d12x2f8d0x073912&
------------------------------
Date: Wed, 10 Aug 2016 09:58:37 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Samsung is all talk, no fix after researcher finds Pay flaw"
Zack Whittaker for Zero Day, How secure is "secure enough"?, ZDNet, 9 Aug 2016
http://www.zdnet.com/article/all-talk-little-action-samsung-shows-how-not-to-do-security/
selected text:
In security, how a company responds to a potential flaw matters. Samsung
may learn that lesson as it dueled on social media after a researcher
revealed a flaw in Samsung Pay. Or as one security researcher told me this
afternoon, "it's a pity that Samsung's going for security-by-public-denial."
------------------------------
Date: Mon, 8 Aug 2016 18:15:21 +0200
From: Werner U <werneru@gmail.com>
Subject: New Nigerian Fraud Scheme Revealed -- by Self-Infection
(IEEE Spectrum via SlashDot)
<https://yro.slashdot.org/story/16/08/06/1634220/nigerian-scammers-infect-themselves-with-own-malware-reveal-new-fraud-scheme>
"A pair of security researchers recently uncovered a Nigerian scammer ring
that they say operates a new kind of attack...after a few of its members
accidentally infected themselves with their own malware," reports IEEE
Spectrum. "Over the past several months, they've watched from a virtual
front-row seat as members used this technique to steal hundreds of thousands
of dollars from small and medium-sized businesses worldwide." Wave723
writes:
> Nigerian scammers are becoming more sophisticated, moving on from former
> 'spoofing' attacks in which they impersonated a CEO's email from an
> external account. Now, they've begun to infiltrate employee email
> accounts to monitor financial transactions and slip in their own routing
> and account info...The researchers estimate this particular ring of
> criminals earns about US $3 million from the scheme.
After they infected their own system, the scammers' malware uploaded
screenshots and all of their keystrokes to an open web database, including
their training sessions for future scammers and the re-routing of a $400,000
payment. Yet the scammers actually "appear to be 'family men' in their late
20s to 40s who are well-respected, church-going figures in their
communities," according to the article. SecureWorks malware researcher Joe
Stewart says the scammers are "increasing the economic potential of the
region they're living in by doing this, and I think they feel somewhat of a
duty to do this."
------------------------------
Date: Tue, 9 Aug 2016 07:16:49 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Facebook will bypass web adblockers, but offer ad targeting opt-outs
TechCrunch via NNSquad
https://techcrunch.com/2016/08/09/facebook-will-bypass-web-adblockers-but-offer-ad-targeting-opt-outs/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
Facebook is making the HTML of its web ads indistinguishable from organic
content so it can slip by adblockers. But in exchange for taking away this
option for controlling ads from people, it's allowing them to opt out of ad
targeting categories and Custom Audience customer lists uploaded by
advertisers. Today all desktop users will see an announcement atop the
News Feed explaining that while web adblockers may no longer work, they
can visit their Ad Preferences settings to block ads from particular
businesses.
It should be noted that Google has *long* offered detailed controls to users
over both local and third-party ad targeting, at:
https://www.google.com/settings/ads
------------------------------
Date: Thu, 11 Aug 2016 09:45:27 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Secure Boot proves insecurity of backdoors" (Fahmida Y. Rashid)
Fahmida Y. Rashid, InfoWorld, 11 Aug 2016
Microsoft's Secure Boot prevents unauthorized software from running
on Windows systems, but a leaked superpolicy bypasses those restrictions
http://www.infoworld.com/article/3106079/security/secure-boot-proves-insecurity-of-backdoors.html
selected text:
Microsoft's mistake with Secure Boot and its secret policy is a perfect
illustration of why it's too dangerous to create encryption systems with a
secure backdoor. Someone will inevitably make a mistake, and users are left
vulnerable while the company scrambles for a fix.
"This is a perfect real-world example about why your idea of backdooring
cryptosystems with a 'secure golden key' is very bad!" the researchers said
in a pointed message to the FBI.
[PGN notes other sources:]
http://appleinsider.com/articles/16/08/10/oops-microsoft-leaks-its-golden-key-unlocking-windows-secure-boot-and-exposing-the-danger-of-backdoors
http://arstechnica.co.uk/security/2016/08/microsoft-secure-boot-firmware-snafu-leaks-golden-key/
------------------------------
Date: Mon, 08 Aug 2016 09:55:39 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Microsoft's giving you just 10 days now, not 31, to change your mind
about Windows 10 (Mark Hachman)
Mark Hachman, Senior Editor, PCWorld, 5 Aug 2016
The new policy means that you have until August 12 to decide whether you
like Windows 10.
http://www.pcworld.com/article/3104919/windows/microsofts-giving-you-just-10-days-now-not-31-to-change-your-mind-about-windows-10.html
opening text:
Microsoft has hidden a new downgrade policy within the Windows 10
Anniversary Update: Once you've installed it, you'll only have 10 days to
downgrade to an earlier version or build, rather than the 31 days provided
before.
Historically, Microsoft had given users a full month to roll back any
updates, including upgrades to Windows 10. Supersite for Windows reported
this week, however, that it was unable to downgrade to an earlier build
after a 10-day limit had expired, though it wasn't exactly clear what builds
the limit applied to.
We asked Microsoft for clarification, and it boils down to this: Applying
the Anniversary Update triggers the new policy. According to Microsoft, it
doesn't matter whether you've upgraded to Windows 10 from Windows 8 or
Windows 7, or whether you simply updated your PC from an earlier version of
Windows 10. Once you've installed the Anniversary Update, you have 10 days
to back out, not 31, before the AU becomes "permanent."
"[T]his new 10-day behavior is for all upgrades and updates to the
Anniversary Update," the representative said in an email.
------------------------------
Date: Tue, 9 Aug 2016 21:03:31 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Microsoft researchers enable secure data exchange in the cloud
https://www.microsoft.com/en-us/research/microsoft-researchers-enable-secure-data-exchange-cloud/?tduid=(ab98ed1e001ac82e561d59468b39dda4)(256380)(2459594)(TnL5HPStwNw-9G8wAMniIj98.mEDeTS.3A)()
In the future, machine learning algorithms may examine our genomes to
determine our susceptibility to maladies such as heart disease and cancer.
Between now and then, computer scientists need to train the algorithms on
genetic data, bundles of which are increasingly stored encrypted and
secure in the cloud along with financial records, vacation photos and
other bits and bytes of digitized information. And there the data sits,
full of potential but ultimately of little use to anyone but its owner.
That's because encrypted data must first be decrypted before it can be
used. But decrypted data is vulnerable to malicious attacks, which
creates a tradeoff between data usability and security. New research from
Microsoft aims to unlock the full value of encrypted data by using the
cloud itself to perform secure data trades between multiple willing
parties in a way that provides users full control over how much
information the exchange reveals.
[Gnomes in the Genomes? PGN]
------------------------------
Date: Tue, 9 Aug 2016 08:18:23 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Once Taunted by Steve Jobs, Companies Are Now Big Customers of Apple
Corporations are turning to Apple's products for their tight-knit hardware and software, advanced security and intuitive interfaces.
http://www.nytimes.com/2016/08/08/technology/once-taunted-by-steve-jobs-companies-are-now-big-customers-of-apple.html
------------------------------
Date: Thu, 11 Aug 2016 9:33:19 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: "The Internet" vs "internet" and other sundry thoughts (Re: R 29 67)
I concede that my mini-editorial in RISKS-29.67 might have been a little
over the top. I have certainly overgeneralized with respect to the British
usage, for I know Brits and others who agree with me that coined-word
acronyms composed of proper nouns and proper names deserve initial caps.
However, let's see what we might agree upon. Here's my current thinking.
[Contributions of others are mostly indented. Square brackets surround my
interspersed annotations.]
Regarding "The Internet", there is a big difference between The Internet
specifically and any one of a variety of possibly less comprehensive
internet(works) of networks.
Regarding initial capitalization of proper nouns and proper names, Lauren
Weinstein observes the difference between "The U.S. Congress" and just plain
"congress". (However, perhaps we should refer to the former as the
U.S. congress, considering its "improper" recalcitrance as an impediment to
progress.)
Dictionary.com distinguishes among abbreviations (U.S.), acronyms (OPEC,
loran, snafu) that are pronounceable words, and initialisms (FBI, CIA) that
are not pronounceable. However, an *initialism* may actually become an
acronym when the word becomes part of the language. The difference lies in
how the literal string is pronounced (see below).
The word "acronym" seems to be defined in many different ways. Here's one
that is not quite right:
* From WordNet (r) 3.0 (2006):
acronym (n1):
a word formed from the initial letters of the several words in the name
* Dictionary.com has this definition of "initialism":
Initialism:
a set of initials representing a name, organization, or the like, with
each letter *pronounced separately*, as FBI for Federal Bureau of
Investigation.
There are various quirks here. Some acronyms use letters other than the
initial letters; also, it is not clear what constitutes a "name" or a "word"
-- and in what language. Also, "initials" usually refers specifically to
the first letters of names, as in PGN, which leaves a question of whether to
omit particles in multi-word complex names that are often lower-cased (von,
de la, prepositions, and so on).
Here are two self-defining acronyms:
ACRONYM -- Abbreviated Coded Rendition Of Name Yielding Meaning (acronym)
ACRONYM -- Abbreviation by CROping Names that Yield Meaning (acronym
if you ignore the "initial letter" restriction)
These are examples of "Backronyms" -- in that the expansion has been
constructed from the word, rather than the other way around.
Then there are the issues with upper-case versus lower-case, which began
here with "The Internet" as a proper name, and considered further below.
Dictionary.com gives the example of "Wac" for the Women's Army Corps, rather
than "WAC" (as an acronym). It would seem more logical that the case of a
letter in an acronym should reflect the case of each letter being
acronymized -- as in WAC, the "CRO" in ACRONYM above, or "DoD" for the
Department of Defense. Thus, "loran" and "snafu" seem natural as
all-lower-case acronyms because the expansion has all lower-case letters.
The same should be true of initialisms (e.g., DoD)! Gee whiz, it seems
"DoD" could be an abbreviation, an acronym if you confusedly pronounced it
as "dod", but certainly an initialism (D.o.D). Note that "US" would be an
acronym (although very confusing if pronounced "us" when it really refers to
those of *us* in the U.S., which is why we prefer "U.S."). It is also an
abbreviation -- but should never be lower-cased! In general, pronounceable
two-letter acronyms are terrible without the periods, but F.B.I. as an
initialism with periods would seem like overkill, because there is no
ambiguity with "FBI". Pronounceable three-letter acronyms (TLAs) that are
lower-cased and words with a completely different meaning would also seem to
be very bad. But the recursive acronym GNU is really lovely ("GNU is Not
Unix").
Delightfully, Jay Ashworth <jra@baylink.com> recalls the following
definition, probably from his high-school English: an acronym is
"something that has been adopted as a full-fledged word into the parent
language, which started life as an initialism." Maybe that's useful, but
not definitive -- as there seem to be some corner cases. Jay also offered
this pithy thought: "The confusion comes because unpronounceable
initialisms -- those which must be pronounced as their component letters
-- nearly never get promoted to actual acronym words."
All of this reminds me (noted in RISKS-29.67) of the difference between ACL
(access-control list, generally pronounced "ackle" but not a word) and RNG
(random-number generator, generally pronounced "R.N.G."). Thus ACL and RNG
are both acronyms (if you were to pronounce the latter as "orange"), whereas
RNG is *also* more widely thought of as an initialism. Thus, my pun about
"comparing ACLs and RNGs" is even more of a type mismatch than it might seem.
Furthermore, certain acronyms may also be considered to be initialisms
depending on how they are (mis)pronounced. Also, what about "gif" and "GIF"
for graphics interface format, pronounced as gif (respecting that the g in
graphics is hard, but nevertheless pronounceable) or jif (oddly, which
actually is a slang word), or G.I.F., according to your upbringing. Thus,
"gif" could be an acronym, or an initialism, or both!
Here's an example of how pronunciation might make a difference:
VERA, or V.E.R.A. -- Virtual Entity of Relevant Acronyms (a pronounceable
word/name as an acronym in some languages, or initialism, respectively)
Here are some further replies to my previous posting:
* Martyn Thomas <martyn@thomas-associates.co.uk> notes:
*Hart's Rules* has "Internet" as the preferred spelling.
I'd back OUP over AP as the arbiter.
* Peter Simpson <PSimpson@continuuminnovation.com>
My son learned this in the Army: an Acronym is a pronounceable sequence of
initial letters. e.g.: NASA, vs an "Initialism" -- which is not
pronounceable. e.g.: NFPA.
[The military is of course very dependent on acronyms and initialisms, and
perhaps *could not exist* without them. However, it is certainly curious
that I am devoting space in RISKS as a consequence of the dispute over "The
Internet" vs "the internet" (as opposed to the perfectly sensible "an
internet". PGN]
* "Richard S. Russell" <RichardSRussell@tds.net>
My own pet peeve about TLAs (three-letter abbreviations [actually
a three-letter acronym and three initialisms in the present context.
PGN]) involves redundancy [in the N, D, M, and P (albeit "plait" in
French) to be explicit. PGN]:
*PIN* number, *GED* diploma, *ATM* machine, and *please RSVP*
are all overkill -- which hasn't seemed to slow anybody down any.
* Richard Russell also added:
One additional trivium: The Bush/Cheney Administration had approved the
name Operation Iraqi Liberation for its 2003 invasion of Iraq until
someone pointed out what the acronym would be [OIL], whereupon it was
changed to Operation Iraqi Freedom [OIF, an initialism!].
* Stephen-Payne@deshaw.com :
I heartily agree that not capitalising acronyms is weird. It can stir up a
lot of emotion, not least of all, in myself.
Stephen suggested and heartily "recommends this book for when one's blood
doth boil over abuse of the written word":
Language Myths, Laurie Bauer (Editor), Peter Trudgill (Editor),
ISBN-13: 978-0140260236 ISBN-10: 0140260234
* "Wendy M. Grossman" <wendyg@pelicancrossing.net>
... I think ["the internet"] wrong, too. But as a freelance, I note that
just about every publication I write for wants "internet" and refusing to
observe house style makes more work for copy editors, and you just make
your work that bit less salable.
... But the reality if you are anyone writing for the media is that there
are bigger battles to fight over what gets published, and this is not one
worth fighting. Save it for when the AP style book comes up for review.
[Note: Wendy lives in England.]
* "Denning, Dorothy (CIV)" <dedennin@nps.edu>
I always write "the Internet," but for the fun of it, I googled (or should
I write "Googled"?) "define internet" (intentionally using lower case
"i"). The top returns (including Dictionary.com, Merriam-Webster, Oxford)
used *uppercase* "I," though Dictionary.com noted that "While the
uppercase form Internet may still be preferred in formal writing, the
lowercase form internet is regularly used in media, especially
technology-related publications, and in most informal writing such as
email and text messages."
* Peter Simpson <PSimpson@continuuminnovation.com>:
The Internet should always be capitalized...if only because of this episode
of The IT Crowd:
https://www.youtube.com/watch?v=xtke8aB0mxk
* "David Harley" <david.a.harley@gmail.com>:
Like U.S. publishing bodies in general, let alone the AP, even show
respect for British usage, let alone 'cave in' to it? And where did you
get your curious notion of what British usage is?
Strangely, despite having been a 'brit' for all of my 67 years, I agree
that 'the Internet' is not only grammatically but logically correct. Nor
can I find much love in my heart for the current trend towards lower-case
brand names, or 'downcasing' of acronyms and initialisms, while N.S.A. and
S.R.I. just look silly, as does Darpa. But why on earth are you blaming
the British for it? In nearly fifty years of authoring and editing, I've
had my share of battles with copy editors and copywriters who prioritized
someone's view of 'readability' over 'real' English, but I've never had a
publishing drone on either side of the Atlantic insist on nsa or nasa, let
alone any horrible hybrids. And certainly none of the UK newspapers and
magazines I read follow that usage. Perhaps I read the wrong periodicals
and books, though as far as I can see even the tabloids don't seem to go
this route...
As for Argentyne, there's an etymological justification for that
pronunciation (not to mention rulings by Merriam-Webster), though
personally I'd say Argentinian and restrict my use of argentine to its
archaic meaning. Hopefully you didn't mean to give the impression that we
spell it like that.
[* Jay Ashworth added this:
Concerning Argent'y'ne, it's worth noting that the demonym for a people is
actually a separate word from the name of their country, and is often
different -- sometimes wildly different -- and that's even before we get
to "which language are you saying it in?"]
* Continuing with David Harley's comments:
Perhaps I'm missing some subtle satirical point here, but from my side of
the Atlantic, this looks like irresponsible abuse of editorial privilege
to air a gratuitous anti-British rant based on misinformation. For a
minute there, I thought I was on Facebook.
Incidentally, my website <http://www.csl.sri.com/hyphen.html> has a rant on
hyphenation that began from noting the French word "email" and suggesting
that "e-mail" might be preferable for how you might be receiving RISKS,
because we have a slew of really ambiguous words when prefixed with an "e",
such as "I am e-numerate because I can enumerate." [Yes, I can equip you
with an e-quip.] (I clearly lost the battle on that rant.)
Indeed, as I said at the beginning of this message, I concede that my
mini-editorial in RISKS-29.67 was rather over the *top*. So I am running
this follow-up near the *bottom* of RISKS-29.68. Many thanks to all of you
who have responded. It was educational for me, at least, in trying to make
some sense out of all this. I hope this has not bored you -- it actually
seems better than just pedantic. However, if you wish, you may throw sundry
(sun-dry?) tomatoes at me. PGN
------------------------------
Date: Wed, 10 Aug 2016 09:05:33 +0200
From: Erling Kristiansen <erling.kristiansen@xs4all.nl>
Subject: Re: How to hack an election in seven minutes (Ben Wofford)
Several European countries have abandoned electronic voting in favor of
paper ballots exactly due to the concerns exposed in the article (and some
talk about Internet voting, but that's another story).
What's wrong with paper ballots, anyway? I see two *wrongs* (!):
* There is no profit to be made by tech companies supplying equipment.
* The media will be unhappy having to wait a few more hours for the results.
------------------------------
Date: Tue, 9 Aug 2016 12:30:08 -0500
From: Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Subject: Re: 8-inch floppies (Jacobson, RISKS-29.67)
One wonders how many North Korean Russian Iranian Chinese hackers even
know what a Series 1 is, much less how to hack into one.
------------------------------
Date: Tue, 10 May 2016 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> OFFICIAL ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html --> VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 29.68
************************