Risks Digest 30.04
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 20 Dec 2016 14:53:30 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Tuesday 20 December 2016 Volume 30 : Issue 04
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.04>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
U.S. House Encryption Working Group report (PGN)
Project Wycheproof -- Crypto Check Libraries (Google)
Russian Hackers Stole Millions a Day With Bots and Fake Sites (Vindu Goel)
UK Police must be given power to shut websites (The Standard via
Chris Drewe)
Rail Crossing Warnings Are Sought for Mapping Apps (The New York Times)
California DMV Calls Uber's San Francisco Self-Driving Cars Illegal
(Bloomberg)
The states of texting and driving in the U.S. (Ars Technica)
Inside LeakedSource and Its Database of Hacked Accounts (WiReD)
Integrity and correctness of Internet information (sur-behoffski)
Re: SHAME ON YOU, GOOGLE! (Martin Ward)
Re: U.S. feds cyberattack U.S. states (Dick Mills)
Re: Audi Cars Now Talk To Stop Lights In Vegas (Anthony Youngman)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 20 Dec 2016 13:40:49 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: U.S. House Encryption Working Group report
The U.S. House Judiciary Committee and House Energy and Commerce Committee
Encryption Working Group has released its Year-End Report. It makes four
specific observations:
1. Any measure that weakens encryption works against the national interest.
2. Encryption technology is a global technology that is widely and
increasingly available around the world.
3. The variety of stakeholders, technologies, and other factors create
different and divergent challenges with respect to encryption and the
``going dark'' phenomenon, and therefore there is no one-size-fits-all
solution to the encryption challenge.
4. Congress should foster cooperation between the law enforcement community
and technology companies.
https://judiciary.house.gov/wp-content/uploads/2016/12/20161220EWGFINALReport.pdf
These observations are pithy and relevant to other nations as well. The
Keys Under Doormats report (RISKS-28.75) appears to have had considerable
influence on the committee, and is cited on the first text page of their
report.
[Reminder: The subsequent published version of that report is available
online: Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh,
Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau,
Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier,
Michael Specter, Daniel J. Weitzner, Keys Under Doormats: Mandating
Insecurity by Requiring Government Access to All Data and Communications,
published in the Journal of Cybersecurity, vol 1 no 1, Oxford University
Press, 17 November 2015.
http://www.cybersecurity.oxfordjournals.org/content/1/1/69
The authors received the 2016 Pioneer Award (given annually by the
Electronic Freedom Foundation) for the paper.]
------------------------------
Date: Mon, 19 Dec 2016 19:17:09 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Project Wycheproof -- Crypto Check Libraries (Google)
GoogleBlog via NNSquad
https://security.googleblog.com/2016/12/project-wycheproof.html
We're excited to announce the release of Project Wycheproof, a set of
security tests that check cryptographic software libraries for known
weaknesses. We've developed over 80 test cases which have uncovered more
than 40 security bugs (some tests or bugs are not open sourced today, as
they are being fixed by vendors). For example, we found that we could
recover the private key of widely-used DSA and ECDHC implementations. We
also provide ready-to-use tools to check Java Cryptography Architecture
providers such as Bouncy Castle and the default providers in OpenJDK.
------------------------------
Date: Tue, 20 Dec 2016 12:56:52 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Russian Hackers Stole Millions a Day With Bots and Fake Sites
(Vindu Goel)
Vindu Goel, *The New York Times*, via NNSquad
http://mobile.nytimes.com/2016/12/20/technology/forgers-use-fake-web-users-to-steal-real-ad-revenue.html
In a twist on the peddling of fake news to real people, researchers say
that a Russian cyberforgery ring has created more than half a million fake
Internet users and 250,000 fake websites to trick advertisers into
collectively paying as much as $5 million a day for video ads that are
never watched. The fraud, which began in September and is still going on,
represents a new level of sophistication among criminals who seek to
profit by using bots -- computer programs that pretend to be people -- to
cheat advertisers.
------------------------------
Date: Tue, 20 Dec 2016 21:36:04 +0000
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: UK Police must be given power to shut websites (The Standard)
Item in London UK *The Standard* newspaper, 16 Dec 2016
http://www.standard.co.uk/news/crime/police-must-be-given-power-to-shut-websites-in-child-abuse-and-revenge-porn-fight-a3422131.html
Police need new powers to shut websites and curb access to social media to
fight the threat of child abuse and revenge porn attacks, a chief constable
said today. Stephen Kavanagh, the National Police Chiefs Council lead on
digital crime, said officers should also be ready to push the boundaries of
the law and sometimes go beyond what the regulations or courts accept to
protect the public from Internet offending. Mr Kavanagh said he was deeply
concerned at the scale of the problem and felt the privacy lobby had been
allowed to dominate discussions for too long at the expense of public
safety. He insisted that a tougher law enforcement response, including
updated legislation, was needed.
The Internet is a hugely witty broad set of opinions but that should
not be blurred with the ability to buy drugs or guns, harass, share
imagery without consent or, worse, engage in the industrialising of
child abuse imagery.
On powers to access Internet communications, Mr Kavanagh said critics were
wrong to label the legislation a Snoopers Charter and insisted existing
rules contained some of the best regulation of police intrusive powers in
the world. He said, however, that officers should be prepared to risk
occasionally stepping beyond the limits of the law and added: "Police tend to
be too cautious about how they can use those powers to protect the public."
Um... what about sites outside the UK?
------------------------------
Date: Tue, 20 Dec 2016 07:43:06 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Rail Crossing Warnings Are Sought for Mapping Apps
http://www.nytimes.com/2016/12/19/technology/google-digital-maps-railroad-crossings-ntsb.html
The National Transportation Safety Board asked tech companies to add the
locations of grade crossings into digital maps and to provide alerts for
drivers.
------------------------------
Date: Tue, 20 Dec 2016 08:58:15 -0500
From: Monty Solomon <monty@roscom.com>
Subject: California DMV Calls Uber's San Francisco Self-Driving Cars Illegal
https://www.bloomberg.com/news/articles/2016-12-15/california-dmv-calls-uber-s-san-francisco-self-driving-cars-illegal
------------------------------
Date: Mon, 19 Dec 2016 08:54:28 -0500
From: Monty Solomon <monty@roscom.com>
Subject: The states of texting and driving in the U.S. (Ars Technica)
http://arstechnica.com/cars/2016/12/the-states-of-texting-and-driving-in-the-us/
------------------------------
Date: Tue, 20 Dec 2016 10:04:38 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Inside LeakedSource and Its Database of Hacked Accounts (WiReD)
https://www.wired.com/2016/12/inside-leakedsource-database-3-billion-hacked-accounts/
------------------------------
Date: Wed, 21 Dec 2016 06:22:13 +1030
From: sur-behoffski <sur_behoffski@grouse.com.au>
Subject: Integrity and correctness of Internet information
Here's the advice I give to people relating to interacting with Internet
resources:
"There's lots of information on the Internet. Some of it's even true!"
------------------------------
Date: Tue, 20 Dec 2016 13:21:05 +0000
From: Martin Ward <martin@gkc.org.uk>
Subject: Re: SHAME ON YOU, GOOGLE! (Burton, RISKS-30.03)
> Either that or we all sit down and write competing web pages ...
If many people do this, then these hundreds of pages will all end up off the
top page of results since they will "split the vote".
To "game" Google so that your preferred answer to a question becomes the top
hit, you need to select *one* page with that answer and get as many people
as possible to link to that page.
Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
------------------------------
Date: Tue, 20 Dec 2016 13:29:57 -0500
From: Dick Mills <dickandlibbymills@gmail.com>
Subject: Re: U.S. feds cyberattack U.S. states (Al Mac, RISKS-30.03)
> The U.S. state of Georgia traces 10 cyberattacks to U.S. federal agency DHS
> (Dept of Homeland Security).
It really gets dicey when this attribution is coupled with what is called
"active defense" or "hack back". That is when a hacking victim invades the
hacker's computers to investigate, or to deter, or to claw back stolen
information. Is hack-back a felony if the hacker is the US government?
What about when attribution goes to an enemy or allied foreign state?
I suspect that the reason that the US government seems so reluctant to
sanction foreign state hackers is that the US government is itself among the
world's biggest hackers. If we retaliate, we invite others to do the same to
us, and we are said to have the most to lose.
Apropos *The long history of the U.S. interfering with elections elsewhere*:
https://www.washingtonpost.com/news/worldviews/wp/2016/10/13/the-long-history-of-the-u-s-interfering-with-elections-elsewhere
------------------------------
Date: Tue, 20 Dec 2016 19:34:59 +0000
From: Anthony Youngman <antlists@youngman.org.uk>
Subject: Re: Audi Cars Now Talk To Stop Lights In Vegas (Bos, RISKS-30.03)
On 20/12/16 00:21, RISKS List Owner wrote:
> Of course, there are already drivers who turn off their engines at traffic
> lights.
And there are vehicles that automatically turn themselves off now ...
I've recently started driving an "ecotec" van, and when I stop at the lights
and engage neutral (as drivers should!) the engine will stop of its own
accord. Pushing the clutch down to engage gear triggers an automatic
restart. imho (as a user of this technology) this is not a problem, as a
properly functioning car (yes, I know ...) would restart without the
driver's active intervention.
------------------------------
Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.04
************************