Risks Digest 30.21
From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 1 Apr 2017 10:26:04 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Saturday 1 April 2017 Volume 30 : Issue 21
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.21>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
News break (PGN)
US Congress rapes privacy, they are next (Misha Collins via Alister Wm Macintyre)
Internet Noise, on purpose (Dan Schultz via Al Mac)
Volkswagen's Emissions Fraud May Affect Mortality Rate in Europe (The New York Times)
NASA fireworks a damp squib? (David Damerell)
Re: NASA Fireworks (Kurt Seifried, Harlan Rosenthal)
Re: Risks from falsified Data (Robert P. Schaefer)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 1 Apr 2017 10:01:05 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: News break
The only news on this April Fool's day seems to be that there is no longer
any Fake News. All previous allegedly Fake News has now evidently been
declared to be genuine. This will greatly simplify fact checking.
This issue of RISKS is apparently the first one in recent history on this
particular day of the year that has no Intentionally Very Fake News.
------------------------------
Date: Thu, 30 Mar 2017 21:46:15 -0500
From: "Alister Wm Macintyre" <macwheel99@wowway.com>
Subject: US Congress rapes privacy, they are next
Misha Collins GoFundMe Campaign Aims To Purchase Congressional Browsing
History, 29 Mar 2017
The House of Representatives passed and agreed to the S.J.Res. 34 on March
28, 2017, just a scant five days after the measure passed in the Senate.
The joint resolution repeals privacy protections put into place by the
Obama administration and effectively makes it okay for Internet service
providers (ISPs) such as Verizon, Comcast, and Time Warner to collect and
sell their customers' personal browsing data.
In response, Supernatural star Misha Collins has started a GoFundMe
campaign aimed at raising enough money to purchase the personal browsing
data of all of the congressmen and women who voted in favor of the
bill. Misha started the fund right after the resolution was passed and it
has gained a huge amount of traction on social media. According to the
first update, Misha wrote the following as the goal for the fundraiser.
"Congress recently voted to strip Americans of their privacy rights by
voting for SJR34, a resolution that allows Internet Service Providers to
collect, and sell your sensitive data without your consent or knowledge.
Since Congress has made our privacy a commodity, let's band together to
buy THEIR privacy.
"This GoFundMe will pay to purchase the data of Donald Trump and every
Congressperson who voted for SJR34, and to make it publicly available.
"Game on, Congress"
"PS: No, we won't "doxx" people. We will not share information that will
impact the safety & security of their families (such as personal
addresses). However, all other details are fair game. It says so right in
the resolution that they voted to approve."
https://www.gofundme.com/BuyCongressData
http://www.inquisitr.com/4102308/misha-collins-gofundme-campaign-aims-to-purchase-congressional-browsing-history/
I predict the politicians will react to this by passing amendments:
* Privacy rules which apply only to the elected leaders, their top staff,
and the families of these people, also police, judges, military, and a few
other classes of government workers, like people working at NSA/CIA/FBI
etc., but continue the no privacy for the rest of the citizenry.
* Then maybe need a better way to identify exempted individuals, such as
granting judges the right to authorize privacy for victims of domestic
abuse, and people in the Witness Protection.
Journalists may have archived all info on the exempted classes, before my
first predicted amendment goes into action, so the politicians may need some
other law to demand that people who copied such info, delete it. Good luck
enforcing that. I predict the ISPs will make a fortune selling such info to
our foreign adversaries, such as North Korea, Iran, Russia. In the near
future we will see lists of bad stuff done by Congressmen & women, such as
pornography sites, then for each bad thing, a list of which of those in
Congress indulge in that.
Remember that after a future election that gives more power to Democrats,
this can be undone.
The Verge argues that even though Republicans rolled back Obama privacy
protections, other earlier laws have not yet been reversed, making this
project impractical.
http://www.theverge.com/2017/3/29/15115382/buy-congress-web-history-gop-fake-internet-privacy
------------------------------
Date: Fri, 31 Mar 2017 01:54:11 -0500
From: "Alister Wm Macintyre" <macwheel99@wowway.com>
Subject: Internet Noise, on purpose (Dan Schultz)
[US Congress has authorized ISPs to snoop into our browsing history, then
sell that to advertisers & other 3rd parties without our knowledge or
consent.
Here is how to feed them garbage, and use other techniques to thwart or
mitigate surveillance against you.
I hope this garbage does not include any sites of interest to law
enforcement to go after users of those sites. AWM]
https://slifty.github.io/internet_noise/index.html
https://twitter.com/slifty?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor
https://iapp.org/news/a/internet-noise-website-helps-obscure-users-online-identity/
http://www.theverge.com/2017/3/30/15127360/internet-noise-browsing-tool-advertising-isp
[WIRED has an article about this, which it won't let me access, unless I
first turn off my ad blocker.]
[I need to rethink "noise-signal" ratio, now that noise is a good thing.]
Here is prior history of Internet noise:
https://www.youtube.com/watch?v=gsNaR6FRuO0
https://en.wikipedia.org/wiki/Internet_background_noise
------------------------------
Date: Fri, 31 Mar 2017 02:07:14 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Volkswagen's Emissions Fraud May Affect Mortality Rate in Europe
[Old item, not previously noted in RISKS. PGN]
http://www.nytimes.com/2017/03/06/science/volkswagen-emissions-scandal-air-pollution-deaths.html
Software that allowed the auto manufacturer to skirt environmental rules
could lead to 1,200 deaths because of excess air pollution, researchers
said.
------------------------------
Date: Thu, 30 Mar 2017 21:39:34 +0100
From: David Damerell <damerell@chiark.greenend.org.uk>
Subject: NASA fireworks a damp squib?
> Iowa Senator Chuck Grassley reported, in 2007, that $ 1.9 billion in
> hardware was stolen, thanks to hackers into NASA.
Well, no. Grassley reported that $1.9 billion in *data* was stolen, and
mentions (dismissively), the entirely sensible objection that the data was
not stolen when it was copied without permission since NASA still had the
data afterward.
One also wonders how this value was placed upon it; RISKS readers will be
familiar with the process whereby the net cost of unauthorised copying
mysteriously inflates until it threatens to exceed the world's total GDP.
------------------------------
Date: Thu, 30 Mar 2017 13:29:12 -0600
From: Kurt Seifried <kurt@seifried.org>
Subject: Re: NASA Fireworks (RISKS-30.20)
Er wot now? My first thought was "how do you physically steal that much
stuff, 1.9 billion is a huge amount of equipment." Luckily it wasn't
hardware, the URL cited says:
"One such investigation concerned the theft of approximately $1.9
billion-worth of International Traffic in Arms Regulations data."
To wit, the NASA guy argued: "Mr. Cobb dismissed worries over the theft of
this data because, in his view, the data wasn't "stolen," since NASA was
still technically in possession of the accessed information."
I'd also be very curious to know how they arrived at this $1.9 billion price
tag for this data. Maybe they meant ITAR data regarding $1.9 billion in
hardware? The whole thing makes very little sense once you start looking
into it.
------------------------------
Date: Thu, 30 Mar 2017 13:58:57 -0500 (CDT)
From: Harlan Rosenthal <harlan.rosenthal@verizon.net>
Subject: Re: Risks from falsified Data (RISKS-30.20)
Are we counting:
* The Pentium floating-point bug?
* The Excel bugs?
* Compiler bugs (often activated by optimization)
------------------------------
Date: Fri, 31 Mar 2017 12:55:46 +0000
From: "Robert P. Schaefer" <rps@mit.edu>
Subject: Re: Risks from falsified Data (BBC, RISKS-30.20)
"There is an interesting article on the BBC website at that discusses an
alternative and much more subtle version of Malware. This involves
infiltrating systems and making changes to data which while being too small
to notice immediately result in system failure."
If you consider data to be the same as code and code to be the same as data,
then adding subtle malware is well known among nation states:
"the United States added a Trojan horse to gas pipeline control software
that the Soviet Union obtained from a company in Canada."
https://en.wikipedia.org/wiki/Trojan_horse_(computing)
https://en.wikipedia.org/wiki/At_the_Abyss
And of course more recently, Stuxnet:
https://en.wikipedia.org/wiki/Stuxnet
------------------------------
Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.21
************************