Risks Digest 30.33
From: RISKS List Owner <risko@csl.sri.com>
Date: Wed, 14 Jun 2017 22:08:52 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Wednesday 14 June 2017 Volume 30 : Issue 33
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.33>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Russian cyberhacks on the U.S. electoral system far wider than previously known (Michael Riley on Bloomberg)
"Supreme Court to look at mobile privacy. Uh-oh." (Evan Schuman)
Microsoft warns of 'destructive cyberattacks', issues new Windows XP patches (ZDNet)
Four Ways Your Location Is Being Tracked Everywhere You Go (MakeUseOf)
Hackers Hijacking Verified Accounts to Spread Fake News (Gizmodo)
Algo stock trading on "fake news"? (John Carney via Henry Baker)
WSJ ends Google users' free ride, then falls 44% in search results (Columbian)
Turks Click Away, but Wikipedia Is Gone (The New York Times)
The tech world is rallying around a young developer who made a huge embarrassing mistake (QZ)
Healthcare ransomware and how we can climb out of this mess (Kevin Fu)
Re: Software is forever (Arthur T.)
Precise Documentation (David Parnas via PGN)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 13 Jun 2017 15:05:02 -0700
From: Peter G. Neumann <neumann@csl.sri.com>
Subject: Russian cyberhacks on the U.S. electoral system far wider than previously known (Michael Riley on Bloomberg)
https://www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections
Russia's cyberattack on the U.S. electoral system before Donald Trump's
election was far more widespread than has been publicly revealed, including
incursions into voter databases and software systems in almost twice as many
states as previously reported.
In Illinois, investigators found evidence that cyber intruders tried to
delete or alter voter data. The hackers accessed software designed to be
used by poll workers on Election Day, and in at least one state accessed a
campaign finance database. Details of the wave of attacks, in the summer and
fall of 2016, were provided by three people with direct knowledge of the
U.S. investigation into the matter. In all, the Russian hackers hit systems
in a total of 39 states, one of them said.
The scope and sophistication so concerned Obama administration officials
that they took an unprecedented step -- complaining directly to Moscow over
a modern-day red phone. In October, two of the people said, the White House
contacted the Kremlin on the back channel to offer detailed documents of
what it said was Russia's role in election meddling and to warn that the
attacks risked setting off a broader conflict.
The new details, buttressed by a classified National Security Agency
document recently disclosed by the Intercept, show the scope of alleged
hacking that federal investigators are scrutinizing as they look into
whether Trump campaign officials may have colluded in the efforts. But they
also paint a worrisome picture for future elections: The newest portrayal of
potentially deep vulnerabilities in the U.S.'s patchwork of voting
technologies comes less than a week after former FBI Director James Comey
warned Congress that Moscow isn't done meddling. ``They're coming after
America. They will be back.''
Kremlin Denials
Russian officials have publicly denied any role in cyberattacks connected to
the U.S. elections, including a massive spear-phishing effort that
compromised Hillary Clinton's campaign and the Democratic National
Committee, among hundreds of other groups. President Vladimir Putin said in
recent comments to reporters that criminals inside the country could have
been involved without having been sanctioned by the Russian government.
[...]
[Truncated for RISKS. PGN]
------------------------------
Date: Tue, 13 Jun 2017 10:36:07 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Supreme Court to look at mobile privacy. Uh-oh." (Evan Schuman)
Evan Schuman, Computerworld, 13 Jun 2017
A criminal-case ruling favoring law enforcement would have implications for
companies facing civil complaints
http://www.computerworld.com/article/3200199/mobile-wireless/supreme-court-to-look-at-mobile-privacy-uh-oh.html
opening text:
Does the prospect of your company's worst enemies getting access to full
tracking information on your employees' mobile phones freak you out? If so,
you'll want to track something yourself: a case the U.S. Supreme Court just
agreed to consider.
Although the case involves criminal law and the question of whether police
need a court-issued search warrant for intimate mobile records, one former
federal prosecutor points out that the Court's ruling could open the door to
civil discovery and subpoena access. In other words, the ruling could make
such mobile data available to anyone who chooses to sue your company, for
any reason, whether the claim is legitimate or not.
------------------------------
Date: Tue, 13 Jun 2017 11:03:12 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Microsoft warns of 'destructive cyberattacks', issues new Windows XP patches (ZDNet)
via NNSquad
http://www.zdnet.com/article/microsoft-warns-of-destructive-cyberattacks-issues-new-windows-xp-patches/
Citing an "elevated risk for destructive cyberattacks," Microsoft today
released an assortment of security updates designed to block attacks
similar to those responsible for the devastating WannaCry/WannaCrypt
ransomware outbreak last month. Today's critical security updates are in
addition to the normal Patch Tuesday releases, Microsoft said. They'll be
delivered automatically through Windows Update to devices running
supported versions, including Windows 10, Windows 8.1, Windows 7, and
post-2008 Windows Server releases. But in an unprecedented move,
Microsoft announced that it was also making the patches available
simultaneously for manual download and installation on unsupported
versions, including Windows XP and Windows Server 2003. Both of those
operating systems are still deployed by significant numbers of business
customers years after their official support lifecycles ended.
------------------------------
Date: Tue, 13 Jun 2017 19:06:11 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Four Ways Your Location Is Being Tracked Everywhere You Go
These days, it's common knowledge that your phone and computer are tracking
your location. Most people don't appear to care. They think the benefits of
location tracking outweigh the security and privacy implications.
You can make the argument they're right. Services such as Cortana and Google
Search are not as powerful if they can't monitor your movements. However,
you might be less aware of other ways some companies are tracking your
location. Often, they use underhand tactics and collate information without
you knowing. They are tracking you purely for self-interest.
Here are a few ways you probably don't realize your whereabouts are being
tracked.
http://www.makeuseof.com/tag/location-tracking/
------------------------------
Date: Sun, 11 Jun 2017 10:13:45 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Hackers Hijacking Verified Accounts to Spread Fake News (Gizmodo)
NNSquad
http://gizmodo.com/hackers-hijacking-verified-accounts-to-spread-fake-news-1795997941
https://www.accessnow.org/doubleswitch-attack/
Security research group Access Now has discovered a clever attack being
used against influential social media users as a means of disseminating
fake news. The "Doubleswitch" not only involves hijacking verified
accounts but makes it extremely difficult for the legitimate owner to
regain control of their handle.
------------------------------
Date: Wed, 14 Jun 2017 07:12:38 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Algo stock trading on "fake news"?
Lemme see.
Computer algorithms read company SEC reports, company press releases, etc.,
and automatically generate "human"-readable news stories. Other computer
algorithms read company SEC reports, twitter feeds, company press releases,
and "human-readable" news stories and -- before any human interaction --
near-instantaneously execute trades on various exchanges as a result. If
some news story really is "news" -- i.e., it contains new information that
could affect the price of one or more stocks -- then whichever algorithmic
trader can process it fastest and place trades earliest can reap enormous
rewards.
What could possibly go wrong?
"A lie can travel halfway round the world while the truth is putting on its
shoes." -- attributed to Mark Twain
"Buy the rumor, sell the news"
If someone can manufacture a fake news story and get it onto some social
media -- e.g., Twitter -- these "AI" traders will have traded tens of
millions of dollars worth of stock on this fake information during the
milliseconds, seconds, minutes or hours it will take for the truth to catch
up.
What are the chances that this sort of thing is going on right now? What
are the chances that some measurable fraction of the trading volume is
generated in this manner?
To cheat is human; to commit major fraud requires a fast computer. --
apologies to Bill Vaughan
http://www.cnbc.com/2017/06/13/death-of-the-human-investor-just-10-percent-of-trading-is-regular-stock-picking-jpmorgan-estimates.html
Just 10% of trading is regular stock picking, JPMorgan estimates
'Quantitative investing based on computer formulas and trading by machines
directly are leaving the traditional stock picker in the dust and now
dominating the equity markets, according to a new report from JPMorgan.'
'Kolanovic [global head of quantitative and derivatives research at
JPMorgan] estimates "fundamental discretionary traders" account for only
about 10 percent of trading volume in stocks. Passive and quantitative
investing accounts for about 60 percent, more than double the share a decade
ago, he said.'
'A subset of quantitative trading known as high-frequency trading accounted
for 52 percent of May's average daily trading volume of about 6.73 billion
shares, Tabb said. During the peak levels of high-frequency trading in
2009, about 61 percent of 9.8 billion of average daily shares traded were
executed by high-frequency traders.'
John Carney, CNBC, 23 Apr 2013
The Trading Robots Really Are Reading Twitter
http://www.cnbc.com/id/100666302
Let's call it the Twitter Skitter.
When the market briefly skidded after a hacked AP Twitter account reported
explosions at the White House, we saw the first real-time demonstration of
robo-trading riding on the back of social media.
The plunge in the market was so quick that it obviously was not the result
of individuals reading the phony news and deciding what action to take.
Computers were making the trades -- or, more precisely, ending the trades. ...
The Twitter data stream has been available to high frequency traders since
at least 2009.
https://en.wikipedia.org/wiki/Algorithmic_trading
'"Computers are now being used to generate news stories about company
earnings results or economic statistics as they are released. And this
almost instantaneous information forms a direct feed into other computers
which trade on the news."'
'"Increasingly, people are looking at all forms of news and building their
own indicators around it in a semi-structured way," as they constantly seek
out new trading advantages said Rob Passarella, global director of strategy
at Dow Jones Enterprise Media Group. His firm provides both a low latency
news feed and news analytics for traders. Passarella also pointed to new
academic research being conducted on the degree to which frequent Google
searches on various stocks can serve as trading indicators, the potential
impact of various phrases and words that may appear in Securities and
Exchange Commission statements and the latest wave of online communities
devoted to stock trading topics.'
------------------------------
Date: Wed, 14 Jun 2017 09:53:38 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: WSJ ends Google users' free ride, then falls 44% in search results (Columbian)
http://www.columbian.com/news/2017/jun/11/wsj-ends-google-users-free-ride-then-falls-44-in-search-results/
After blocking Google users from reading free articles in February, the
Wall Street Journal's subscription business soared, with a fourfold
increase in the rate of visitors converting into paying customers. But
there was a trade-off: Traffic from Google plummeted 44 percent. The
reason: Google search results are based on an algorithm that scans the
Internet for free content. After the Journal's free articles went behind a
paywall, Google's bot only saw the first few paragraphs and started
ranking them lower, limiting the Journal's viewership. Executives at the
Journal, owned by Rupert Murdoch's News Corp., argue that Google's policy
is unfairly punishing them for trying to attract more digital
subscribers. They want Google to treat their articles equally in search
rankings, despite being behind a paywall.
The ranking change is exactly what should have happened. A paywalled
article is less useful to the average Google search user than a free
article, so it's completely reasonable that this differential is
reflected in search results rankings. Sorry, WSJ, I'm playing the
world's tiniest violin for you.
------------------------------
Date: Sat, 10 Jun 2017 16:50:24 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Turks Click Away, but Wikipedia Is Gone (The New York Times)
NNSquad
https://www.nytimes.com/2017/06/10/world/europe/turkey-wikipedia-ban-recep-tayyip-erdogan.html?partner=rss&emc=rss
But beyond the problems it has created for the curious, Turkey's Wikipedia
ban is a reminder of something darker, government critics say: a wholesale
crackdown on free expression and access to information, amid wider
oppression of most forms of opposition. Wikipedia is just one of 127,000
websites blocked in Turkey, estimated Professor Akdeniz, who has led legal
challenges against the Wikipedia ban and other web restrictions. An
additional 95,000 pages, like social media accounts, blog posts and
articles, are blocked on websites that are not otherwise restricted,
Mr. Akdeniz said. Some of these sites are pornographic. But many contain
information and reporting that the government finds embarrassing. Sendika,
an independent news outlet, is now on the 45th iteration of its website.
The previous 44 were blocked.
------------------------------
Date: Sun, 11 Jun 2017 12:29:15 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The tech world is rallying around a young developer who made a huge embarrassing mistake
``How screwed am I?'' asked a recent user on Reddit, before sharing a
mortifying story. On the first day as a junior software developer at a
first salaried job out of college, his or her copy-and-paste error
inadvertently erased all data from the company's production database.
https://qz.com/999495/the-tech-world-is-rallying-around-a-young-developer-who-made-a-huge-embarrassing-mistake/
[Even more embarrassing for the company if there were no backups! PGN]
------------------------------
Date: Mon, 12 Jun 2017 15:39:52 -0400
From: Kevin Fu <kevinfu@umich.edu>
Subject: Healthcare ransomware and how we can climb out of this mess
Prof. Thimbleby and I shared our thoughts on how hospitals can climb out of
the ransomware mess. Ransomware is just a symptom. Resolve the key root
causes within the healthcare delivery supply chain: manufacturing,
procurement, regulation, training, and governance.
http://www.healthcareitnews.com/blog/ransomware%E2%80%A8-how-we-can-climb-out-mess
Kevin Fu, Associate Professor, EECS Department, The University of Michigan
kevinfu@umich.edu web.eecs.umich.edu/~kevinfu/ Twitter @DrKevinFu
------------------------------
Date: Sun, 11 Jun 2017 01:34:21 -0400
From: "Arthur T." <Risks201706.10.atsjbt@xoxy.net>
Subject: Re: Software is forever (Paul Edwards, Risks 30.32)
> It's scary how many applications will not work on anything more modern
> than Windows XP, or rely on appallingly out-of-date and deprecated
> versions of Java.
The problem is not the application software.
There are programs written, compiled, and linked in the 1960s which can
still be run on the most modern of IBM's mainframes with the most current
operating system and program products installed.
The problem is that, unlike IBM mainframes, operating systems and important
products for PCs are not upwards compatible. This problem is not limited to
Windows. I find the fact that some programs required "appallingly
out-of-date" versions of Java to be a condemnation of current versions of
Java.
------------------------------
Date: Mon, 12 Jun 2017 10:57:26 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Precise Documentation (David Parnas)
[Dave Parnas has long been an advocate of better software. This article
makes a strong case for the role of precise documentation in trying to
attain better software. I consider this mandatory reading for designers
and implementers. PGN]
David L. Parnas, Precise Documentation: The Key to Better Software, in
*The Future of Software Engineering*, S. Nanz, (ed), Springer Berlin
Heidelberg, 2010, pp. 125--148,
DOI: 10.1007/978-3-642-15187-3_8
ISBN 978-3-642-15186-6 (Print)
ISBN 978-3-642-15187-3 (Online)
Abstract. The prime cause of the sorry `state of the art' in software
development is our failure to produce good design documentation. Poor
documentation is the cause of many errors and reduces efficiency in every
phase of a software product's development and use. Most software developers
believe that `documentation' refers to a collection of wordy, unstructured,
introductory descriptions, thousands of pages that nobody wanted to write
and nobody trusts. In contrast, Engineers in more traditional disciplines
think of precise blueprints, circuit diagrams, and mathematical
specifications of component properties. Software developers do not know how
to produce precise documents for software. Software developers also think
that documentation is something written after the software has been
developed. In other fields of Engineering much of the documentation is
written before and during the development. It represents forethought not
afterthought. Among the benefits of better documentation would be: easier
reuse of old designs, better communication about requirements, more useful
design reviews, easier integration of separately written modules, more
effective code inspection, more effective testing, and more efficient
corrections and improvements. This paper explains how to produce and use
precise software documentation and illustrates the methods with several
examples.
Here's another useful reference as well:
Carl Landwehr, J. Ludewig, R. Meersman, D.L. Parnas, P. Shoval, Y. Wand,
D. Weiss, and E. Weyuker, Software Systems Engineering programmes: a
capability approach, in Journal of Systems and Software, Vol. 125, March
2017, pp. 354--364, Article: JSS9898.
DOI: 10.1016/j.jss.2016.12.016
------------------------------
Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.33
************************