[30980] in RISKS Forum
Risks Digest 30.37
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Fri Jul 14 22:25:06 2017
From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 14 Jul 2017 19:20:34 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Friday 14 July 2017 Volume 30 : Issue 37
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.37>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
DIY devices let car owners add autonomous features to vehicles
(Carolyn Said via PGN)
Kaspersky in the crosshairs (Engadget)
Requested voter details may be gold for cybercriminals (John Wildermuth)
On the request for states to provide all personal info on voters
(The Washington Post)
FTC Halts Operation That Unlawfully Shared and Sold Consumers' Sensitive
Data (FTC)
Two Former Employees of House Member Indicted On Federal Charges in
Cyberstalking Case (DoJ)
The White House just posted the emails of critics without censoring
sensitive personal information (Vox via Lauren Weinstein)
Beware of a new scam involving "relatives" and gift cards (CBS)
Computerization and overnight train service (Mark Brader)
Why fact-checking 'fake news' stories is a waste of time (WeForum)
Web gets built-in copy protection hooks with a few key flaws (Engadget)
"Charging Phone Kills 14-Year-Old Girl in Bathtub" (Harriet Sinclair)
Funny how these articles are all the same... (Gabe Goldberg)
Woman's selfie causes $200,000 of damage to LA art exhibit (Pamela Ng)
FDA Deal Would Relax Rules on Reporting Medical Device Problems
(The New York Times)
Judges refuse to order fix for court software that put people in
jail by mistake (Ars Technica)
Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts
(UpGuard)
Backdoor built in to widely used tax app seeded last week's
NotPetya outbreak (Ars Technica)
Hackers have been stealing credit card numbers from Trump's hotels for
months (The Washington Post)
Everybody lies: how Google search reveals our darkest secrets (The Guardian)
Re: Volvo admits its self-driving cars are confused by kangaroos
(Dave Horsfall)
Re: Western tech firms bow to Russian demands to share cybersecrets
(Anthony Youngman)
Press kits or other publications on thumb drives? (Gabe Goldberg)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 12 Jul 2017 16:33:21 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: DIY devices let car owners add autonomous features to vehicles
Carolyn Said, San Francisco Chronicle, Business Report, C1, 7 Jul 2017
(PGN-ed)
The original goal of some developers was to provide kits to enable owners to
retrofit conventional cars to be self-driving. The article mentions Panda,
OpenPilot, Chffr, Cabana, Comma, Neodriven, and more. ``The adaptive
cruise-control from Honda Sensing is almost embarrassing in bumper-to-bumper
traffic; it drives just like a 16-year-old just learning.'' Fascinating
article, but lacking in assurance that nothing bad is likely to happen.
Risks (totally unmentioned, and often left to the imagination of RISKS
readers) might include (for example),
* Tinkering with (enhancing) the kits
* Disabling kit-provided safety features, intentionally or unintentionally?
* Providing new or augmented kits that can alter the hardware and software
of off-the-shelf kit-based hand-tinkered conventional cars, or in emerging
self-driving cars
* Disrupting surrounding vehicles (e.g., passing in heavy traffic, or
jamming communications of neighboring vehicles), circumventing rules and
regulations, and lots more.
------------------------------
Date: Fri, 14 Jul 2017 15:25:05 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Kaspersky in the crosshairs (Engadget)
via NNSquad
https://www.engadget.com/2017/07/14/kaspersky-in-the-crosshairs/ Kaspersky
is in what you might call "a bit of a pickle." The Russian cybersecurity
firm, famous for its antivirus products and research reports on active
threat groups is facing mounting accusations of working with, or for, the
Russian government. These accusations have been made in press and infosec
gossip for years. In the past month there's been more scuttlebutt in the
press, an NSA probe surfaced, and the Senate got involved by pushing for a
product ban. This week things reached a peak with fresh accusations from
Bloomberg and a surprising attack from the Trump administration. Which is
odd, considering how eager the current regime is to please and grease the
wheels of its Russian counterparts. Either way, Kaspersky is really in a
tight spot this time. The hammer dropped Tuesday when Bloomberg published
Kaspersky Lab Has Been Working With Russian Intelligence. It comes from
the same reporters who started 2015's "banyagate," in which Kaspersky Lab
Has Close Ties to Russian Spies alleged CEO Eugene Kaspersky colluded with
Russian intel in secret sauna meetings.
------------------------------
Date: Fri, 7 Jul 2017 7:49:57 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Requested voter details may be gold for cybercriminals
(John Wildermuth)
John Wildermuth, *San Francisco Chronicle*, front page, 7 Jul 2017
The article caption tells it all for RISKS readers.
"Kobach could be setting up a one-stop shop of personal information that
would be a treasure trove not only for shady online entrepeneurs, but also
for identity thieves and criminal hackers."
------------------------------
Date: Mon, 10 Jul 2017 17:43:57 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: On the request for states to provide all personal info on voters
https://www.washingtonpost.com/local/public-safety/trump-voting-panel-tells-states-to-hold-off-sending-data-while-court-weighs-privacy-impact/2017/07/10/c4c837fa-6597-11e7-a1d7-9a32c91c6f40_story.html
Trump voting panel tells states to hold off sending data while court weighs
privacy impact
President Trump's voting commission on Monday asked states and the District
to hold off submitting the sweeping voter data the panel had requested until
a federal judge in Washington decides whether the White House has done
enough to protect Americans' privacy.
The Electronic Privacy Information Center (EPIC), a watchdog group, has
asked U.S. District Judge Colleen Kollar-Kotelly to block the commission's
data request, arguing that the panel had not conducted the full privacy
impact statement required by federal law for new government electronic
data-collection systems.
Separately Monday, two civil liberties groups filed lawsuits to prevent the
commission from holding its first scheduled meeting next week, alleging that
the panel had been working in secret and in violation of government
regulations on public transparency.
The two new lawsuits add to the potential roadblocks faced by the
commission, whose request for voting information from more than 150 million
registered voters has drawn bipartisan criticism across the states as an
assault on privacy and states' rights and a stealth attempt at voter
suppression. [...]
------------------------------
Date: Fri, 7 Jul 2017 10:29:26 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FTC Halts Operation That Unlawfully Shared and Sold Consumers'
Sensitive Data (FTC)
Lead generation firm earned millions by falsely promising to match consumers
with low-rate loans
https://www.ftc.gov/news-events/press-releases/2017/07/ftc-halts-operation-unlawfully-shared-sold-consumers-sensitive
------------------------------
Date: Thu, 13 Jul 2017 20:31:36 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Two Former Employees of House Member Indicted On Federal Charges in
Cyberstalking Case (DoJ)
WASHINGTON – Two former staff employees of a member of the U.S. House of
Representatives have been indicted following an investigation into the
circulation of private, nude images and videos of the member and the
member's spouse, announced U.S. Attorney Channing D. Phillips and Matthew
R. Verderosa, Chief of the United States Capitol Police. ...
The indictment alleges that, during the course of his employment, McCullum
offered in March 2016 to assist the House member in repairing the member’s
malfunctioning, password-protected cellular iPhone by taking the device to a
local Apple store. According to the indictment, the House member provided
McCullum with the device solely to have the iPhone repaired. McCullum was
not given permission to take, copy, or distribute any of the contents of the
iPhone. The iPhone contained the private, nude images and videos.
https://www.justice.gov/usao-dc/pr/two-former-employees-house-member-indicted-federal-charges-cyberstalking-case
Well, of course -- what could go wrong?
------------------------------
Date: July 14, 2017 at 4:31:10 PM EDT
From: Lauren Weinstein <lauren@vortex.com>
Subject: The White House just posted the emails of critics without censoring
sensitive personal information
INCOMPETENT and ILLEGAL!
https://www.vox.com/policy-and-politics/2017/7/14/15973464/white-house-election-integrity-doxx
The White House just responded to concerns it would release voters'
sensitive personal information by releasing a bunch of voters' sensitive
personal information. Last month, the White House's "election integrity"
commission sent out requests to every state asking for all voters' names,
party IDs, addresses, and even the last four digits of their Social
Security numbers, among other information. The White House then said this
information would be made available to the public. A lot of people did
not like the idea, fearing that their personal information could be made
public. So some sent emails to the White House, demanding that it rescind
the request. This week, the White House decided to make those emails from
concerned citizens public through the commission's new website. But the
administration made a big mistake: It didn't censor any of the personal
information -- such as names, email addresses, actual addresses, and phone
numbers -- included in those emails. In effect, the White House just
released the sensitive personal information of a lot of concerned citizens
giving feedback to their government. That's made even worse by the fact
that the White House did this when the thing citizens were complaining
about was the possibility that their private information would be made
public. As of Friday afternoon, the emails are still uncensored and
available on the White House's website. They include all sorts of
feedback, from concerns about privacy to outright insults of the Trump
administration. One email just links to an image of the terrifying
pornographic meme Goatse. (Do not Google this if you value your eyes.)
------------------------------
Date: Fri, 7 Jul 2017 09:04:03 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Beware of a new scam involving "relatives" and gift cards (CBS)
In a new twist on an old phone scam, criminals are preying on family ties by
asking people to buy gift cards to help relatives they falsely claim are in
trouble.
http://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/
------------------------------
Date: Sun, 9 Jul 2017 00:11:51 -0400 (EDT)
From: msb@vex.net (Mark Brader)
Subject: Computerization and overnight train service
Once upon a time, if you were operating a train service and you decided
to extend its operating hours to run all night, your only concerns would
be finding the staff to operate it, and what to do about maintenance that
formerly occurred during the nightly downtime.
Last year the London Underground began two nights per week of all-night
operations on some lines, with continuous service from Friday morning
through Sunday evening. And according to Mark Curran in the June
issue of "Modern Railways" magazine:
| The greatest single cost in implementing Night Tube has been
| modifications to the signalling systems, which were not designed
| to operate through the end/beginning of the traffic day at 03:00.
| The next day's timetables are uploaded around this time and the
| signalling and control systems undertake various test routines.
|
| The typical issues were self-tests bringing all trains to
| a halt... loss of train control data... loss of any customer
| information on the train or platform, and extended periods when
| trains would need to be manually signalled.
|
| ...The ticketing system on the Underground was also not designed to
| operate through the end/beginning of the ticketing day at 04:30...
| a customer touching in at 04:15 and out at 04:45 would be charged
| two incomplete single journeys...
Of course the systems would not have been designed this way if overnight
service had already been contemplated when they were introduced.
------------------------------
Date: Mon, 10 Jul 2017 16:41:35 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Why fact-checking 'fake news' stories is a waste of time (WeForum)
via NNSquad
https://www.weforum.org/agenda/2017/07/why-fact-checking-fake-news-stories-is-a-waste-of-time
A new study suggests that fact-checking has little influence on what
online news media covers, and fact-checks of false news stories spreading
online--"fake news"--may use up resources newsrooms could better use
covering substantive stories.
Don't bother fact checking them. When they're clearly false by reasonable
objective measures, delete them -- or alternatively, de-rank them into
oblivion in search results and post surfacing algorithms.
------------------------------
Date: Sat, 8 Jul 2017 11:10:45 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Web gets built-in copy protection hooks with a few key flaws
via NNSquad
https://www.engadget.com/2017/07/08/w3c-approves-built-in-web-copy-protection-hook/
Like it or not, the web is getting some built-in padlocks. The World Wide
Web Consortium has decided to publish Encrypted Media Extensions, a
standard for hooking copy protection into web-based streaming video,
without making significant changes to a version agreed to in March. While
it's not perfect, the W3C argues (you still need to deal with a vendor's
content decryption module), it's purportedly better than the
make-it-yourself approach media providers have to deal with right now.
There do appear to be some improvements to the status quo for digital
rights management. However, there are more than a few detractors -- there
are concerns that the W3C simply ignored concerns in the name of
expediency.
This really has become necessary.
------------------------------
Date: Wed, 12 Jul 2017 19:38:55 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Charging Phone Kills 14-Year-Old Girl in Bathtub"
(Harriet Sinclair)
[There is something to be said for understanding the basics of technology. GW]
Harriet Sinclair, *Newsweek*, 11 Jul 2017
http://www.newsweek.com/teenager-madison-coe-killed-after-using-cell-phone-bath-635208
opening text:
A teenager has been killed after using her cell phone in the bath and
suffering an electric shock. Madison Coe, 14, died at her father's home in
Lovington, New Mexico, on Sunday in an accident her family said took place
when she either plugged in her phone or reached for a phone that was already
plugged into the wall while she was in the bath.
------------------------------
Date: Thu, 13 Jul 2017 17:34:05 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Funny how these articles are all the same...
https://www.linkedin.com/pulse/realizing-potential-blockchain-don-tapscott
...repeating "It's wonderful" with no details how it works. An
encryption-savvy colleague has said this quickly gets into the weeds -- but
how about clues on how (for example (quoting):
Realizing the Potential of Blockchain
Innovators are programming this new digital ledger to record anything of
value to humankind – birth and death certificates, marriage licenses, deeds
and titles of ownership, rights to intellectual property, educational
degrees, financial accounts, medical history, insurance claims, citizenship
and voting privileges, location of portable assets, provenance of food and
diamonds, job recommendations and performance ratings, charitable donations
tied to specific outcomes, employment contracts, managerial decision rights
and anything else that we can express in code.
---
It's always proof by assertion with NO insight how these wildly different
functions will be implemented. And regarding this idea -- give me a break,
put everyone's IoT online for sharing? What could go wrong with THAT? The
emperor may actually have a fine wardrobe but I'm awaiting the fashion show.
Paul Brody, principal and global innovation leader of blockchain technology
at Ernst & Young, thinks that all our appliances should donate their
processing power to the upkeep of a blockchain: “Thanks to the smartphone
business driving very low-cost systems, your lawnmower or dishwasher is
going to come with a CPU that is probably a thousand times more powerful
than it actually needs, so why not have the appliance mine? Not to make
money, but to contribute to the security and viability of the blockchain as
a whole,” he said.
------------------------------
Date: Fri, 14 Jul 2017 12:14:21 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Woman's selfie causes $200,000 of damage to LA art exhibit
(Pamela Ng)
Pamela Ng, Fox News, 14 Jul 2017
http://www.foxnews.com/tech/2017/07/14/womans-selfie-causes-200000-damage-to-la-art-exhibit.html
A woman taking a selfie at a Los Angeles art exhibit sent shockwaves
around the room after knocking over several displays, causing $200,000 in
damage.
The unidentified woman was at The 14th Factory for the "Hypercaine"
installation when she appeared to crouch down in front of one of the
displays for a photo and fall backwards, video of the incident shows.
------------------------------
Date: Thu, 13 Jul 2017 23:14:05 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FDA Deal Would Relax Rules on Reporting Medical Device Problems
The makers of cardiac defibrillators, insulin pumps, breast implants and
other devices will be able to delay the reporting of malfunctions under an
agreement headed to Congress.
https://www.nytimes.com/2017/07/11/health/fda-medical-device-problems-rules.html
------------------------------
Date: Wed, 28 Jun 2017 23:42:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Judges refuse to order fix for court software that put people in
jail by mistake (Ars Technica)
https://arstechnica.com/tech-policy/2017/06/appeals-court-public-defender-lacks-standing-in-dispute-over-court-software/
------------------------------
Date: Fri, 14 Jul 2017 09:49:54 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Cloud Leak: How A Verizon Partner Exposed Millions of Customer
Accounts (UpGuard)
https://www.upguard.com/breaches/verizon-cloud-leak
------------------------------
Date: Mon, 10 Jul 2017 08:39:12 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Backdoor built in to widely used tax app seeded last week's
NotPetya outbreak
Operation that hit thousands was “thoroughly well-planned and well-executed.”
https://arstechnica.com/security/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/
------------------------------
Date: Wed, 12 Jul 2017 21:53:50 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hackers have been stealing credit card numbers from Trump's hotels
for months
This is the third cybersecurity breach to hit the luxury hotel chain since 2014.
https://www.washingtonpost.com/news/business/wp/2017/07/11/hackers-have-been-stealing-credit-card-numbers-from-trumps-hotels-for-months/
------------------------------
Date: Sun, 9 Jul 2017 09:53:26 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Everybody lies: how Google search reveals our darkest secrets
(The Guardian)
https://www.theguardian.com/technology/2017/jul/09/everybody-lies-how-google-reveals-darkest-secrets-seth-stephens-davidowitz
------------------------------
Date: Wed, 12 Jul 2017 10:06:48 +1000 (EST)
From: Dave Horsfall <dave@horsfall.org>
Subject: Re: Volvo admits its self-driving cars are confused by kangaroos
(The Guardian)
A colleague told me that the vehicle determines the distance to the object
by the apparent height above ground from the camera's point of view, thus a
mid-air roo appears to be further away than it really is. And when it
lands...
Dave Horsfall, Unit 13, 79 Glennie St, North Gosford NSW 2250, Australia
------------------------------
Date: Fri, 7 Jul 2017 20:15:43 +0100
From: Anthony Youngman <antlists@youngman.org.uk>
Subject: Re: Western tech firms bow to Russian demands to share cybersecrets
(Ward, RISKS-30.35)
Unfortunately, formal methods also lead you to the proof that your formal
proof is worthless ... to many people believe (Godel's proof to the contrary
notwithstanding) that it is possible to guarantee that systems are bug-free.
A formal proof is mathematics. It is only as good as its axioms (which by
definition are unprovable). And, as we keep on discovering, all too often
reality has a habit of saying "you've got the wrong axioms". To say nothing
of Godel's proof that you can NOT get all your axioms right even within the
world of logic, let alone align them correctly with reality.
Then of course, there is the little problem that any program of any size
will likely exhibit knapsack complexity, ie an automated proof would take
longer than the universe has existed.
That's not to decry formal proofs, or even the attempt thereat. They are a
very useful tool, but you need to remember that they *guarantee* *nothing*
in reality.
[Reality guarantees nothing in reality either. It's the total system that
counts, including squirrels, cosmic rays, and whatever might bite you.
PGN]
------------------------------
Date: Thu, 13 Jul 2017 17:41:24 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Press kits or other publications on thumb drives? [RE:????]
Interesting comments on material distributed that way:
(E.g., "Blue Cross wants you to insert this USB card into your computer.
You'd be safer inserting it into your you-know-what.)
https://plus.google.com/+LaurenWeinstein/posts/4TS3iRwjXuo
...of course, how do you check out shrink-wrapped commercial thumb drives
products without potentially compromising your systems?
------------------------------
Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.37
************************
