RISKS-LIST: Risks-Forum Digest Tuesday 15 December 2015 Volume 29 : Issue 17
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.17.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Former National Security Officials Urge Government to Embrace Rise of
  Encryption (Ellen Nakashima)
What the government should've learned about backdoors from the Clipper Chip
  (Sean Gallagher)
"Final cyber security bill paves way for the surveillance state"
  (Caroline Craig)
Lightbulb DRM: Philips Locks Purchasers Out Of Third-Party Bulbs With
  Firmware Update (TechDirt)
Personalized news hits home (Quealy and Sanger-Katz via Charles C Mann)
European Space Agency records leaked for amusement, attackers say (CSO)
FAA Wants Your Credit Card Number when you register your drones
  (Lauren Weinstein)
Thai Man May Go to Prison [for 37 years] for Insulting King's Dog on social
  media (NYTimes)
13 million MacKeeper users exposed after MongoDB door was left open
  (Ars Technica)
Bangladesh extends social media ban, blocking Twitter and Skype
  (Lauren Weinstein)
Hackers actively exploit critical vulnerability in sites running Joomla
  (Ars Technica)
Small, community banks using machine learning to reduce fraud (NetworkWorld)
Lie-detecting Software uses Machine Learning to Achieve 75 Percent Accuracy
  (Scientific Computing)
British government admits selling Internet addresses to Saudi Arabia and says
  it can't stop ISIS extremists using them
Your iPhone Is Ruining Your Posture -- and Your Mood (David Damerell)
Google links back to itself (Peter Houppermans)
A looming anniversary, and an offer (Gene Spafford)
Re: America's secret cyberarsenal (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 15 Dec 2015 10:59:57 -0800
From: Peter G Neumann <neum...@csl.sri.com>
Subject: Former National Security Officials Urge Government to Embrace Rise
  of Encryption (Ellen Nakashima)

Ellen Nakashima, *The Washington Post*, 14 Dec 2015
https://www.washingtonpost.com/world/national-security/former-national-security-officials-urge-government-to-embrace-rise-of-encryption/2015/12/15/3164eae6-a27d-11e5-9c4e-be37f66848bb_story.html

  [This is a remarkable article, suggesting (among other things) that law enforcement needs to adapt to the use of encryption rather than expect exceptional systemic access to decrypted and unencrypted information. Mike McConnell notes that strong encryption is a greater strategic need. Michael Chertoff notes that deliberately compromising security to make it easier for law enforcement would run the risk of simply sending bad guys elsewhere. Michael Hayden notes that backdoors and built-in keys would drive the market away. Joel Brenner notes that the likelihood others will gain access is quite high. All four of these men have held very high positions in the U.S. Government. PGN-ed]

------------------------------

Date: Tue, 15 Dec 2015 12:16:13 PST
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: What the government should've learned about backdoors from the
  Clipper Chip (Sean Gallagher)

Sean Gallagher, Ars Technica, 15 Dec 2015
http://arstechnica.com/information-technology/2015/12/what-the-government-shouldve-learned-about-backdoors-from-the-clipper-chip/

This article revisits arguments Whit Diffie made at a Congressional hearing 22 years ago, relating to the key-escrow approach of the Clipper Chip -- all of which seem relevant today, more or less as originally stated:

* The backdoor would put providers in an awkward position with other governments and international customers, weakening its value.
* Those who want to hide their conversations from the government for nefarious reasons can get around the backdoor easily.
* The only people who would be easy to surveil would be people who didn't care about government surveillance in the first place.
* There was no guarantee someone else might not exploit the backdoor for their own purposes.

------------------------------

Date: Tue, 15 Dec 2015 09:32:53 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "Final cyber security bill paves way for the surveillance state"
  (Caroline Craig)

Caroline Craig, InfoWorld, 11 Dec 2015
Closed-door negotiations in Congress threaten to strip privacy provisions from final version of the merged cyber security bill
http://www.infoworld.com/article/3013728/government/final-cyber-security-bill-paves-way-for-the-surveillance-state.html

------------------------------

Date: Mon, 14 Dec 2015 15:58:37 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Lightbulb DRM: Philips Locks Purchasers Out Of Third-Party Bulbs
  With Firmware Update (TechDirt via NNSquad)

https://www.techdirt.com/articles/20151214/07452133070/lightbulb-drm-philips-locks-purchasers-out-third-party-bulbs-with-firmware-update.shtml

Literally. Philips has just slapped fans like us in the face and kicked interoperability out the door. Without any communication they delivered a new firmware to the system that disables adding products that they don't approve of. Basically they are banning other Zigbee Light Link products despite the fact that they are a Connected Lighting Alliance member whose mission is to promote interoperability. As it seems (and unless this is just a huge mistake on Philips' side), they have without a warning turned their open product into a walled garden. They have also destroyed the value of the solutions that the customers have set up based on Philips' promises.
------------------------------

Date: Tue, 15 Dec 2015 14:11:29 +0000 (UTC)
From: Charles C Mann <ccm...@comcast.net>
Subject: Personalized news hits home (Quealy and Sanger-Katz)

Kevin Quealy and Margo Sanger-Katz, *The New York Times* interactive, 15 Dec 2015,
The Experts Were Wrong About the Best Places for Better and Cheaper Health Care
http://www.nytimes.com/interactive/2015/12/15/upshot/the-best-places-for-better-cheaper-health-care-arent-what-experts-thought.html

While reading this interesting NYTimes article about health care costs, I was surprised to have the article reach out and grab me by the collar. Embedded in the article -- flowed into the text, not separate in any way -- was a sentence or two and a little graphic that told me about health care costs in Springfield, MA, where it guessed I was reading from (I live about half an hour away, so not a bad guess).

I have attached a screen capture and would be curious if the whole enterprise worked as well in other geographic areas. [Omitted for RISKS. PGN]

This is the first time I can remember encountering anything like this in a news story -- reaching out to tap the reader on the shoulder in the middle of the article, as opposed to letting the reader click on something.

To me, it was at once useful and creepy. On the one hand, I was curious about the results for my local area. On the other, I was creeped out by being reminded of the giant eyeball on the other end that is watching me. [...]

  [My own browsing of this *interactive* article focuses on San Mateo County, California, which is where SRI is located. I think *The Times* interactive folks have done quite a spectacular job, as the entire article includes statistics related to *my* location. Moreover, from the graphic, it appears that the article is prepared to be instantiated specifically to at least 280 different locations (rough count).
  At this rate, it won't be long until interactive *Times* articles are personalized down to each county, or each city, or even each household... PGN]

------------------------------

Date: Mon, 14 Dec 2015 08:30:15 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: European Space Agency records leaked for amusement, attackers say

http://www.csoonline.com/article/3014507/security/european-space-agency-records-leaked-for-amusement-attackers-say.html

Along with database schemas and server stats, a second post by Anonymous also included 8,107 names, email addresses, and passwords. A third post exposed contact details for various ESA supporters and researchers.

The leaked data highlights a troubling problem with regard to passwords used on the compromised domains. Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.). The second largest set of passwords - 1,314 (16%) - were eight characters long, and based on their construction would have been easily cracked by most rule sets and dictionaries. Passwords such as trustno1, rainbow6, password, 12345678, and those based on the person's name or email address would be the first to fall.

------------------------------

Date: Mon, 14 Dec 2015 10:29:04 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: FAA Wants Your Credit Card Number when you register your drones

Privacy Nightmare: Own a Drone? FAA Wants Your Credit Card Number
http://lauren.vortex.com/archive/001138.html

Oh goodie. The FAA has announced its ultra-rushed plan for a drone registry -- they desperately wanted to get this on the books before Christmas.
It's worse than even the most vocal critics had anticipated:
https://www.faa.gov/uas/registration/faqs/

Over the next 60 days, the FAA is requiring that anyone who flies drones outside (other than very small toy drones) must register on a web site (in theory paper-based filing is possible, but the FAA obviously anticipates most registrations to be over the web).

The FAA is also demanding your credit card number before you fly. In fact, they demand $5 via credit card every three years. Forever. [...]

No need to worry though, right? All that required personal information -- name, physical/mailing address, credit card data, email address, etc. will be in the warm embrace of a "third party contractor" who no doubt will take really good care of it to meet the abysmal security and privacy practices of the federal government.

The black hat hackers are already salivating over this one. Home addresses! Credit cards! "Hey comrade, do they ship Porsches to Moscow?"

------------------------------

Date: Mon, 14 Dec 2015 18:21:00 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Thai Man May Go to Prison [for 37 years] for Insulting King's Dog
  on social media

http://www.nytimes.com/2015/12/15/world/asia/thailand-lese-majeste-tongdaeng.html?emc=eta1

In a case brought in a Thai military court, the worker, Thanakorn Siripaiboon, was charged with making a "sarcastic" Internet post related to the king's pet. He also faces separate charges of sedition and insulting the king.

Mr. Thanakorn could face a total of 37 years in prison for his social media posts, highlighting what has become a feverish campaign to protect the monarchy and rebuff critics of the country's military rulers.
------------------------------

Date: Tue, 15 Dec 2015 09:43:53 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: 13 million MacKeeper users exposed after MongoDB door was left open

http://arstechnica.com/security/2015/12/13-million-mackeeper-users-exposed-after-mongodb-door-was-left-open/

------------------------------

Date: Mon, 14 Dec 2015 14:32:22 -0800
From: Lauren Weinstein <priv...@vortex.com>
Subject: Bangladesh extends social media ban, blocking Twitter and Skype

https://thestack.com/security/2015/12/14/bangladesh-extends-social-media-ban-blocking-twitter-and-skype/

A month after temporarily blocking social media sites including Facebook and WhatsApp, the Bangladeshi government has now taken steps to take down Microsoft's online chat software Skype and social networking service Twitter.

Citing 'threats to national security', the government ordered the blocking of the six leading social media apps in Bangladesh - Facebook, Messenger, Line, WhatsApp, Viber and Tango. The decision came after a supreme court ruling which sentenced two opposition leaders, Salauddin Quader Chowdhury and Ali Ahsan Muhajid, to death, having found them guilty of crimes committed in the 1971 war of independence from Pakistan.

------------------------------

Date: Tue, 15 Dec 2015 09:37:22 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Hackers actively exploit critical vulnerability in sites running Joomla

Attackers are actively exploiting a critical remote command-execution vulnerability that has plagued the Joomla content management system for almost eight years, security researchers said.
http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/

------------------------------

Date: Tue, 15 Dec 2015 09:22:45 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Small, community banks using machine learning to reduce fraud

http://www.networkworld.com/article/2991925/security/small-community-banks-using-machine-learning-to-reduce-fraud.html

------------------------------

Date: Tue, 15 Dec 2015 09:25:52 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Lie-detecting Software uses Machine Learning to Achieve 75 Percent
  Accuracy

http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy

  [Wow! 75 percent! That means in 25 percent of the cases, everyone is likely to be falsely accused of something? PGN]

------------------------------

Date: Tue, 15 Dec 2015 11:00:41 -0800
From: Lauren Weinstein <priv...@vortex.com>
Subject: British government admits selling Internet addresses to Saudi Arabia
  and says it can't stop ISIS extremists using them

``The government owns millions of unused IP addresses which we are selling to get a good return for hardworking taxpayers. We have sold a number of these addresses to telecoms companies both in the UK and internationally to allow their customers to connect to the Internet. We think carefully about which companies we sell addresses to, but how their customers use this Internet connection is beyond our control.''

The government did not reveal how much money was made from selling the IP addresses to the pair of Saudi firms, because it regards this information as commercially sensitive.

The Saudi deal was first revealed after hackers claimed that a number of Islamic State supporters' social media accounts are being run from Internet addresses which could be linked to the Department of Work and Pensions.
http://www.mirror.co.uk/news/technology-science/technology/british-government-admits-selling-internet-7017287

------------------------------

Date: Tue, 15 Dec 2015 14:04:47 +0000
From: David Damerell <damer...@chiark.greenend.org.uk>
Subject: Your iPhone Is Ruining Your Posture -- and Your Mood (R 29 16)

The Dreaded iHunch? ... very effectively dealt with here:
http://steamtraen.blogspot.co.uk/2015/12/a-cute-story-to-be-told-and-self-help.html

starting with the observation that this is a tiny study from 2013, which has not yet been peer-reviewed and yet is felt good enough for *The New York Times*.

The risks of sensationalist newspaper articles based on dubious science will be familiar to us, I'm sure - but having the sensationalist article written by one of the authors of the dubious science is certainly more efficient than the usual approach.

------------------------------

Date: Tue, 15 Dec 2015 09:24:37 +0100
From: Peter Houppermans <pe...@houppermans.net>
Subject: Google links back to itself

Ah, why oh why would Google offer links that would point back to itself?

> A side note, Google appears to be (in some instances) not providing users
> direct links to articles - Google instead provides links to Google with
> search terms. Have others noticed this? And if so, can anyone speculate as
> to why?

You may want to look up what a chap by the name Gordon Welchman did during WW II. What you're looking at is meta-data collection: tracking relationships. Google is tracking whom you are sharing the link with so they can establish a link between you and the originator. From such casual events metrics and profiles are spun, and it's not just Google who does this -- I find especially LinkedIn rather aggressive in this too.

I always strip links back to the actual resource before I forward them to others as I find it uncivil to subject someone to unwanted (and mostly undetected) tracking, and links I receive from third parties get the same treatment before I use them.
To quote the late Spike Milligan, there is a lot of it about!

------------------------------

Date: Tue, 15 Dec 2015 11:05:16 -0500
From: Gene Spafford <s...@purdue.edu>
Subject: A looming anniversary, and an offer

Next year is the 25th anniversary of the publication of Practical Unix Security. The book has attracted quite a readership over the years.

As a celebration of the anniversary, and as a way of helping raise some funds for two worthwhile non-profit organizations (EPIC and the ISSA Foundation), we are making a special offer to get a copy of the book signed by the authors. We encourage people to participate -- if nothing else, to provide some support to two worthwhile organizations supporting security & privacy work (Details: http://ceri.as/puis).

------------------------------

Date: Mon, 14 Dec 2015 17:33:28 -0800
From: Henry Baker <hbak...@pipeline.com>
Subject: Re: America's secret cyberarsenal (RISKS-29.16)

The most important link was omitted from my post:
http://www.politico.com/agenda/story/2015/12/defense-department-cyber-offense-strategy-000331

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-requ...@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscr...@csl.sri.com or risks-unsubscr...@csl.sri.com
 depending on which action is to be taken. Subscription and unsubscription
 requests require that you reply to a confirmation message sent to the
 subscribing mail address. Instructions are included in the confirmation
 message. Each issue of RISKS that you receive contains information on how
 to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <lindsay.marsh...@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.
 Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.17
************************