RISKS-LIST: Risks-Forum Digest  Sunday 22 April 2018  Volume 30 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.66>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
  Don't Blame Me for Facebook's Privacy Crisis (Ross Anderson)
  Facebook and Cambridge Analytica (CRYPTO-GRAM)
  Cambridge Analytica and the Coming Data Bust (NY Times)
  Palantir Knows Everything About You (Bloomberg)
  American elections are too easy to hack. We must take action now (Bruce Schneier)
  Instant Runoff Voting (Stephen H. Unger)
  Time for airplane engine diversity? (Christine Negroni)
  Deutsche Bank Inadvertently Made a $35 Billion Payment in a Single Transaction (Bloomberg)
  Blockchain Kiddy Porn (Rebecca Mercuri)
  Browser Standard WebAuthn Could Usher in a Password-Free Future (WiReD)
  Teen charged in Nova Scotia government breach says he had 'no malicious intent' (CBC News)
  Two vendors now sell iPhone cracking technology and police are buying (Lucas Mearian)
  "12+ things you can do with a locked iPhone" (Jonny Evans)
  France builds WhatsApp rival due to surveillance risk (Reuters)
  "Android security: Your phone's patch level says you're up to date, but that may be a lie" (Liam Tung)
  In a Leaked Memo, Apple Warns Employees to Stop Leaking Information (Mark Gurman)
  "Fake Android apps used for targeted surveillance found in Google Play" (Zack Whittaker)
  "Swim at your own risk: How botched IoT can sink your precious first-world life" (Jason Perlow)
  Police use Experian Marketing Data for AI Custody Decisions (Big Brother Watch)
  A call to regulate the use of AI (Nature)
  Yahoo and AOL just gave themselves the right to read your emails *again* (CNET)
  FCC dings T-Mobile $40M for faking rings on calls that never connected (TechCrunch)
  The EU's horrific and tyrannical "Right To Be Forgotten" -- as described in 1944 George Orwell (Lauren Weinstein)
  China's Xi says Internet control key to stability (Reuters)
  Moscow State University Team Wins Gold in ACM ICPC Programming Contest (ACM Bulletins)
  Re: "A bad day with mobile 2FA" (Dmitri Maziuk)
  Re: Fox News accidentally puts up a poll graphic that shows how they are the least-trusted network (Bob Rahe)
  Re: Windows security: Microsoft patch for Outlook password leak bug 'not a full fix' (Kelly Bert Manning)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 14 Apr 2018 18:13:40 PDT
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: Don't Blame Me for Facebook's Privacy Crisis (Ross Anderson)

Ross Anderson, *New Scientist*, 13 April 2018
Don't blame academics like me for Facebook's privacy crisis
http://www.newscientist.com/article/2166331-dont-blame-academics-like-me-for-facebooks-privacy-crisis/

Mark Zuckerberg wonders what is going on at Cambridge University -- I can tell him, but he won't like what privacy researchers have found, says Ross Anderson

Mark Zuckerberg has tried to deflect blame for Facebook's privacy crisis by pointing the finger at my university. ``We do need to understand whether there was something bad going on in Cambridge University overall, that will require a stronger action from us,'' he told the US Senate this week.

There is a short answer to that, and a deeper one. The short answer is that when Aleksandr Kogan, the researcher whose ``This Is Your Digital Life'' app is at the heart of the current row, applied to use the data collected by his company in university research, our ethics committees turned him down flat. The reason? While the people who installed his app had consented to their data being used in research, their Facebook `friends' had not.

The deeper answer goes back almost 10 years, to when I asked two PhD candidates to choose a topic. They said *Facebook privacy*.
Seeing my astonishment, one of them said ``We don't expect a married guy like you to appreciate this, but in Cambridge all the party invitations come via Facebook, so if you're not on Facebook you go to no parties, you meet no girls, you have no sex, so you have no kids and your genes die out. It's a Darwinian imperative to be on Facebook. Yet you seem to have no privacy. We're wondering if it's possible to fix that.''

Six months later, they gave it up as hopeless. Facebook operates by providing users with a false sense of security, of being in a private and intimate space, so they put lots of sensitive information online -- which Facebook's advertisers can then use to target them. Opting out is made deliberately difficult.

Yet thanks to a decade of data on students' privacy preferences, we now know that as time goes by, ever more users discover Facebook's privacy settings and figure out how to use them. Facebook responds with periodic redesigns that often reset people to *sharing* their data with advertisers by default. As a result, users have to learn new and often confusing privacy controls. Yet, after each reset, more people choose to opt out.

Academia has indeed got a lot to say about Facebook and privacy, but maybe not the things that Mr Zuckerberg wants to hear. Facebook is powerful not because it has great products, but because of network effects; people need to use the tools that everyone else uses. Competing firms such as Instagram and WhatsApp get bought out. And research shows that, although people often disregard privacy, they are starting to learn not to.

Ross Anderson is professor of security engineering at the University of Cambridge Computer Laboratory.
------------------------------

Date: Sun, 15 Apr 2018 01:18:29 -0500
From: Bruce Schneier <schne...@schneier.com>
Subject: Facebook and Cambridge Analytica (CRYPTO-GRAM)

Bruce Schneier (CTO, IBM Resilient), CRYPTO-GRAM, 15 April 2018 [PGN Excerpted]
schne...@schneier.com http://www.schneier.com

In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits -- even if we didn't take the personality test that Cambridge Analytica developed.

But for every article about Facebook's creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it's Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit. Harvard Business School professor Shoshana Zuboff calls it "surveillance capitalism." And as creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it.

There are 2,500 to 4,000 data brokers in the United States whose business is buying and selling our personal data. Last year, Equifax was in the news when hackers stole personal information on 150 million people, including Social Security numbers, birth dates, addresses, and driver's license numbers. You certainly didn't give it permission to collect any of that information.
Equifax is one of those thousands of data brokers, most of them you've never heard of, selling your personal information without your knowledge or consent to pretty much anyone who will pay for it.

Surveillance capitalism takes this one step further. Companies like Facebook and Google offer you free services in exchange for your data. Google's surveillance isn't in the news, but it's startlingly intimate. We never lie to our search engines. Our interests and curiosities, hopes and fears, desires and sexual proclivities, are all collected and saved. Add to that the websites we visit that Google tracks through its advertising network, our Gmail accounts, our movements via Google Maps, and what it can collect from our smartphones.

That phone is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with. Uber used just some of that information to detect one-night stands; your smartphone provider and any app you allow to collect location data knows a lot more.

Surveillance capitalism drives much of the Internet. It's behind most of the "free" services, and many of the paid ones as well. Its goal is psychological manipulation, in the form of personalized advertising to persuade you to buy something or do something, like vote for a candidate. And while the individualized profile-driven manipulation exposed by Cambridge Analytica feels abhorrent, it's really no different from what every company wants in the end. This is why all your personal information is collected, and this is why it is so valuable. Companies that can understand it can use it against you.

None of this is new. The media has been reporting on surveillance capitalism for years. In 2015, I wrote a book about it.
Back in 2010, the Wall Street Journal published an award-winning two-year series about how people are tracked both online and offline, titled "What They Know." Surveillance capitalism is deeply embedded in our increasingly computerized society, and if the extent of it came to light there would be broad demands for limits and regulation. But because this industry can largely operate in secret, only occasionally exposed after a data breach or investigative report, we remain mostly ignorant of its reach.

This might change soon. In 2016, the European Union passed the comprehensive General Data Protection Regulation, or GDPR. The details of the law are far too complex to explain here, but some of the things it mandates are that personal data of EU citizens can only be collected and saved for "specific, explicit, and legitimate purposes," and only with explicit consent of the user. Consent can't be buried in the terms and conditions, nor can it be assumed unless the user opts in. This law will take effect in May, and companies worldwide are bracing for its enforcement. Because pretty much all surveillance capitalism companies collect data on Europeans, this will expose the industry like nothing else.

Here's just one example. In preparation for this law, PayPal quietly published a list of over 600 companies it might share your personal data with. What will it be like when every company has to publish this sort of information, and explicitly explain how it's using your personal data? We're about to find out.

In the wake of this scandal, even Mark Zuckerberg said that his industry probably should be regulated, although he's certainly not wishing for the sorts of comprehensive regulation the GDPR is bringing to Europe.

He's right. Surveillance capitalism has operated without constraints for far too long. And advances in both big data analysis and artificial intelligence will make tomorrow's applications far creepier than today's. Regulation is the only answer.
The first step to any regulation is transparency. Who has our data? Is it accurate? What are they doing with it? Who are they selling it to? How are they securing it? Can we delete it? I don't see any hope of Congress passing a GDPR-like data protection law anytime soon, but it's not too far-fetched to demand laws requiring these companies to be more transparent in what they're doing.

One of the responses to the Cambridge Analytica scandal is that people are deleting their Facebook accounts. It's hard to do right, and doesn't do anything about the data that Facebook collects about people who don't use Facebook. But it's a start. The market can put pressure on these companies to reduce their spying on us, but it can only do that if we force the industry out of its secret shadows.

  [Lots of useful URLs included. PGN]

------------------------------

Date: Mon, 16 Apr 2018 11:31:31 +0800
From: Richard M Stein <rmst...@ieee.org>
Subject: Cambridge Analytica and the Coming Data Bust (NY Times)

http://www.nytimes.com/2018/04/10/magazine/cambridge-analytica-and-the-coming-data-bust.html

John Herrman argues that the Cambridge Analytica incident is only business as usual. Unlike the 2008 financial crisis, when home evictions decimated neighborhoods, no consumers experienced direct humiliation or experienced vilification via their weaponized Facebook profile data, though evidence suggests these weaponized profiles collectively influenced the 2016 presidential election.
Herrman writes:

"Experiences that test our trust of the free-services-for-personal-data internet are accumulating and threaten to become more personal: the failure of Twitter to ban someone who harassed or threatened you; a small but embarrassing email hack resulting in a scammer asking old friends for money and concluding with an admonishment from your provider that you just needed a better password; an identity theft, a suffering credit score and then news of a hack at Equifax, a service to which you never even chose to provide data. Or it could be nothing more than an eerily well-targeted ad, one that suggests that a certain service -- maybe one you never even meant to interact with -- knows things about you that you don't remember telling it.

"The wider consequences of these arrangements are harder to quantify and sometimes even to see. They are: a social-media ecosystem that has annexed the news and the public sphere; nascent but increasingly assertive systems of identity and social currency that seek to transcend borders while answering only to investors; billions of lives' worth of trustingly volunteered data in the hands of companies that might want to make money from it, or that might have no need for it anymore, or that might go out of business, change ownership or simply forget what they had in the first place. Perhaps someone -- a new partner, an enterprising researcher, a repressive government -- might, one day, discover new uses for the data.

"A loss of faith in tech companies as semipublic infrastructure would also arrive simultaneously with an understanding that that's what they had been all along: services that we depended on, ones we gave ourselves to, and that revealed themselves to be -- or merely became -- the sorts of services we'd rather not. They're not too big to fail in the banking sense.
But they're similarly hard to budge, having constructed entire modes of interaction, consumption and identity verification that are now intimately interwoven with our lives, so all-encompassing that they've practically become invisible. To stop using these products is to leave the Internet, and these companies made it their mission to make sure there isn't anywhere else to go."

In WW II, tobacco companies contributed free cigarettes to troops creating a generation of addicts. Nicotine level manipulation in cigarettes sustained tobacco company profits while unleashing a cancer epidemic among millions who could not, or would not, break from addiction. Analogously, social media platforms manipulate the brain's dopamine delivery channel with free services in exchange for surrender of personal information to exploit. Aside from couch potato syndrome and smart phone rapture, social media's impact on physical health is apparently marginal.

Low user account turnover churn at Facebook, post-Cambridge Analytica, shows that Facebook addiction is stronger than brand outrage and trust erosion merit. Consumer allegiance and free service access form a resilient bond.

What type of incident might initiate a wholesale abandonment of social media platforms by their users? An insidious act that implicates the platform (via a social media insider/conspiracy) that: precipitates a nuclear alert per "The Missiles of October." An infrastructure take down -- imagine no power for 1 week or a repeat DDoS that cripples social media access/destroys data centers and backup recovery? Or a conspiracy per "Mr. Robot" that erases all financial records? All unlikely to arise, except in "The Twilight Zone."

Without widespread civil protest born of deep personal outrage, social media platforms are unlikely to experience wholesale abandonment. Regulation, however, is one means to throttle corporate behavior.
Global adoption of the EU's "Right to be Forgotten" and the GDPR can influence corporate behavior to respect and protect consumer rights. Strengthening these rules, and rigorous enforcement of them, can diminish backlash potential at the expense of corporate profit -- often the only lesson a business is retrospectively forced to learn -- save for a collective CxO perp walk.

------------------------------

Date: Sun, 22 Apr 2018 01:20:16 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Palantir Knows Everything About You (Bloomberg)

JPMorgan's experience remains instructive. ``The world changed when it became clear everyone could be targeted using Palantir,'' says a former JPMorgan cyber expert who worked with Cavicchia at one point on the insider threat team. ``Nefarious ideas became trivial to implement; everyone's a suspect, so we monitored everything. It was a pretty terrible feeling.''

http://www.bloomberg.com/features/2018-palantir-peter-thiel/

------------------------------

Date: Thu, 19 Apr 2018 16:51:37 PDT
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: American elections are too easy to hack. We must take action now (Bruce Schneier)

http://www.theguardian.com/commentisfree/2018/apr/18/american-elections-hack-bruce-scheier%3FCMP%3Dshare_btn_fb

American elections are too easy to hack. We must take action now
The Guardian
Bruce Schneier

The computers we use in the voting process are vulnerable at every level. We need a system resilient to threats -- and in many cases, that means paper

Wed 18 Apr 2018

Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.

Today, we conduct our elections on computers. Our registration lists are in computer databases.
We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

Recently, there have been two graphic demonstrations of how bad our computerized voting system is. In 2007, the states of California and Ohio conducted audits of their electronic voting machines. Expert review teams found exploitable vulnerabilities in almost every component they examined. The researchers were able to undetectably alter vote tallies, erase audit logs, and load malware on to the systems. Some of their attacks could be implemented by a single individual with no greater access than a normal poll worker; others could be done remotely.

Last year, the Defcon hackers' conference sponsored a Voting Village. Organizers collected 25 pieces of voting equipment, including voting machines and electronic poll books. By the end of the weekend, conference attendees had found ways to compromise every piece of test equipment: to load malicious software, compromise vote tallies and audit logs, or cause equipment to fail.

It's important to understand that these were not well-funded nation-state attackers. These were not even academics who had been studying the problem for weeks. These were bored hackers, with no experience with voting machines, playing around between parties one weekend.

It shouldn't be any surprise that voting equipment, including voting machines, voter registration databases, and vote tabulation systems, are that hackable.
They're computers -- often ancient computers running operating systems no longer supported by the manufacturers -- and they don't have any magical security technology that the rest of the industry isn't privy to. If anything, they're less secure than the computers we generally use, because their manufacturers hide any flaws behind the proprietary nature of their equipment.

We're not just worried about altering the vote. Sometimes causing widespread failures, or even just sowing mistrust in the system, is enough. And an election whose results are not trusted or believed is a failed election.

Voting systems have another requirement that makes security even harder to achieve: the requirement for a secret ballot. Because we have to securely separate the election-roll system that determines who can vote from the system that collects and tabulates the votes, we can't use the security systems available to banking and other high-value applications.

We can securely bank online, but can't securely vote online. If we could do away with anonymity -- if everyone could check that their vote was counted correctly -- then it would be easy to secure the vote. But that would lead to other problems. Before the US had the secret ballot, voter coercion and vote-buying were widespread.

We can't, so we need to accept that our voting systems are insecure. We need an election system that is resilient to the threats. And for many parts of the system, that means paper.

Let's start with the voter rolls. We know they've already been targeted. In 2016, someone changed the party affiliation of hundreds of voters before the Republican primary. That's just one possibility. A well-executed attack that deletes, for example, one in five voters at random -- or changes their addresses -- would cause chaos on election day.

Yes, we need to shore up the security of these systems.
We need better computer, network, and database security for the various state voter organizations. We also need to better secure the voter registration websites, with better design and better Internet security. We need better security for the companies that build and sell all this equipment.

Multiple, unchangeable backups are essential. A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD. Copies of that DVD, or -- even better -- a paper printout of the voter rolls, should be available at every polling place on election day. We need to be ready for anything.

Next, the voting machines themselves. Security researchers agree that the gold standard is a voter-verified paper ballot. The easiest (and cheapest) way to achieve this is through optical-scan voting. Voters mark paper ballots by hand; they are fed into a machine and counted automatically. That paper ballot is saved, and serves as a final true record in a recount in case of problems. Touch-screen machines that print a paper ballot to drop in a ballot box can also work for voters with disabilities, as long as the ballot can be easily read and verified by the voter.

Finally, the tabulation and reporting systems. Here again we need more security in the process, but we must always use those paper ballots as checks on the computers. A manual, post-election, risk-limiting audit varies the number of ballots examined according to the margin of victory. Conducting this audit after every election, before the results are certified, gives us confidence that the election outcome is correct, even if the voting machines and tabulation computers have been tampered with. Additionally, we need better coordination and communications when incidents occur.

It's vital to agree on these procedures and policies before an election.
Before the fact, when anyone can win and no one knows whose votes might be changed, it's easy to agree on strong security. But after the vote, someone is the presumptive winner -- and then everything changes. Half of the country wants the result to stand, and half wants it reversed. At that point, it's too late to agree on anything.

The politicians running in the election shouldn't have to argue their challenges in court. Getting elections right is in the interest of all citizens. Many countries have independent election commissions that are charged with conducting elections and ensuring their security. We don't do that in the US.

Instead, we have representatives from each of our two parties in the room, keeping an eye on each other. That provided acceptable security against 20th-century threats, but is totally inadequate to secure our elections in the 21st century. And the belief that the diversity of voting systems in the US provides a measure of security is a dangerous myth, because few districts can be decisive and there are so few voting-machine vendors.

We can do better. In 2017, the Department of Homeland Security declared elections to be critical infrastructure, allowing the department to focus on securing them. On 23 March, Congress allocated $380m to states to upgrade election security.

These are good starts, but don't go nearly far enough. The constitution delegates elections to the states but allows Congress to *make or alter such Regulations*. In 1845, Congress set a nationwide election day. Today, we need it to set uniform and strict election standards.

------------------------------

Date: April 22, 2018 at 12:05:57 PM EDT
From: "Stephen H. Unger" <s...@columbia.edu>
Subject: Instant Runoff Voting

Following is a response to a recent IP posting on Instant Runoff Voting (IRV).

Instant Runoff Voting (IRV) seems, at first look, to be a great way to improve our elections. But a closer examination reveals that it can produce clearly irrational results.
For example, it is not hard to construct cases where an IRV winner would have been defeated in a 2-candidate election by at least one of the losing candidates. IRV is also a very complex method. Processing an IRV election is far more difficult and costly than processing a conventional election.

A far better election scheme is Approval Voting (AV): a very simple system, where voters can vote for any number of the candidates on the ballot. This deals effectively with such dilemmas as multiple candidates with similar platforms, or cases where the voter dislikes the front runners. There are no bizarre cases such as those that can turn up in IRV elections. AV elections are no more difficult to process than are traditional elections.

For a discussion of IRV, see
  http://www1.cs.columbia.edu/~unger/articles/irv.html
For a discussion of AV, see
  http:///electology.org/approval-votingreserved=0

------------------------------

Date: Fri, 20 Apr 2018 06:40:12 -0700
From: Henry Baker <hbak...@pipeline.com>
Subject: Time for airplane engine diversity? (Christine Negroni)

[Since the 787 has only 2 engines, perhaps they should be from different manufacturers for "diversity"?]

Christine Negroni, *The New York Times*, 19 Apr 2018
Engine on Southwest Jet Not the Only One to Develop Cracks
http://www.nytimes.com/2018/04/19/business/engine-on-southwest-jet-not-the-only-one-to-develop-cracks.html

The engine that failed so catastrophically on a Boeing 737 plane operated by Southwest Airlines this week is not the only jet engine model with problems that have caught the eye of safety officials.

Like the engine on the Southwest jet, two others -- one used on the Boeing 787 Dreamliner and another on some Boeing 767s -- developed cracks. On Tuesday, the same day as the engine failure on the Southwest plane, the Federal Aviation Administration said Boeing 787 Dreamliners powered by Rolls-Royce engines could no longer be flown on ultra-long, over-water flights.
The engines are produced by three different manufacturers, but the fact that all three have developed safety issues is prompting questions about the engines' design, operation and their inspection procedures. ...

Inspections have also been ordered for the Rolls-Royce Trent 1000 engines that power a quarter of Boeing's newest wide-body, the 787 Dreamliner, after cracks were found on rotor blades. But the F.A.A. went further and rescinded the operators' approval to fly the airplanes any farther than 2 hours and 20 minutes from an emergency airport.

International long-haul carriers like United Airlines, Qantas Airways, Japan Airlines, Air New Zealand and British Airways purchased the Dreamliner over the past decade specifically for the plane's ability to carry fewer people on longer routes more fuel efficiently.

On extended flights over water, an airline could schedule flights on routes of up to five hours flying time from an emergency airport. American and European regulators now say that cannot be safely accomplished. Should one Rolls-Royce engine fail, the higher power demand on the remaining engine could cause the second engine to fail. ...

------------------------------

Date: Fri, 20 Apr 2018 15:23:26 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Deutsche Bank Inadvertently Made a $35 Billion Payment in a Single Transaction (Bloomberg)

http://www.bloomberg.com/news/articles/2018-04-19/deutsche-bank-flub-said-to-send-35-billion-briefly-out-the-door

------------------------------

Date: Sat, 21 Apr 2018 09:08:32 -0400
From: Rebecca Mercuri <merc...@acm.org>
Subject: Blockchain Kiddy Porn

University researchers in Germany (funded by the German Federal Ministry of Education and Research) have pre-released a paper titled "A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin."
See http://fc18.ifca.ai/preproceedings/6.pdf

Their claim is that by embedding illegal content within the blockchain data, the possession of it (such as for legitimate financial transactions) can be deemed illegal. Their analysis of existing blockchain data appears to have revealed "more than 1600 files on the blockchain, over 99% of which are texts or images." Horrifyingly, "among these files, there is clearly objectionable content such as links to child pornography, which is distributed to Bitcoin participants."

In response, there have been assertions that all of this is "fake news" and that there is nothing to worry about. But the paper, with 73 very non-fake footnotes, does not look like an April-fool's joke to me.

As a digital forensics expert, I know first-hand that U.S. Prosecutors and Law Enforcement have become more aggressive recently in filing possession, receipt and distribution charges (which can carry lengthy prison sentences) for those with illegal data that is discovered in unallocated space or embedded within other files, despite extremely clear evidence that the computer's owner or user has no awareness of such illicit content. We also know that the injection of malware (such as the FBI's NIT) that forces computers using anonymizers to reveal their actual IP addresses has not been rejected by the courts as inappropriate investigation technology. There is also growing evidence that individuals of certain demographics are being targeted for digital surveillance via open file shares, which do not require search warrants to remotely inspect.

In this context, therefore, the information in the research paper is extremely troubling. If the findings are indeed correct, this must be taken very seriously by the RISKS and Crypto communities.
I should note that as some in the election community are now considering blockchain as a potential method for "secure remote voting" this could also be a way of distributing kiddy porn to the entire country, and then cherry-picking whomever the Government wants to arrest. Welcome to the Brave New World dystopia.

I would urge everyone to take a look at the paper and see what you think.

------------------------------

Date: Sun, 22 Apr 2018 01:08:07 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Browser Standard WebAuthn Could Usher in a Password-Free Future (WiReD)

Password-free logins have long been the stuff of dreams for security researchers and privacy advocates -- not to mention regular people who fat-finger their account passwords into a browser every day. Industry efforts to end our reliance on the multi-character password have resulted in the proposal of numerous alternative login methods, including biometric verification and the use of behavioral data to prove an individual's identity. But most of these attempts haven't yet led to the promised land: A web without passwords.

http://www.wired.com/story/7-steps-to-password-perfection/

Now, a new standard for the web called WebAuthn is being lauded as a major step forward in secure authentication, and "probably the most effective anti-phishing measure for the web that's out there," according to Selena Deckelmann, senior director of engineering for Mozilla Firefox.

http://www.w3.org/TR/webauthn/

It introduces a set of rules for the web that, if adopted by popular browsers and websites, would mean people could use a single device or a single fingerprint to log into, well, almost everything.

But like the password-free attempts before it, WebAuthn still faces hurdles before it becomes something that impacts the masses. Some security and identity experts seem reluctant to claim that our password-free future has finally arrived.
And a lot of WebAuthn's success comes down to whether hugely popular websites like Amazon or Facebook will adopt this new standard.

http://www.wired.com/story/webauthn-in-browsers

One key to rule them all? What could go wrong?

------------------------------

Date: Tue, 17 Apr 2018 07:50:02 -0400
From: Jose Maria Mateos <ch...@rinzewind.org>
Subject: Teen charged in Nova Scotia government breach says he had 'no malicious intent' (CBC News)

http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970

When he was around eight, he remembered playing around with the HTML of the Google search page, making the coloured letters spell out his name.

Around the same time, his Grade 3 class adopted an animal at a shelter, receiving an electronic adoption certificate. That led to a discovery on the classroom computer.

"The website had a number at the end, and I was able to change the last digit of the number to a different number and was able to see a certificate for someone else's animal that they adopted," he said. "I thought that was interesting."

***The teenager's current troubles arose because he used the same trick on Nova Scotia's freedom-of-information portal, downloading about 7,000 freedom-of-information requests.*** [Emphasis mine.]

Someone's at fault here, but I doubt it's the kid.

------------------------------

Date: Mon, 16 Apr 2018 08:31:29 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: Two vendors now sell iPhone cracking technology and police are buying (Lucas Mearian)

Lucas Mearian, Computerworld, 13 Apr 2018
http://www.computerworld.com/article/3268729/mobile-wireless/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html

Two vendors now sell iPhone cracking technology -- and police are buying

Local and regional police departments and federal agencies are lining up to buy technology from two companies whose products can bypass iPhone security mechanisms.
------------------------------

Date: Mon, 16 Apr 2018 09:06:52 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "12+ things you can do with a locked iPhone" (Jonny Evans)

Jonny Evans, Computerworld | Apr 16, 2018 7:06 AM PT

You may be surprised at just how many things you can do with a locked iPhone. Learn what you can do and how to switch these features off.

http://www.computerworld.com/article/3268884/apple-ios/12-things-you-can-do-with-a-locked-iphone.html

------------------------------

Date: Mon, 16 Apr 2018 11:34:00 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: France builds WhatsApp rival due to surveillance risk (Reuters)

via NNSquad
http://www.reuters.com/article/us-france-privacy/france-builds-whatsapp-rival-due-to-surveillance-risk-idUSKBN1HN258

The French government is building its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials, the digital ministry said on Monday.

Uh huh. A service that nobody can spy on EXCEPT the French government, eh?

------------------------------

Date: Mon, 16 Apr 2018 09:28:32 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Android security: Your phone's patch level says you're up to date, but that may be a lie" (Liam Tung)

Liam Tung, ZDNet, 13 Apr 2018

Study into missed security updates casts doubt on Google's Android patch level system.

http://www.zdnet.com/article/android-security-your-phones-patch-level-says-youre-up-to-date-but-that-may-be-a-lie/

selected text:

Google has spent the past two years building momentum behind its Android monthly patch level system, but a study has found critical patches that should be on devices displaying a patch level aren't actually present.

The results, shared with Wired, show that some popular Android devices are missing as many as a dozen patches that users would expect to be there, based on the patch level string displayed in settings in date format.
But, according to Nohl, some Android manufacturers appear to be gaming the patch level system to falsely improve their image. And, as vendors chalk up security points for non-existent patches, end users are left with a false sense of security.

------------------------------

Date: Mon, 16 Apr 2018 09:35:41 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: In a Leaked Memo, Apple Warns Employees to Stop Leaking Information (Mark Gurman)

Mark Gurman, Bloomberg, 13 Apr 2018
http://www.bloomberg.com/news/articles/2018-04-13/apple-warns-employees-to-stop-leaking-information-to-media

selected text:

Apple Inc. warned employees to stop leaking internal information on future plans and raised the specter of potential legal action and criminal charges, one of the most-aggressive moves by the world's largest technology company to control information about its activities.

The Cupertino, California-based company said in a lengthy memo posted to its internal blog that it "caught 29 leakers," last year and noted that 12 of those were arrested. "These people not only lose their jobs, they can face extreme difficulty finding employment elsewhere," Apple added. The company declined to comment on Friday.

The employee who leaked the meeting to a reporter later told Apple investigators that he did it because he thought he wouldn't be discovered. But people who leak -- whether they're Apple employees, contractors or suppliers -- do get caught and they're getting caught faster than ever.

------------------------------

Date: Mon, 16 Apr 2018 09:44:41 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Fake Android apps used for targeted surveillance found in Google Play" (Zack Whittaker)

Zack Whittaker for Zero Day, 16 Apr 2018

The apps relied on a second-stage component that was downloaded after the apps were installed.
http://www.zdnet.com/article/fake-android-apps-used-for-targeted-surveillance-found-in-google-play/

------------------------------

Date: Mon, 16 Apr 2018 09:18:35 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Swim at your own risk: How botched IoT can sink your precious first-world life" (Jason Perlow)

Jason Perlow for Tech Broiler, ZDNet, 12 Apr 2018

Boo-hoo. A bungled Internet of Things (IoT) update means you can't switch your swimming pool to spa mode. Laugh all you want: When the HVAC or your home security system fails, the implications are serious.

http://www.zdnet.com/article/swim-at-your-own-risk-how-botched-iot-can-sink-your-precious-first-world-life/

------------------------------

Date: April 15, 2018 at 11:06:57 AM EDT
From: Jose Maria Mateos <ch...@rinzewind.org>
Subject: Police use Experian Marketing Data for AI Custody Decisions (Big Brother Watch)

via Dave Farber
http://bigbrotherwatch.org.uk/all-media/police-use-experian-marketing-data-for-ai-custody-decisions/

POLICE USE EXPERIAN MARKETING DATA FOR AI CUSTODY DECISIONS

Durham Police has paid global data broker Experian for UK postcode stereotypes built on 850 million pieces of information to feed into an artificial intelligence (AI) tool used in custody decisions, a Big Brother Watch investigation has revealed.

Durham Police is feeding Experian's `Mosaic' data, which profiles all 50 million adults in the UK[1] to classify UK postcodes, households and even individuals [2] into stereotypes, into its AI `Harm Assessment Risk Tool' (HART).
The 66 `Mosaic' categories include `Disconnected Youth', `Asian Heritage' and `Dependent Greys'.[3] Durham Police's AI tool processes Experian's `Mosaic' data and other personal information to predict whether a suspect might be at low, medium or high risk of reoffending.[4]

Experian's Mosaic code includes the `demographic characteristics' of each stereotype -- characterising `Asian Heritage' as `extended families' living in `inexpensive, close-packed Victorian terraces', adding that `when people do have jobs, they are generally in low paid routine occupations in transport or food service'.[5] `Disconnected Youth' are characterised as `avid texters' whose `wages are often low'[6] -- with first names like `Liam' and `Chelsea'[7].

------------------------------

Date: Wed, 18 Apr 2018 09:52:19 +0100
From: Martyn Thomas <mar...@thomas-associates.co.uk>
Subject: A call to regulate the use of AI (Nature)

Regulate artificial intelligence to avert cyber arms race: Define an international doctrine for cyberspace skirmishes before they escalate into conventional warfare, urge *Mariarosaria Taddeo* and *Luciano Floridi*

http://www.nature.com/articles/d41586-018-04602-6

------------------------------

Date: Sat, 14 Apr 2018 18:45:57 -1000
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: Yahoo and AOL just gave themselves the right to read your emails *again* (CNET)

http://www.cnet.com/news/yahoo-aol-oath-privacy-policy-verizon-emails-messages/

------------------------------

Date: Mon, 16 Apr 2018 11:31:58 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: FCC dings T-Mobile $40M for faking rings on calls that never connected (TechCrunch)

via NNSquad
http://techcrunch.com/2018/04/16/fcc-dings-t-mobile-40m-for-faking-rings-on-calls-that-never-connected/

The issue at hand is that when someone is trying to call an area with poor connectivity, it can sometimes take several seconds to establish a line to the other party -- especially if a carrier itself does
not serve the area in question and has to hand off the call to a local provider. That's exactly what T-Mobile was doing, and there's nothing wrong with it -- just a consequence of spotty coverage in rural areas.

But what is prohibited is implying to the caller that their call has gone through and is ringing on the other end, if that's not the case. Which is also exactly what T-Mobile was doing, and had been doing since 2007. Its servers began sending a "local ring back tone" when a call took a certain amount of time to complete around then.

------------------------------

Date: Sat, 14 Apr 2018 11:56:56 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: The EU's horrific and tyrannical "Right To Be Forgotten" -- as described in 1944 by George Orwell

"Day by day and almost minute by minute the past was brought up to date. In this way every prediction made by the Party could be shown by documentary evidence to have been correct, nor was any item of news, or any expression of opinion, which conflicted with the needs of the moment, ever allowed to remain on record. All history was a palimpsest, scraped clean and reinscribed exactly as often as was necessary."

  -- ("Nineteen Eighty-Four" - George Orwell - 1944)

------------------------------

Date: Sat, 21 Apr 2018 12:08:14 PDT
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: China's Xi says Internet control key to stability (Reuters)

Reuters, 21 Apr 2018,
http://www.yahoo.com/news/chinas-xi-says-internet-control-key-stability-110428337.html

SHANGHAI (Reuters) - China must strengthen its grip on the Internet to ensure broader social and economic goals are met, state news agency Xinhua reported on Saturday citing comments from President Xi Jinping, underlining a hardening attitude towards online content.
Under Xi's rule China has increasingly tightened its grip on the Internet, concerned about losing influence and control over a younger generation who are driving a diverse and vibrant online culture from livestreaming to blogs.

"Without web security there's no national security, there's no economic and social stability, and it's difficult to ensure the interests of the broader masses," Xinhua cited Xi as saying.

"We cannot let the Internet become a platform for disseminating harmful information and stirring up trouble with rumours," he added in comments made at a cyber security conference in Beijing, Xinhua said.

Chinese regulators have been driving a sweeping crackdown on media content, which has been gaining force since last year, spreading a chill among content makers and distributors.

China is also looking to take a leading role globally in Internet regulation and technology more broadly, which has come into sharp focus amid a trade standoff with the United States and an arms race over technology.

The United States banned sales of parts and software to Chinese telecoms equipment maker ZTE earlier this week, which the Chinese firm said on Friday threatened its survival. ZTE uses U.S. chips in many of its smartphones.

The ZTE case had "triggered a heated debate" in China about advanced technology, Xinhua said in a separate report on Saturday, adding mastering high-end technologies such as chips was "key" to becoming a strong nation.

Luo Wen, China's deputy industry minister, said while China had made progress in advanced manufacturing in areas like electric vehicles and aviation, it was still facing challenges due to a lack of top talent and global scale, Xinhua said.

"Our advanced manufacturing development faces the risk of being boxed in at the low-end," Xinhua reported, citing Luo.

------------------------------

Date: Fri, 20 Apr 2018 14:39:40 PDT
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: Moscow State University Team Wins Gold in ACM ICPC Programming Contest

Baylor via ACM Bulletins, Apr 20 2018

Three students from Moscow State University earned the title of 2018 World Champions in the ACM International Collegiate Programming Contest (ICPC, http://icpc.baylor.edu). Teams from the Moscow Institute of Physics and Technology, Peking University and The University of Tokyo placed in second, third and fourth places and were recognized with gold medals in the prestigious competition, held April 15-19 in Beijing, China.

ACM-ICPC is the premier global programming competition conducted by and for the world's universities. It is conceived, operated and shepherded by ACM and headquartered at Baylor University. This year's World Finals were hosted by Peking University and CYSC: Children and Youth Science Center of CAST, and the contest was sponsored by Founder Group and JetBrains. For more than four decades, the competition has raised the aspirations and performance of generations of the world's problem solvers in computing sciences and engineering.

At ICPC, teams of three students tackle eight or more complex, real-world problems. The students are given a problem statement, and must create a solution within a looming five-hour time limit. The team that solves the most problems in the fewest attempts in the least cumulative time is declared the winner, with the top teams receiving medals.

ICPC regional participation included 49,935 contestants from 3,089 universities in 111 countries on six continents competing at more than 585 sites, all with the goal of earning one of the coveted invitations to Beijing.

As computing increasingly becomes part of the daily routines of a growing percentage of the global population, the solution to many of tomorrow's challenges will be written with computing code.
The ICPC serves as a unique forum for tomorrow's computing professionals to showcase their skills, learn new proficiencies and to work together to solve many real-world problems. This international event fosters the innovative spirit that continues to transform our world.

Full results of the competition are available at http://icpc.baylor.edu/worldfinals/results

------------------------------

Date: Sun, 15 Apr 2018 06:24:34 -0500
From: Dmitri Maziuk <dmaz...@bmrb.wisc.edu>
Subject: Re: "A bad day with mobile 2FA" (Evan Schuman, R 30 65)

My bank uses Google Authenticator app that requires -- obviously, once you know -- synchronized clocks between the server and client cellphone. As it turns out my Galaxy Note 4 sometimes automagically turns off network time, not sure why exactly.

The backup option was e-mail but that was removed at some point because it is "insecure". A robo-call to my home phone (and then I could call my answering machine from overseas if I remembered the codes to play back my messages) is still available, as is a human person on the phone.

------------------------------

Date: Sun, 15 Apr 2018 10:05:20 -0400
From: Bob Rahe <b...@dtcc.edu>
Subject: Re: Fox News accidentally puts up a poll graphic that shows how they are the least-trusted network (RISKS-30.65)

Not sure about the relevance to RISKS with that article other than to maybe highlight how fakenews can manipulate various categories of readers.

About the only thing correct about that article was that the wrong graphic was displayed and it was on FNC and MediaBuzz with Kurtz. The graphic did not show relative trust between networks, and the implication that Kurtz was angry about it just isn't accurate. The article also implies that that graphic wasn't shown as part of the segment. It was.

Kurtz's show deals with the media and he does a pretty good job of sticking to the media [coverage] of stories rather than the stories themselves.
Thus the graphic actually shown had to do with the trust of the various media outlets vs. the President in a study by Monmouth. The article completely mis-characterized it. Either they did so intentionally in order to try to score points or they were just sloppy and only saw the graphic for the few seconds it was actually on screen and didn't watch the rest of the segment.

That article was variously bogus/fake/incomplete in any number of ways. Even Politifact called it mostly false and has the rest of the story correct in its analysis (below.) Although the Trump/Fox/etc. haters won't like it. If you've lost the left 'fact checker' Politifact, you must be doing something *really* wrong!

http://www.politifact.com/punditfact/statements/2018/apr/13/blog-posting/No-Fox-News-did-not-put-up-graphic-showing-it-was/

------------------------------

Date: Sun, 15 Apr 2018 11:56:10 -0400
From: Kelly Bert Manning <bo...@freenet.carleton.ca>
Subject: Re: Windows security: Microsoft patch for Outlook password leak bug 'not a full fix' (RISKS-30.65)

This sort of thing, along with Ctrl F being Forward, not Find as in almost every other Windows product, is why I pronounce it Lookout.

Microsoft keeps trying to install some form of Outlook on my Windows machines at home, even though I never choose Outlook as my non-work email software and do not use any form of Instant Messaging.

http://www.itworld.com/article/2696441/consumerization/the-story-behind-microsoft-outlook-s-terrible-ctrl---f-shortcut.html

Failure to address widespread customer concerns is an old story at Microsoft. If memory serves me correctly they didn't address the need to reboot to add a directly connected printer until William Gates III experienced it in public while doing a major product release presentation. Then it became a High Priority User Interface Issue.
http://www.pcmag.com/article/351494/how-to-fix-the-most-annoying-things-in-windows-10

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.66
************************