RISKS Forum mailing list archives
Risks Digest 27.40
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 31 Jul 2013 13:47:12 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 31 July 2013  Volume 27 : Issue 40

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.40.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Surviving the blame game (Michelle Singletary via PGN)
Smart Houses that are not so smart (Barry Gold)
The risks of measuring progress by more of the same (Bob Frankston)
Stanford University passwords compromised -- again (PGN)
Download manager takes Web site down (Geoff Kuenning)
"Microsoft and FBI take down malware, housed on 1.9 million computers"
  (Lucian Constantin via Gene Wirchenko)
"Cloud adoption suffers in the wake of NSA snooping"
  (David Linthicum via Gene Wirchenko)
A Blow for the Press, and for Democracy (Margaret Sullivan via Monty Solomon)
4 Russians, 1 Ukrainian charged in massive hacking
  (Samantha Henry via Monty Solomon)
Re: Is Your Cable Box Spying On You? (F. Barry Mulligan)
Re: License-plate readers let police collect millions of driver records
  (Geoff Kuenning)
Re: And now, from the country that brought you INCIS and Novopay...
  (Nick Brown)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 31 Jul 2013 10:07:45 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Surviving the blame game (Michelle Singletary)

Michelle Singletary, *The Washington Post*, 30 Jul 2013

The health of our economy relies on people finding and keeping jobs. If
there are electronic-record systems that are preventing qualified people
from getting hired or staying employed, they [the systems, not the people,
notes PGN] need to be fixed.

That's why it's important to take note of a report from the National
Employment Law Project, which estimates that 1.8 million workers every year
are subjected to FBI background checks that contain incorrect or incomplete
information. [...]

http://www.washingtonpost.com/business/surviving-the-data-blame-game/2013/07/30/3ad80f48-f890-11e2-8e84-c56731a202fb_story.html?tid=pp_stream

------------------------------

Date: Tue, 30 Jul 2013 22:52:38 -0700
From: Barry Gold <BarryDGold () ca rr com>
Subject: Smart Houses that are not so smart

A pair of security researchers found that so-called smart houses have
serious security vulnerabilities. A discontinued home automation system from
Insteon is connected to the Internet with a web server -- and did not even
provide a robots.txt file to tell search engines to stay away. The result is
that all the house controls are visible if you know the right keywords to
search for.

The researcher was able (after contacting the homeowner and getting
permission) to turn the lights on and off, control TV sets, garage doors,
cameras, etc. All the things that the owner can control remotely with a
smartphone app.

The system is shipped from the manufacturer with a default setting of no
username or password.

Other manufacturers have similar problems. The Satis Smart Toilet can be
controlled by anybody with an Android, the right app, and close enough to
communicate with the toilet.

More details at
http://onforb.es/159JEcM
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/?google_editors_picks=true

------------------------------

Date: Mon, 29 Jul 2013 16:53:13 -0400
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Subject: The risks of measuring progress by more of the same

I'm often frustrated in trying to explain that the Internet isn't just the
web or a series of tubes. The problem is that those views work well for
those who look at the surface and want more of what they see.

It's hard to explain that the web and its benefits come from the days of an
Internet without borders in which we were free to experiment. Today we're
back to the time when you had a network suitable for phone calls or other
enumerated applications.

This is not a new issue but I recently posted http://rmf.vc/CILight which
might help people understand the issue by using a very simple example - the
ability to maintain a relationship between two end points. If we can't do
that then how can we innovate ahead of what is offered by the incumbent
providers?

For that matter why do we use words like "provide" and "access" when we talk
about the Internet which came from our innovation at the edge despite the
service providers.

Maybe this is about the risks of language and using words like communicate,
information, broadband which allow us to talk without really communicating.

http://frankston.com

------------------------------

Date: Tue, 30 Jul 2013 15:04:55 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Stanford University passwords compromised -- again

Various sources have reported that Stanford University has alerted its
network users that their accounts may have been compromised (for the second
time in about a month), and recommended that passwords should be changed as
a precautionary measure while the Stanford IT folks are trying to assess the
scope of the breach. Five days later, I've heard nothing further. Perhaps a
RISKS reader at Stanford can contribute an update.

------------------------------

Date: Mon, 29 Jul 2013 23:35:34 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Download manager takes Web site down

I run a small Web site (http://iotta.snia.org) that distributes large
scientific files to researchers. For unjustifiable reasons, it has an
absurdly slow link (10 Mbits) to the outside world. Yes, I'd like to fix
that.

Recently we observed an enormous spike in download attempts--all of which
failed.

After investigating and contacting the responsible parties (fortunately, we
ask our users to provide an e-mail address and most tell the truth) we
learned that they were using "Internet Download Manager", a Windows
application that purports to speed up and simplify downloads. In this case,
IDM was opening dozens of simultaneous connections, each of which attempted
to acquire a different file. The resulting logjam caused ALL of the
downloads to time out, at which point the package would try again.

Telling the users to disable IDM and be patient cured the problem. (In the
longer term, we'll be activating per-IP connection limits, which are an
imperfect but helpful solution.)

RISK: The TCP/IP specification is extensive and explicit, but doesn't
address simultaneous connections from the same client. As far as I can
figure out, the HTTP specification doesn't offer a way for servers to
suggest a maximum (let alone a way to enforce one). And overeager developers
are welcome to ignore conventions and common courtesy in an attempt to gain
personal benefit.

Geoff Kuenning  geoff () cs hmc edu  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Tue, 30 Jul 2013 14:47:50 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft and FBI take down malware, housed on 1.9 million
  computers" (Lucian Constantin)

Lucian Constantin, *ITBusiness*, 26 Jul 2013
http://www.itbusiness.ca/article/microsoft-almost-90-percent-of-citadel-botnets-in-the-world-disrupted-in-june

selected text:

But one security researcher says he believes Microsoft had already been
controlling about 1,000 of the 4,000 Citadel-related domain names, since its
researchers were using them to track the botnets. He also adds Microsoft
modified settings on people's computers without getting their permission, as
it sent configuration files to infected computers connecting to the sinkhole
servers.

  [Said researcher posted https://www.abuse.ch/?p=5362 about this.]

------------------------------

Date: Tue, 30 Jul 2013 14:55:47 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Cloud adoption suffers in the wake of NSA snooping" (David Linthicum)

David Linthicum, InfoWorld, 30 Jul 2013
Due to PRISM, non-U.S. firms are avoiding Stateside cloud providers, but
government access to cloud data can't be stopped
http://www.infoworld.com/d/cloud-computing/cloud-adoption-suffers-in-the-wake-of-nsa-snooping-223606

opening text:

According to a survey by the Cloud Security Alliance, 10 percent of the
CSA's non-U.S. members have canceled a contract with a U.S.-based cloud
provider due to fears of U.S. government abuse of their citizens' data, a
fear stoked by revelations of extensive spying on electronic communications
by the U.S. National Security Agency through its PRISM program. Moreover, 56
percent said they were now less likely to use an American company.

------------------------------

Date: Tue, 30 Jul 2013 23:51:52 -0400
From: Monty Solomon <monty () roscom com>
Subject: A Blow for the Press, and for Democracy (Margaret Sullivan)

Margaret Sullivan, *The New York Times*, 28 Jul 2013

Sometimes James Risen feels like Jean Valjean, the beleaguered protagonist
of "Les Miserables," hounded for years by the authorities.

"They just keep coming at me," Mr. Risen, a Times reporter in Washington,
told me by phone last week.

It has been 10 years since he learned of a secret C.I.A. program to
interfere with Iran's quest for nuclear weapons, and six since he got an
ominous FedEx package containing a government subpoena. Since then, it has
been one legal hurdle after another, trying to stay out of court.

Just over a week ago, another blow came: A federal appeals court panel
ruled, 2 to 1, against his effort to avoid testifying in the government's
case against Jeffrey Sterling, a former C.I.A. official charged with leaking
secret information about the matter.

Mr. Risen's lawyers, backed by a flotilla of press organizations and
journalists, argue that his testimony isn't necessary and that First
Amendment protections, combined with legal precedent, should keep him out of
court.

Unwilling to testify, Mr. Risen may end up in jail. Meanwhile, the
distractions and the continued scrutiny of government investigators - sure
to make sources skittish - have hurt his ability to do his job. That's a
shame given the importance of his work: it was Mr. Risen and his Times
colleague Eric Lichtblau who disclosed the Bush administration's
eavesdropping on American citizens without warrants, and the recent
revelations of National Security Agency surveillance have built on that
foundation.

The chilling ruling by the United States Court of Appeals for the Fourth
Circuit said that even though a journalist has promised confidentiality to a
source, "there is no First Amendment testimonial privilege, absolute or
qualified, that protects a reporter from being compelled to testify by the
prosecution or the defense in criminal proceedings about criminal conduct
that the reporter personally witnessed or participated in."

National security necessitates that those who illegally leak classified
information be brought to justice, the court said. It added that it saw no
clear legal justification for treating a reporter differently than any other
citizen, and that "other than Sterling himself, Risen is the only witness
who can identify Sterling as a source (or not) of the illegal leak." ...

http://www.nytimes.com/2013/07/28/public-editor/a-blow-for-the-press-and-for-democracy.html

------------------------------

Date: Fri, 26 Jul 2013 01:00:13 -0400
From: Monty Solomon <monty () roscom com>
Subject: 4 Russians, 1 Ukrainian charged in massive hacking (Samantha Henry)

  [More on the item in RISKS-27.39]

Samantha Henry, Associated Press. 25 Jul 2013

NEWARK, N.J. (AP) - Four Russian nationals and a Ukrainian have been charged
with running a sophisticated hacking organization that penetrated computer
networks of more than a dozen major American and international corporations
over seven years, stealing and selling at least 160 million credit and debit
card numbers, resulting in losses of hundreds of millions of dollars.

Indictments were announced Thursday in Newark, where U.S. Attorney Paul
Fishman called the case the largest hacking and data breach scheme ever
prosecuted in the United States.

Princeton-based Heartland Payment Systems Inc., which processes credit and
debit cards for small to mid-sized businesses, was identified as taking the
biggest hit in a scheme starting in 2007 - the theft of more than 130
million card numbers at a loss of about $200 million. Atlanta-based Global
Payment Systems, another major payment processing company, had nearly 1
million card numbers stolen, with losses of nearly $93 million, prosecutors
said.

The indictment did not put a loss figure on the thefts at some other major
corporations, including Commidea Ltd., a European provider of electronic
payment processing for retailers. The government said hackers in 2008
covertly removed about 30 million card numbers from its computer network.
About 800,000 card numbers were stolen in an attack on the Visa network, but
the indictment did not cite any loss figure. ...

http://www.boston.com/business/news/2013/07/25/russians-ukrainian-charged-massive-hacking/zj9q9jvyKAKT6FTgD7YdLI/singlepage.html

------------------------------

Date: Tue, 30 Jul 2013 10:10:37 -0400
From: "F. Barry Mulligan" <mulligan () acm org>
Subject: Re: Is Your Cable Box Spying On You? (RISKS-27.39)

For the first time in many years, I suddenly feel ahead of the technology.
I have two cable boxes, one to feed the actual television and a secondary
box to feed the (antiquated) VCR. Since they are located close to each
other, I fabricated a sliding cover to obscure the sensor on the secondary
box.

Should these intrusive cable boxes become real products, I foresee a niche
market for similar covers that would obscure the spy sensors while still
allowing desired remote functions.

------------------------------

Date: Mon, 29 Jul 2013 23:49:54 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: License-plate readers let police collect millions of driver
  records (Alexander, RISKS-27.39)

> If a car is scanned that shows a potential offence, an alert sounds and
> displays the reason why the car is suspected to be illegal.

Wow. So failure to pay a tax is now grounds for immediate arrest. Gotta
catch those tax evaders right away! It'd be unforgivably dangerous to let
them drive another ten miles and catch them the old-fashioned way. (Note
that by definition, the government knows who they are, so most of them
aren't going to be dodging the tax man for very long.)

If you're "disqualified for some other offence" then anybody who happens to
borrow your car is at risk of false arrest, at best wasting both their time
and that of the police. That's not what I'd call good design.

And in the future, what a great tool this will be for apprehending the
dastardly mastermind who dared to post a video of a burning poppy. Or, if
you're not afraid of government overreaching, there's always the fact that
The Sun might bribe somebody to search the records to prove that a
particular politician was cheating on his wife.

I'll take my privacy, thanks. I can stand to live in a world with a few tax
evaders and even the occasional faulty brakes.

Geoff Kuenning  geoff () cs hmc edu  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Tue, 30 Jul 2013 00:06:02 +0200 (CEST)
From: nick.brown () free fr
Subject: Re: And now, from the country that brought you INCIS and Novopay...
  (O'Keefe, RISKS-27.39)

> The changes duly took place this year, in anticipation of the benefits of
> the new system...

I wonder if any of the decision-makers had heard of "counting your chickens
before they're hatched"?

This situation reminded me that this is the 20th anniversary of the
publication of my favourite book about computing of all time, namely
"Digital Woes: Why We Should Not Depend on Software" by Lauren Ruth Wiener.
Inspired partly by stories from RISKS as well as by the author's personal
experiences as a writer of software documentation and observer of the
development process, this book is still as relevant today as it was in 1993,
despite containing not one reference to the World-Wide Web, or indeed, as
far as I can recall, any other part of the Internet. Everyone who is even
remotely connected to any software development process should read this
book.

Wiener gave examples of projects similar to this one, where exaggerated
savings on personnel and other overheads from the new computer system were
used to pay for the system, thus creating a double bind for executives when
the system failed to materialise, leaving them with no staff and no money to
re-hire them. It seems that we have learned very little in the intervening
20 years.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.40
************************