RISKS Forum mailing list archives
Risks Digest 27.78
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 3 Mar 2014 16:17:24 PST
RISKS-LIST: Risks-Forum Digest  Monday 3 March 2014  Volume 27 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.78.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Startups don't realize the issue with security until it's too late
  (Jenna Wortham and Nicole Perlroth)
Apple Rolls Out CarPlay (Apple Press Info via Monty Solomon)
Keurig Will Use DRM In New Coffee Maker To Lock Out Refill Market
  (Karl Bode via Monty Solomon)
"Yahoo breach exposes naked truth about online security"
  (Robert X. Cringely via Gene Wirchenko)
Snowden made cyber-geek nightmares true. Can 'private' be normal again?
  (Dan Gillmor via Dewayne Hendricks)
Ed Felten at TrustyCon (PGN)
Apple's Serious Security Issue: Update Your iPhone or iPad Immediately
  (Molly Wood via Monty Solomon)
The goto Squirrel (Dennis E. Hamilton)
Re: iPhone's Critical Security Bug: a Single Bad `Goto'
  (Dimitri Maziuk, Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 3 Mar 2014 11:45:23 -0500
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Startups don't realize the issue with security until it's too late
  (Jenna Wortham and Nicole Perlroth)

No surprise here to anyone who's ever worked for a startup -- making software products secure isn't high on anyone's list. That's not what brings in customers, and hence additional funding. Until someone gets hurt, that is.

Jenna Wortham and Nicole Perlroth, 2 March 2014
When Start-Ups Don't Lock the Doors
http://www.nytimes.com/2014/03/03/technology/when-start-ups-dont-lock-the-doors.html?nl=todaysheadlines&emc=edit_th_20140303

------------------------------

Date: Mon, 3 Mar 2014 11:04:26 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple Rolls Out CarPlay

Apple Rolls Out CarPlay Giving Drivers a Smarter, Safer & More Fun Way to Use iPhone in the Car
CarPlay Premieres with Leading Auto Manufacturers at the Geneva International Motor Show

GENEVA--March 3, 2014--Apple today announced that leading auto manufacturers are rolling out CarPlay, the smarter, safer and more fun way to use iPhone in the car. CarPlay gives iPhone users an incredibly intuitive way to make calls, use Maps, listen to music and access messages with just a word or a touch. Users can easily control CarPlay from the car's native interface or just push-and-hold the voice control button on the steering wheel to activate Siri without distraction. Vehicles from Ferrari, Mercedes-Benz and Volvo will premiere CarPlay to their drivers this week, while additional auto manufacturers bringing CarPlay to their drivers down the road include BMW Group, Ford, General Motors, Honda, Hyundai Motor Company, Jaguar Land Rover, Kia Motors, Mitsubishi Motors, Nissan Motor Company, PSA Peugeot Citroën, Subaru, Suzuki and Toyota Motor Corp.

http://www.apple.com/pr/library/2014/03/03Apple-Rolls-Out-CarPlay-Giving-Drivers-a-Smarter-Safer-More-Fun-Way-to-Use-iPhone-in-the-Car.html

------------------------------

Date: Mon, 3 Mar 2014 11:07:44 -0500
From: Monty Solomon <monty () roscom com>
Subject: Keurig Will Use DRM In New Coffee Maker To Lock Out Refill Market
  (Karl Bode)

Karl Bode, 3 Mar 2014

The single coffee cup craze has been rolling now for several years in both the United States and Canada, with Keurig, Tassimo, and Nespresso all battling it out to lock down the market.

In order to protect their dominant market share, Keurig makers Green Mountain Coffee Roasters has been on a bit of an aggressive tear of late. As with computer printers, getting the device in the home is simply a gateway to where the real money is: refills. But Keurig has faced the `problem' in recent years of third-party pod refills that often retail for 5-25% less than what Keurig charges. As people look to cut costs, there has also been a growing market for reusable pods that generally run anywhere from five to fifteen dollars.

Keurig's solution to this problem? In a lawsuit (pdf) filed against Keurig by TreeHouse Foods, they claim Keurig has been busy striking exclusionary agreements with suppliers and distributors to lock competing products out of the market. What's more, TreeHouse points out that Keurig is now developing a new version of their coffee maker that will incorporate the java-bean equivalent of DRM -- so that only Keurig's own coffee pods can be used in it: ...

http://www.techdirt.com/articles/20140227/06521826371/keurig-will-use-drm-new-coffee-maker-to-lock-out-refill-market.shtml
https://s3.amazonaws.com/s3.documentcloud.org/documents/1031250/treehouse-v-greenmountain.pdf
http://www.canadianbusiness.com/companies-and-industries/keurig-2-single-serve-coffee-pod-drm/

------------------------------

Date: Mon, 03 Mar 2014 14:49:18 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Yahoo breach exposes naked truth about online security"
  (Robert X. Cringely)

Robert X. Cringely, Infoworld, 28 Feb 2014
The umpteenth violation of our Internet privacy proves once again the dearth of common sense among us Web users
http://www.infoworld.com/t/cringely/yahoo-breach-exposes-naked-truth-about-online-security-237460

opening text:

The hits just keep on coming. Yesterday's news that Brit spy mongers recorded the video chats of 1.8 million Yahoo users over six months left me numb, as if I had inhaled a frosty Slurpee full of Novocain.

Yahoo claims no knowledge of the theft -- yeah, I said it, because that's what it is -- but that declaration is worthy of more than a little skepticism.

------------------------------

Date: Sunday, March 2, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: Snowden made cyber-geek nightmares true. Can 'private' be normal again?
  (Dan Gillmor)

Dan Gillmor, *The Guardian*, 28 Feb 2014
The NSA leaks created everyday interest in products built to protect. At a security pow-wow turned sour, that's a good thing.
http://www.theguardian.com/commentisfree/2014/feb/28/snowden-privacy-products-trustycon-2014

In the nearly nine months since the Edward Snowden revelations began on this website, some of the most jaw-dropping surveillance news has involved a company called RSA, which for years has been one of the top computer security firms in the world. Boiled down, RSA is alleged to have weakened a core element of a widely used encryption product at the behest of the National Security Agency, receiving $10 million in the process of providing a `back door' for government snooping.

RSA issued what amounted to a non-denial denial after Reuters' Joseph Menn broke a key part of the story back in December. This week, at its annual cyber-security conference here in San Francisco, the company was on defense at an event usually reserved for looking forward, not back. Its CEO said that any weakness was inadvertent, at least on RSA's part, and not the result of some nefarious deal with the US government. Respected cryptographer and university professor Matt Blaze summed it up nicely: ``Everyone to RSA: Did you deliberately sell us out, or are you incompetent? RSA: We're incompetent.''

It's too early to tell whether this incompetence -- or betrayal, take your pick -- will hit RSA and its $51bn parent company, EMC, where it should: on the bottom line. And despite a boycott by some scheduled speakers here, the RSA conference was well-attended. As one security expert who's expressed contempt for the company's behavior told me, it's still his best chance to catch up, face-to-face, with other top people in this still burgeoning field.

But the episode did spark another gathering, held Thursday across the street from where RSA held its conference, where the topic of the moment wasn't security, per se. It was trust, a commodity in short supply these days. `TrustyCon' -- short for the Trustworthy Technology Conference -- came together in a hurry after Mikko Hypponen, chief research officer for F-Secure, a Finnish security company, announced in January, in a public letter to RSA, that he was canceling his scheduled RSA conference talk and that his own company would skip the event entirely.

Hypponen, a rock star in the computer security world, gave the opening keynote at TrustyCon instead. It was a pessimistic assessment of technology users' chances to have a computing and communications they can genuinely trust in an age when nation-states have taken over as the most dangerous -- even malicious -- hackers on Earth. ``Our worst fears turned out to be fairly accurate,'' Hypponen said of what's transpired in the security world over the past few years. And he's right: in the past nine months, it's become clear that many of the people once derided as paranoid were, if anything, understating the reality of how much we're all being watched. Certainly, Thursday's revelation on this website that spy services had become outright peeping toms by hijacking webcam images would have sounded ridiculous not so long ago.

Alas, from betrayal rose a glimmer of hope in this insidery community -- that privacy might make an everyday comeback, and maybe even sell. At TrustyCon, for example, technologists updated the audience on an important security service for whistleblowers and the journalists to whom they leak documents. This was `SecureDrop', a project started by the late Aaron Swartz and now run by the Freedom of the Press Foundation which ensures safe communications by relying on the Tor web-anonymity system. No one says SecureDrop is perfect. But it is easy to use and robust, a vast improvement over what journalists have typically deployed. [...]

------------------------------

Date: Sun, 2 Mar 2014 08:13:07 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Ed Felten at TrustyCon

Princeton Professor and USACM Council Co-Vice-Chair Ed Felten gave the final talk at TrustyCon on 27 Feb 2104. This begins at 6:32:33 (six and one half hours into the day's events). Mikko Hypponen's keynote (see the previous RISKS item from Dan Gillmor) runs from 0:15:27 to 1:04:20.
http://www.youtube.com/watch?v=lkO8SNiDSw0?

The subject matter of TrustyCon (Trustworthy Technology Conference) might really be thought of as UnTrustyCon, referring to the `Untrustworthy confidence game' that it pervasively exposes.

------------------------------

Date: Sat, 1 Mar 2014 01:28:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple's Serious Security Issue: Update Your iPhone or iPad Immediately
  (Molly Wood)

This week, Apple rushed out a patch for its iOS 7 and iOS 6 operating systems to fix a serious security issue. Before I explain further, let me just say this: If you've gotten the prompt to update and you haven't, do it now. If you're still running older versions of iOS on your iPhone, iPod, or iPad, update now. Done? O.K., good.

- - - -

Apple Issues Fix for Security Problem on Macs
Molly Wood, *The New York Times* blogs, 25 Feb 2014
http://bits.blogs.nytimes.com/2014/02/24/apples-serious-security-issue-update-your-iphone-or-ipad-immediately/

Apple has finally issued a security update to its OS X Mavericks software for Macintosh computers, patching a bug that could have let hackers eavesdrop on supposedly encrypted connections and steal everything from usernames and passwords to location data. Version 10.9.2 comes four days after Apple patched iOS, its mobile operating system, to close the same hole. The OS X update addresses several security issues, including the so-called `goto fail' code bug, which Apple said could allow an attacker to capture or modify data in sessions users believe are protected by the Secure Sockets Layer (SSL) or Transportation Layer Security (TLS) encryption methods. ...

http://bits.blogs.nytimes.com/2014/02/25/apple-issues-fix-for-security-problem-on-macs/

------------------------------

Date: Fri, 28 Feb 2014 16:55:22 -0800
From: "Dennis E. Hamilton" <dennis.hamilton () acm org>
Subject: The goto Squirrel (Re: Petra et al., RISKS-27.77)

Oh look, a misplaced goto statement that short-circuits a security procedure. Squirrel!

It is amazing to me that, once the specific defect is disclosed (and the diff of the actual change has also been published), the discussion has devolved into one of coding style and whose code is better. I remember similar distractions around the Ariane 501 defect too, although in that case there was nothing wrong with the code -- the error was that it was being run when it wasn't needed and it was not simulation tested with new launch parameters under the mistaken assumption that if the code worked for Ariane 4, it should work for Ariane 5.

It is not about the code. It is not about the code. It is not about goto. It is not about coming up with ways to avoid introducing this particular defect by writing the code differently.

I say this is all about the engineering and delivery process that allowed this gaffe to be introduced into production code for a security-important procedure and allowed to remain there until someone noticed externally. The coding style could have been perfect, with the code still not establishing security correctly and it would have been put into the live release, all else being equal. Some of the offered alternatives, I daresay, offer many ways to inject a comparable defect that is much less apparent.

The defect was introduced when code was being patched to change the signature of some of the functions being called. This strikes me as a classic lapse about not testing what is thought to be obvious, although I have no idea what the actual scenario was.

There are many ways the particular defect could have been detected and remedied well before the code was committed to the code base. A walkthrough would likely catch it, assuming a skilled human other than the original programmer simply read through it. I bet explaining it on a walkthrough would probably have led the originator to notice it. A pretty-printer (or any IDE that reflows indentation) would point it out. So would a modern IDE that identifies unreachable code. Any practical code-coverage testing would reveal it too.

Furthermore, it is incomprehensible to me that a change to security-important code wasn't subjected to regression testing and confirmation of the procedure. For that matter, I'm a little disappointed that a review and commit by a senior technical-staff member was evidently not required.

What's appalling to me is the evident absence of risk management and procedures for detection and mitigation of regressions. It is incumbent on all of us to stand back from the code and look at the process by which injection of a regression was allowed to sit there and fester all this time.
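As an added illustration of the pattern under discussion (constructed for this archive page, not code from the digest or from Apple's SSL library), here is a key-exchange check whose duplicated `goto fail;` makes the signature verification unreachable, beside a fixed version; the hash and signature are toy stand-ins and every function name is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

typedef int OSStatus;
enum { errOK = 0, errHashUpdate = -1, errBadSignature = -2 };

/* Constructed stand-ins, not real crypto: the "hash" is FNV-1a over the
 * message, and a "signature" is valid iff it equals that digest. */
typedef struct { uint32_t h; } toy_hash_ctx;

static OSStatus hash_init(toy_hash_ctx *c) { c->h = 2166136261u; return errOK; }

static OSStatus hash_update(toy_hash_ctx *c, const uint8_t *p, size_t n) {
    if (p == NULL) return errHashUpdate;            /* the one way this step fails */
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return errOK;
}

static OSStatus verify_sig(const toy_hash_ctx *c, uint32_t sig) {
    return sig == c->h ? errOK : errBadSignature;
}

/* Produces the "valid" signature for a message, so a test can also forge one. */
uint32_t toy_sign(const uint8_t *msg, size_t n) {
    toy_hash_ctx c; hash_init(&c); hash_update(&c, msg, n); return c.h;
}

/* Constructed sample input standing in for ServerKeyExchange bytes. */
static const uint8_t kMsg[] = "constructed ServerKeyExchange bytes";
#define kMsgLen (sizeof kMsg - 1)

/* Vulnerable shape: the second `goto fail;` is not governed by the if above
 * it, so it always jumps. verify_sig() is unreachable, and err still holds
 * errOK from the last hash_update(), whatever signature was supplied. */
OSStatus verify_key_exchange_buggy(const uint8_t *msg, size_t n, uint32_t sig) {
    toy_hash_ctx ctx;
    OSStatus err;
    if ((err = hash_init(&ctx)) != errOK)
        goto fail;
    if ((err = hash_update(&ctx, msg, n)) != errOK)
        goto fail;
        goto fail;                                   /* stray duplicate line */
    if ((err = verify_sig(&ctx, sig)) != errOK)
        goto fail;
fail:
    return err;
}

/* Fixed shape: one goto per check, braces on every if so an extra line cannot
 * escape its condition, and the returned status comes from the signature check. */
OSStatus verify_key_exchange_fixed(const uint8_t *msg, size_t n, uint32_t sig) {
    toy_hash_ctx ctx;
    OSStatus err;
    if ((err = hash_init(&ctx)) != errOK) { goto fail; }
    if ((err = hash_update(&ctx, msg, n)) != errOK) { goto fail; }
    if ((err = verify_sig(&ctx, sig)) != errOK) { goto fail; }
fail:
    return err;
}
```

Building the buggy function with clang's `-Wunreachable-code -Werror` rejects it at compile time; current GCC accepts `-Wunreachable-code` for compatibility but no longer performs that analysis, so there a coverage run that shows the verify line never executing is the surer net.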
------------------------------

Date: Fri, 28 Feb 2014 17:57:48 -0600
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto' (RISKS-27.77)

... algol, curlies, bad code, fortran, oo ...

Or Apple could just read the fine manual for the compiler they presumably downloaded together with the rest of xBSD:

  gcc -Wunreachable-code -Werr

would've told them:

  cc1: warnings being treated as errors
  ... In function 'SSLVerifySignedServerKeyExchange':
  ... error: will never be executed

Dimitri Maziuk
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

------------------------------

Date: Sat, 01 Mar 2014 04:35:51 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto'

There's not enough space or patience in comp.risks to re-litigate the GOTO wars. However, for anyone interested in a deep understanding of the issues, you can start with Steele & Sussman's excellent paper `LAMBDA: The Ultimate Imperative' (and then read most of the papers in the computer science literature that reference this one):

http://dspace.mit.edu/bitstream/handle/1721.1/5790/AIM-353.pdf

In particular, one must have a thorough understanding of the term `continuation-passing style' before it is possible to have a useful discussion on the subject of GOTO's.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
  http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
  risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
  risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
  <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
  or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  <http://www.csl.sri.com/illustrative.html> for browsing,
  <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.

*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
  <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.78
************************