RISKS Forum mailing list archives
Risks Digest 28.68
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 11 Jun 2015 12:08:22 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 11 June 2015  Volume 28 : Issue 68
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.68.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
All U.S. United Flights Grounded Over Mysterious Problem (PGN)
Airbus transport crash caused by "wipe" of critical engine control data
  (Ars Technica)
Man dies in Corvette after battery cable becomes loose (Khou via Mark Thorson)
Traffic Hacking: Caution Light Is On (Nicole Perlroth)
OpenSesame: 10-sec universal garage door opener (Dennis Fisher)
Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find (NYTimes)
After Silences and Setbacks, the LightSail Spacecraft Is Revived (NYT)
Evidence of Healthcare Breaches Lurks On Infected Medical Devices (Werner U)
New exploit leaves most Macs vulnerable to permanent backdooring (Dan Goodin)
Breach in a Federal Computer System Exposes Personnel Data (NYTimes)
Chinese Hackers Behind Breach at Insurers Are Also Responsible for
  Government Attack (NYTimes)
Single Test for All Virus Exposure Opens Doors for Researchers (NYT)
Kaspersky Lab cybersecurity firm is hacked (BBC)
Consumers Dislike Data-Mining but Feel Helpless to Stop It (NYT)
Exclusive: In 'year of Apple Pay', many top retailers remain skeptical (Reuters)
"Governments of the World Agree: Encryption Must Die!" (Lauren Weinstein)
Japanese pension organization phished, 1.25M people's data leaked
  (chiaki ishikawa)
Twitter Advertisers Can Now Target You Based on the Other Phone Apps (recode)
Re: "NOBUS can shoot ourselves in the foot like this" (Chris Drewe)
Re: Volvo has an accident, but not the one you thought (Peter Ladkin)
Re: EU wants to kill open Wi-Fi (Peter Ladkin)
Re: You Can Be Prosecuted for Clearing Your Browser History (Henry Baker)
Re: House of Discards: Wikipedia pre-election edits (Henry Baker)
REVIEW - "The Florentine Deception", Carey Nachenberg (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 11 Jun 2015 11:03:52 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: All U.S. United Flights Grounded Over Mysterious Problem

All United Airlines flights in the US were grounded this morning for nearly an hour, over `dispatching information'. Various tweets from passengers suggest different possible explanations: hacked network? fake flight plans? disgorging random plans? dropped flight plans? Considerable confusion? The problem was then resolved.

http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/

------------------------------

Date: Wed, 10 Jun 2015 08:44:33 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Report: Airbus transport crash caused by "wipe" of critical engine control data

http://arstechnica.com/information-technology/2015/06/report-airbus-transport-crash-caused-by-wipe-of-critical-engine-control-data/

------------------------------

Date: Wed, 10 Jun 2015 13:18:17 -0700
From: Mark Thorson <eee () sonic net>
Subject: Man dies in Corvette after battery cable becomes loose

The doors don't open without battery power. There is a mechanical release, but it's hidden and many Corvette owners don't know about it. This man may have died while reading his owner's manual, which adds a new dimension to the term RTFM.

http://www.khou.com/story/news/local/texas/2015/06/10/texas-man-dog-die-after-being-trapped-in-corvette/70999112/

------------------------------

Date: 11 Jun 2015 09:49:32 -0400
From: "Bob Frankston" <bob19-0501 () bobf frankston com>
Subject: Traffic Hacking: Caution Light Is On (Nicole Perlroth)

Today's NYTimes.com
http://bits.blogs.nytimes.com/2015/06/10/traffic-hacking-caution-light-is-on/?_r=0

  [The article might be interpreted as implying that so-called `smart' anythings could all be vulnerable. No surprise to RISKS readers. PGN]

------------------------------

Date: Fri, 05 Jun 2015 14:24:25 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: OpenSesame: 10-sec universal garage door opener

FYI -- It usually takes me longer than 10 seconds to find the right button to push...

Dennis Fisher, 4 Jun 2015
Using a Toy to Open a Fixed-Code Garage Door in 10 Seconds
https://threatpost.com/using-a-toy-to-open-a-fixed-code-garage-door-in-10-seconds/113146

------------------------------

Date: Wed, 10 Jun 2015 09:46:51 -0400
From: Monty Solomon <monty () roscom com>
Subject: Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find

http://www.nytimes.com/2015/06/11/us/amtrak-crash-engineer-brandon-bostian-not-on-cellphone-ntsb-says.html

------------------------------

Date: Tue, 9 Jun 2015 03:10:31 -0400
From: Monty Solomon <monty () roscom com>
Subject: After Silences and Setbacks, the LightSail Spacecraft Is Revived

http://www.nytimes.com/2015/06/08/science/space/lightsail-setbacks-spacecraft-prepares-unfurl-sail.html

LightSail was successfully deployed and worked for two days before its computer crashed because of a software flaw. Eight days of silence followed until, as engineers expected, a high-speed charged particle zipping through space fortuitously scrambled part of the computer's memory and caused the computer to restart ... and deploy its solar sail.
------------------------------

Date: Tue, 9 Jun 2015 05:15:48 +0200
From: Werner U <werneru () gmail com>
Subject: Evidence of Healthcare Breaches Lurks On Infected Medical Devices

[ regarding 8 June 2015 article on The Security Ledger website ]

chicksdaddy <http://it.slashdot.org/%7Echicksdaddy> wrote on SLASHDOT
http://it.slashdot.org/story/15/06/08/166207/report-evidence-of-healthcare-breaches-lurks-on-infected-medical-devices

*Evidence that serious and widespread breaches of hospital- and healthcare networks is likely to be hiding on compromised and infected medical devices in clinical settings <https://securityledger.com/2015/06/x-rays-behaving-badly-devices-give-malware-foothold-on-hospital-networks/>, including medical imaging machines, blood gas analyzers and more, according to a report by the firm TrapX.

In the report, which will be released this week, the company details incidents of medical devices and management stations infected with malicious software at three separate customer engagements. According to the report, medical devices -- in particular so-called picture archive and communications systems (PACS) radiologic imaging systems -- are all but invisible to security monitoring systems and provide a ready platform for malware infections to lurk on hospital networks, and for malicious actors to launch attacks on other, high value IT assets.

Malware at a TrapX customer site spread from an unmonitored PACS system to a key nurse's workstation. The result: confidential hospital data was secreted off the network to a server hosted in Guiyang, China. Communications went out encrypted using port 443 (SSL), resulting in the leak of an unknown number of patient records.

"The medical devices themselves create far broader exposure to the healthcare institutions than standard information technology assets," the report concludes. One contributing factor to the breaches: Windows 2000 is the OS of choice for "many medical devices." The version that TrapX obtained "did not seem to have been updated or patched in a long time," the company writes.*

------------------------------

Date: Sun, 7 Jun 2015 23:33:08 -0400
From: Monty Solomon <monty () roscom com>
Subject: New exploit leaves most Macs vulnerable to permanent backdooring (Dan Goodin)

Hack allows firmware to be rewritten right after older Macs awake from sleep.
Dan Goodin, *Ars Technica*, 1 Jun 2015

Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/

------------------------------

Date: Fri, 5 Jun 2015 01:50:53 -0400
From: Monty Solomon <monty () roscom com>
Subject: Breach in a Federal Computer System Exposes Personnel Data

http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html

The intrusion, which appears to have involved information on about four million current and former government workers, was the third such breach in the last year.

------------------------------

Date: Fri, 5 Jun 2015 01:51:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Chinese Hackers Behind Breach at Insurers Are Also Responsible for Government Attack

Researchers say it suggests spies are no longer just stealing American corporate and military trade secrets, but personal information for some later purpose.

http://www.nytimes.com/2015/06/05/technology/chinese-hackers-behind-breach-at-insurers-are-also-responsible-for-government-attack-researchers-say.html

  [See also http://www.huffingtonpost.com/2015/06/04/government-data-breach_n_7514620.html PGN]

------------------------------

Date: Thu, 4 Jun 2015 20:12:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Single Test for All Virus Exposure Opens Doors for Researchers

http://www.nytimes.com/2015/06/05/health/single-blood-test-for-all-virus-exposures.html

It's like one-stop shopping for scientists: a blood test can now show every virus that has crossed a person's path, lending insight into disease.

------------------------------

Date: Wed, 10 Jun 2015 18:46:49 +0000
From: PGN
Subject: Kaspersky Lab cybersecurity firm is hacked (BBC)

BBC, 10 Jun 2015
http://www.bbc.com/news/technology-33083050

"Kaspersky Lab said it believed the attack was designed to spy on its newest technologies. It said the intrusion involved up to three previously unknown techniques."

------------------------------

Date: Fri, 5 Jun 2015 14:36:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Consumers Dislike Data-Mining but Feel Helpless to Stop It

Many Americans do not think the trade-off of their data for personalized services, giveaways or discounts is a fair deal, a University of Pennsylvania study found.

http://www.nytimes.com/2015/06/05/technology/consumers-conflicted-over-data-mining-policies-report-finds.html

------------------------------

Date: Sun, 7 Jun 2015 23:28:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Exclusive: In 'year of Apple Pay', many top retailers remain skeptical

http://www.reuters.com/article/2015/06/05/us-apple-pay-idUSKBN0OL0CM20150605

------------------------------

Date: Thu, 4 Jun 2015 14:18:52 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Lauren's Blog: "Governments of the World Agree: Encryption Must Die!"

Governments of the World Agree: Encryption Must Die!
http://lauren.vortex.com/archive/001104.html

Finally! There's something that apparently virtually all governments around the world can actually agree upon. Unfortunately, it's on par conceptually with handing out hydrogen bombs as lottery prizes.

If the drumbeat isn't actually coordinated, it might as well be. Around the world, in testimony before national legislatures and in countless interviews with media, government officials and their surrogates are proclaiming the immediate need to "do something" about encryption that law enforcement and other government agencies can't read on demand.

Here in the U.S., it's a nearly constant harangue over on FOX News (nightmarishly, where most Americans apparently get their "news" these days). On CNN, it's almost as pervasive (though anti-crypto tirades on CNN must share space with primetime reruns of a globetrotting celebrity chef and crime "reality" shows).

It's much the same if you survey media around the world. The names and officials vary, but the message is the same -- it's not just terrorism that's the enemy, it's encryption itself.

That argument is a direct corollary to governments' decidedly mixed feelings about social media on the Internet. On one hand, they're ecstatic over the ability to monitor the public postings of criminal organizations like ISIL (or ISIS, or Islamic State, or Daesh -- just different labels for the same fanatical lunatics) that sprung forth from the disastrously misguided policies of Bush 1 and Bush 2 era right-wing neocons -- who not only set the stage for the resurrection of long-suppressed religious rivalries, but ultimately provided them with billions of dollars worth of U.S. weaponry as well. Great job there, guys.

Since it's also the typical role of governments to conflate and confuse issues whenever possible for political advantage, when we dig deeper into their views on social media and encryption we really go down the rabbit hole.

While governments love their theoretical ability to track pretty much every looney who posts publicly on Twitter or Facebook or Google+, governments simultaneously bemoan the fact that it's possible for uncontrolled communications -- especially international communications -- to take place at all in these contexts.

In particular, it's the ability of radical nutcases overseas to recruit ignorant (especially so-called "lone wolf") nutcases in other countries that is said to be of especial concern, notably when these communications suddenly "go dark" off the public threads and into private, securely encrypted channels.

"Go dark" -- by the way -- is now the government code phrase for crypto they can't read on demand. Dark threads, dark sites, dark links. You get the idea.

One would be remiss to not admit that these radical recruiting efforts are of significant concern. But where governments' analysis breaks down massively is with the direction of their proposed solutions, which aren't aimed at addressing the root causes of fanatical religious terrorism, but rather appear almost entirely based on preventing secure communications -- for anybody! -- in the first place.

Naturally they don't phrase this goal in quite those words. Rather, they continue to push (to blankly nodding politicians, journalists, and cable anchors) the tired and utterly discredited concept of "key escrow" cryptography, where governments would have "backdoor" keys to unlock encrypted communications, supposedly only when absolutely necessary and with due legal process.

Rewind 20 years or so and it's like "Groundhog Day" all over again, back in the early to mid 90s when NSA was pushing their "Clipper Chip" hardware concept for key escrowed encryption, an idea that was mercilessly buried in relatively short order.

But like a vampire entombed without appropriate rituals, the old key escrow concepts have returned to the land of the living, all the uglier and more dangerous after their decades festering in the backrooms of governments.

The hardware Clipper concept dates to a time well before the founding of Twitter or Facebook, and a few years before Google's arrival. Apple existed back then, but centralized social media as we know it today wasn't yet even really a glimmer in anyone's eye.

While governments generally seem to realize that stopping all crypto that they can't access on demand is not practical, they also realize that the big social media platforms (of which I've named only a few) -- where most users do most of their social communicating -- are the obvious targets for legislative, political, and other pressures.

And this is why we see governments subtly (and often, not so subtly) demonizing these firms as being uncooperative or somehow uncaring about fighting evil, about fighting crime, about fighting terrorism. How dare they -- authorities repeat as a mantra -- implement encryption systems that governments cannot access at the click of a mouse, or sometimes access at all under any conditions.

Well, welcome to the 21st century, because the encryption genie isn't going back into his bottle, no matter how hard you push.

Strong crypto is critical to our communications, to our infrastructures, to our economies, and increasingly to many other aspects of our lives.

Strong crypto is simply not possible -- let's say that once more with feeling -- not possible, given key escrow or other government backdoors designed into these systems. There is no practical or even theoretically accepted means for including such mechanisms without fatally weakening the entire associated encryption ecosystem, and opening it up to all manner of unauthorized access via hacking and various subversions of the key escrow process.

But governments just don't seem willing to accept the science and reality of this, and keep pushing the key escrow meme. It's like the old joke about the would-be astronaut who wanted to travel to the sun, and when reminded that he'd burn up, replied that it wasn't a problem, because he'd go at night. Right.

Notably, just as we had governments who ignored realistic advice and unleashed the monsters of religious fanatical terrorism, we now have many of the same governments on the cusp of trying to hobble, undermine, and decimate the strong encryption systems that are so very vital.

There's every reason to believe that we'd experience a similarly disastrous outcome in the encryption context as well, especially if social media firms were required to deploy only weak crypto -- putting the vast populations of innocent users at risk -- while driving the bad guys even further underground and out of view.

If we don't vigorously fight back against government efforts to weaken encryption, we're all going to be badly burned.

------------------------------

Date: Fri, 05 Jun 2015 13:29:31 +0900
From: chiaki ishikawa <ishikawa () yk rim or jp>
Subject: Japanese pension organization phished, 1.25M people's data leaked

Reading the discussion about "Re: Only 3% of people aced Intel's phishing quiz", I have to wonder how much we should educate the general public AND the SYSTEM INTEGRATORS who hire new graduates without much experience in security matters.

The recent news brought home this issue: Japanese Pension Service (run by the government) was attacked by phishing, and as a result, data for 1.25 million people got leaked according to news articles in the past few days.

What irked me most, as someone who is in the ICT industry and has interest in security matters, is the comment uttered by a senior official according to some news articles in different publications.
(So I assume it was on a live interview or something and *is* FOR REAL, to my utter dismay.)

My translation: "The organization will take more security measures including that the PCs that handle individual's data cannot access outside Internet, ..."

A PC/terminal that handles the privacy information at Pension Service can talk directly to the outside WAN? I WAS INCREDULOUS INITIALLY. And this seems to be the case, indeed, and that is how a large amount (maybe not total) of the leak seems to have occurred. Sigh.

In the aftermath of the revealed incidence, some high government officials blamed the pension fund for its handling of private data and that a clerk should not open an attachment to e-mail from outside sources. But to err is human. I think such an organization ought to

1. Use a customized mail client so that the clerk on a PC that handles the sensitive data can never open an attachment at all: Yes, what I mean is even if a clerk can click on an attachment or a URL within the main text by mistake or something, it SHOULD NOT OPEN it at all. (Well, I think mozilla's mailer is open source, and there are other source mail clients. Customizing to disable certain operations won't be difficult. (If a clueless correspondent sends an attachment, it can be opened in a very very carefully quarantined computer running a virtual PC environment, after forwarding to it.)

AND OF COURSE

2. Such PC with sensitive data should not be capable of talking to the outside Internet directly.

Regarding the second point, the sophistication of the worms means that they may be able to install a communication proxy on an Internet-capable intranet PC that relays the communication from the Internet-blocked PC to the outside world, but a proper filtering at the local PCs or switches ought to prevent such issues: I looked at Norton Internet security on my PC and I think it can restrict communication only to a selected few and it can disable all the inbound communication. So it can thwart the use of proxy, etc. (And actually, this has been a pain in the neck when I try to use a Privoxy proxy running on a PC from a linux image running on a different PC). So it is doable easily today. Of course, we need constant and independent check of the firewall setting of such locally installed security tool.

Anyway, I really would like to know who DESIGNED the intranet at the Pension Service so that we can learn from the mistakes...

I found some English articles about this.

[1] https://www.itgovernance.co.uk/blog/1-25-million-japanese-pension-records-leaked-following-phishing-attack/
[2] http://www.tripwire.com/state-of-security/latest-security-news/hackers-steal-over-a-million-japanese-citizens-personal-data-in-targeted-attack/

But these leave some key issues missing and a little misinformed to the degree of the serious nature of the attack.

Today's Asahi Shimbun newspaper article (online) [in Japanese] gives a very detailed good report of what has happened.
http://www.asahi.com/articles/ASH647G88H64UTIL04R.html?iref=comtop_6_01

Usually details remain obscured for this type of incidents, but given the sloppy work of system integrator(s) at key government services in the past, I think someone high up in the command of government security matters must have decided that the detailed explanation would be good to educate the ICT community to rise up from this shoddy level of awareness. At least the next time something like this happens, government can sue system integrators for gross negligence by citing this incident and publicized method of the attack. NOW THERE IS ECONOMICAL INCENTIVE on the side of system integrators to make sure proper security measures are in place. I suspect this is the only stick that sinks in security lessons.

From the above link of Asahi Shimbun, I have learned the following:

A certain "Takemura" sent an e-mail using some jargon in the pension business and explained that he sent some suggestions to the procedure at the organization and this made the recipient believe that the sender is well versed in pension matters. Now, according to the article, the clerk clicked on the URL at the end of the e-mail (ok, so no attachment is involved this time around, but a mere URL clicking.) [At least my suggestion above would block this operation.] This caused a download of malware with 0-day attack! It collected ID of the user on the PC, etc. Also, this malware subsequently downloaded a bot software. There was a trace that this malware created clones so that even if one is eradicated, the others would remain, and it seems that it tried to connect to other PCs on the LAN.

Within less than 5 hours of the contamination, the Pension Service was notified of strange network activity of the PC by NISC (National Information Security Center), and pulled the plug. This was on May 8th.

10 days later, in two-minute intervals, about 100 phishing e-mails arrived at addresses within the organization, including some which were never publicized outside before, with virus attachment and now the "From:" address shown was that of an INTERNAL address (!). But the originating IP address was the same as that of the initial attack. [Obviously some clever attack is being waged.] I have no idea whether the e-mail from the originating IP address was blocked or not.

Anyway, on May 21, two PCs in the same office were found to be communicating with external IP addresses. Surprise. One is the "replacement PC" of the clerk whose PC was pulled off the network (!?) On May 23, 9 more PCs in a different office (now in Tokyo) were found to be doing the same. The rest is history.

At least the newspaper article stated the forensics has only determined how the initial PC and the two PCs found on May 21 were attacked and hijacked. It is not known how others got infected.

Current Japanese administration is trying to introduce a single numeric ID for each citizen in Japan for efficient administrative process a la SS number in USA. In the face of this breach, it is hard to sell such a policy now. Too easy target for ID theft, etc. unless proper security measures and the preventive measures for limiting the damage of ID theft are in place.

At least, I hope that there will be more scrutiny on the security design of the computer systems.

P.S. I suspect this phishing is a part of well orchestrated attacks by an organized crime or something. News articles report the police seems to have found a part of the leaked data on data servers used by previous phishing attacks (which I assume they have been monitoring for illegal activities).

------------------------------

Date: Wed, 10 Jun 2015 22:27:53 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Twitter Advertisers Can Now Target You Based on the Other Phone Apps

http://recode.net/2015/06/10/twitter-advertisers-can-now-target-you-based-on-the-other-apps-on-your-phone/

  For the past six months, Twitter has been collecting data on which smartphone apps its users download. Now, the company is using that data to make some money. Twitter announced on Wednesday that its advertisers can use that app information to target users with ads. Marketers will be able to target you based on the different categories of apps you have downloaded onto your phone as well as how recently you downloaded them.

I'm incredibly disappointed in the direction Twitter has been taking. I understand why they've felt they need to go in this direction, but that's not an excuse. They're spamming like mad, and now this. Unacceptable, and why I hardly use Twitter any more.
------------------------------

Date: Wed, 10 Jun 2015 15:10:17 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: "NOBUS can shoot ourselves in the foot like this" (RISKS-28.67)

As it happens, there's a review in this weekend's newspaper of a book 'The New Spymasters' by Stephen Grey (Viking) which makes a similar point.
http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html

In summary it says:

  Langley was far too reliant on technology (or SIGINT), preferring to amass vast amounts of data on suspected terrorists with few credible human sources to corroborate it. As Grey observes: ``All this scientific espionage was bewitching. Cool gadgets and smart techniques inspired awe and a confidence that was comparable to religious zeal.'' ... What was missing from the American approach, in the author's view, was good, old-fashioned HUMINT. ``Human spies can be terribly frail and unreliable, but without any element of understanding and verification through human intelligence, and without basic common sense, terrible errors are bound to follow.''

There's some debate here in the UK right now (following the recent election) on what surveillance powers the authorities should have; as usual, there's a hard sell for the idea that if they can't "collect it all" then we'll all be blown up by terrorists, but personally I'm more afraid of the country becoming like 1970s East Germany.

Charles Cumming, What's the point of spies?
A new book about spying argues that modern digital surveillance is no substitute for old-fashioned espionage
http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html

  [Long item truncated for RISKS. PGN]

------------------------------

Date: Fri, 05 Jun 2015
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Re: Volvo has an accident, but not the one you thought (Reisert)

Jim Reisert pointed to a fusion.net article in Risks 28.66 on someone experimenting with a Volvo inadvisedly. Andrew Pam pointed out some of the real context in Risks 28.67.

I searched for articles on the incident. There are a few, but many are derivative. I summarised what I found in
http://www.abnormaldistribution.org/2015/06/05/volvo-has-an-accident/ , and commented.

There has to be some lesson in someone trying out a protective function, on live people, with which the car was not equipped. There has to be some lesson in trying out any protective function on live people. There has to be some lesson in conducting the trial in such a way that the protective function would have been suppressed. And there has to be some lesson in conducting this trial without informing oneself about the capabilities of the vehicle or taking elementary safety precautions in case things go wrong.

This last, BTW, is also a problem for professionals. There are incidents of professional pilots conducting return-to-service tests on commercial aircraft ... and of augering in because they were assuming the tests would succeed and they didn't!

The main lesson is to remember that functional tests can always have at least two outcomes: pass and fail.

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com

------------------------------

Date: Fri, 05 Jun 2015 13:01:02 +0200
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Re: EU wants to kill open Wi-Fi (Weinstein, Risks 28.67)

Lauren Weinstein writes misleadingly about German law and Wi-Fi networks in RISKS-28.67. He says

  "...the Court of Justice of the European Union ..... is asked whether an enforcement practice requiring open wireless networks to be locked is an acceptable one. Germany's Federal Supreme Court in 2010 held that the private operator of a wireless network is obliged to use password protection in order to prevent abuse by third parties....."

Let me set the record straight. There is no such requirement and no such obligation in Germany (or anywhere else I know).

The CJEU has been asked by a lawyer with Pinsent Masons to rule on whether operators of unsecured Wi-Fi networks can be held liable for copyright infringement conducted using their networks.
http://www.out-law.com/en/articles/2014/november/cjeu-asked-to-rule-on-copyright-liability-of-operators-of-free-and-open-wi-fi-networks-/

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com

------------------------------

Date: Thu, 04 Jun 2015 21:39:43 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: You Can Be Prosecuted for Clearing Your Browser History (R-28.67)

FYI -- Hmmm... Not a single Wall Street banker has faced jail time due to their part in almost bankrupting the country (and the world), yet we're using the *Sarbanes-Oxley Act* !?!, a law aimed at financial wrongdoing enacted by Congress in the wake of the Enron scandal, to prosecute non-financial crimes?

Remind me again which Constitution is supposed to be in effect in the U.S. ?

------------------------------

Date: Fri, 05 Jun 2015 10:25:17 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: House of Discards: Wikipedia pre-election edits (Ladkin)
It's only one sentence; he doesn't justify the connection he makes and I don't see one.
Two words: "Dennis Hastert". Dennis Hastert was 3rd in line to be President, and presided over a lot of legislation regarding sexual harassment (and worse). Due to Wikipedia (& other) edits, "right-to-be-forgotten" countries will now be electing their own Dennis Hasterts. Those who are ready to forget the past shouldn't be surprised when the past repeats itself.

Once again, "right-to-be-forgotten" is incompatible with democratic representative government. Yes, remembering past mistakes is painful, but the alternative (totalitarian govt) is far, far worse.

------------------------------

Date: Wed, 10 Jun 2015 09:06:33 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: REVIEW - "The Florentine Deception", Carey Nachenberg

BKFLODEC.RVW 20150609

"The Florentine Deception", Carey Nachenberg, 2015, 978-1-5040-0924-9, U$13.49/C$18.91
%A Carey Nachenberg http://florentinedeception.com
%C 345 Hudson Street, New York, NY 10014
%D 2015
%G 978-1-5040-0924-9 150400924X
%I Open Road Distribution
%O U$13.49/C$18.91 www.openroadmedia.com
%O http://www.amazon.com/exec/obidos/ASIN/150400924X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/150400924X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/150400924X/robsladesin03-20
%O Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 321 p.
%T "The Florentine Deception"

It gets depressing, after a while. When you review a bunch of books on the basis of the quality of the technical information, books of fiction are disappointing. No author seems interested in making sure that the technology is in any way realistic. For every John Camp, who pays attention to the facts, there are a dozen Dan Browns who just make it up as they go along. For every Toni Dwiggins, who knows what she is talking about, there are a hundred who don't.

So, when someone like Carey Nachenberg, who actually works in malware research, decides to write a story using malicious software as a major plot device, you have to be interested. (And besides, both Mikko Hypponen and Eugene Spafford, who know what they are talking about, say it is technically accurate.)

I will definitely grant that the overall "attack" is technically sound. The forensics and anti-forensics make sense. I can even see young geeks with more dollars than sense continuing to play "Nancy Drew" in the face of mounting odds and attackers. That a vulnerability can continue to go undetected for more than a decade would ordinarily raise a red flag, but Nachenberg's premise is realistic (especially since I know of a vulnerability at that very company that went unfixed for seven years after they had been warned about it). That a geek goes rock-climbing with a supermodel we can put down to poetic license (although it may increase the license rates). I can't find any flaws in the denouement.

But. I *cannot* believe that, in this day and age, *anyone* with a background in malware research would knowingly stick a thumb/jump/flash/USB drive labeled "Florentine Controller" into his, her, or its computer. (This really isn't an objection: it would only take a couple of pages to have someone run up a test to make sure the thing was safe, but ...)

Other than that, it's a joy to read. It's a decent thriller, with some breaks to make it relaxing rather than exhausting (too much "one damn thing after another" gets tiring), good dialog, and sympathetic characters. The fact that you can trust the technology aids in the "willing suspension of disbelief."

While it doesn't make any difference to the quality of the book, I should mention that Carey is donating all author profits from sales of the book to charity: http://florentinedeception.weebly.com/charities.html

copyright, Robert M. Slade 2015 BKFLODEC.RVW 20150609
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.

*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.68
************************