RISKS Forum mailing list archives
Risks Digest 28.72
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 22 Jun 2015 15:01:28 PDT
RISKS-LIST: Risks-Forum Digest  Monday 22 June 2015  Volume 28 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.72.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Possible Seasonal Slowdown Begins]
Polish airline LOT hacked, flights suspended for hours (Michal Rosa)
8 Indicted in Identity Thefts of Patients at Montefiore Medical Center
  (NYT via Monty Solomon)
US agency plundered by Chinese hackers made one of the dumbest security
  moves possible (Business Insider)
Australia passes controversial anti-piracy web censorship law (Ars Technica)
Reason.com hit with federal subpoena to identify online commenters
  (Steve Golson)
"Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory" (WiReD)
Michael Bacon <michaelbacon () tiscali co uk>
The Titanic and the Ark -- Re: pension org phished (Michael Bacon)
Re: L.A. plans potentially disastrous switch to "electronic" voting
  (Steve Lamont)
Subject: Re: Major League Baseball cancels 60 million all-star votes
  (Harlan Rosenthal, RISKS-28.71)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 21 Jun 2015 23:01:49 +0000
From: "Rosa, Michal" <michal.rosa () hp com>
Subject: Polish airline LOT hacked, flights suspended for hours notsp

A number of flights operated by the Polish national airline LOT were grounded on Sunday, June 22 as unknown hackers gained access to LOT's computers. According to the official communique, the computers were attacked in a way which made it impossible to print flight plans for airliners departing from Warsaw.

According to LOT there was no danger to any of the aircraft already in the air; the only thing the attack prevented was the creation and printing of flight plans for regular flights departing from Warsaw. LOT reported the problem at 4pm on Sunday and the problem was apparently resolved by 8.45 pm. At the moment no other details are known.

http://niebezpiecznik.pl/post/komputery-lot-u-zaatakowane-samoloty-uziemione/
- link in Polish only, sorry.

------------------------------

Date: Mon, 22 Jun 2015 02:10:25 -0400
From: Monty Solomon <monty () roscom com>
Subject: 8 Indicted in Identity Thefts of Patients at Montefiore Medical Center

A hospital employee and seven others were indicted on Friday on charges of stealing the personal information of as many as 12,000 patients.

http://www.nytimes.com/2015/06/20/nyregion/8-indicted-in-identity-thefts-of-patients-at-montefioremedical-center.html

------------------------------

Date: Sat, 20 Jun 2015 20:30:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: US agency plundered by Chinese hackers made one of the dumbest
  security moves possible (Re: RISKS-28.69,71)

http://www.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6

Contractors in Argentina and China were given "direct access to every row of data in every database" when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica.

  [See also, from Monty Solomon:
  Undetected for nearly a year, Chinese intruders executed a sophisticated hack that gave them administrator privileges in government networks. Their ultimate target: information on anyone seeking a security clearance.
  http://www.nytimes.com/2015/06/21/us/attack-gave-chinese-hackers-privileged-access-to-us-systems.html
  PGN]

------------------------------

Date: Mon, 22 Jun 2015 07:29:56 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Australia passes controversial anti-piracy web censorship law (Ars)

Ars via NNSquad
http://arstechnica.co.uk/tech-policy/2015/06/australia-passes-controversial-anti-piracy-web-censorship-law/

As well as being based on a false premise, the new law will also be ineffectual, since Australians can simply use web proxies and VPNs to circumvent any blocks that are imposed. This has raised the fear that the courts will go on to apply the new law to VPN providers, although Australia's Communications Minister Malcolm Turnbull has insisted this won't happen. According to TorrentFreak, last week Turnbull said: "VPNs have a wide range of legitimate purposes, not least of which is the preservation of privacy--something which every citizen is entitled to secure for themselves--and [VPN providers] have no oversight, control or influence over their customers' activities." If Turnbull sticks to that view, it is likely that Australians will turn increasingly to VPNs to nullify the new law.

------------------------------

Date: Sat, 20 Jun 2015 14:13:35 -0400
From: Steve Golson <sgolson () trilobyte com>
Subject: Reason.com hit with federal subpoena to identify online commenters

Reason.com, a leading libertarian website affiliated with Reason magazine, received a federal grand jury subpoena compelling them to identify anonymous commenters. The subpoena included a gag order so Reason.com could not talk about it. Until now:

http://reason.com/blog/2015/06/19/government-stifles-speech
http://popehat.com/2015/06/08/department-of-justice-uses-grand-jury-subpoena-to-identify-anonymous-commenters-on-a-silk-road-post-at-reason-com/
http://popehat.com/2015/06/11/media-coverage-of-the-reason-debacle/

But Reason.com is not the dark web. Many of our regular commenters voluntarily display either personal website information or their email addresses. In fact, three of the six commenters subject to this very subpoena voluntarily displayed public links to personal blogs at Blogger as part of their comments, one of which further links to a Google+ page. Raising the question: How can the government view these so-called "threats" as so nefarious when people posted them in such a non-anonymous fashion?

------------------------------

Date: Sat, 20 Jun 2015 16:54:40 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory"

http://www.wired.com/2015/06/facebook-real-name-policy-problems/

"TWO WEEKS AGO, Facebook locked me out of my profile. My photos and friends are gone, my profile vanished without a trace. Someone reported my account as pseudonymous, and Facebook kicked me out. To get back in, I must provide various forms of identification proving the authenticity of my username. I'm not going to. I am one of many casualties of Facebook's recently rejiggered "authentic name" policy, wherein anonymous users can report a name as fake and trigger a verification process. Part of the motivation is stopping the proliferation of celebrity imposter accounts and profiles made for pets. But it's also allowed Facebook to shutter the accounts of real people, based on "authenticity." What does "authentic" mean, though? It's both confusing and contextual, because identity itself is confusing and contextual."

Yet another difference with Google. When they realized that the entire "real name" paradigm just didn't work out well for users in Google+, Google actually learned from this and moved beyond it to an open naming model. In contrast, Facebook just keeps repeating its own mistakes again, and again, and again ...

  [FaRcebook with R for Repeat?  PGN]

------------------------------

Date: Sat, 20 Jun 2015 13:17:38 +0100
From: Michael Bacon <michaelbacon () tiscali co uk>
Subject: The Titanic and the Ark (was: Japanese pension organization
  phished ... (Macintyre RISKS- 28.67)

"... very few employers seem interested in factoring [IT certifications] into their hiring process."

Over many years I have interviewed prospective employees for a variety of roles, from screen-watchers in a SOC to top-flight consultants in 'Big Six' practices. A great many have adduced certificates of competency in IT and IT/Information Security. Few have stood my scrutiny.

I have seen candidates with CISSP after their name who had zero trade experience; I have seen CISAs who couldn't audit their way out of a paper bag; I have seen people with a "practitioner" certificate whose acquired knowledge is useless in practice; and I have shown the door to those with a plethora of Microsoft, Cisco and other manufacturer certifications who couldn't explain what the first letter in SFTP, SSH, SHTTP meant, let alone how it worked.

In short, I have never put much store by certificates, but a lot on real-world, nose-to-the-grindstone, ear-to-the-ground, demonstrable experience, ideally with a major cock-up in their past from which they have learned major lessons. As a consequence, I have recruited great people who were logical in thought, thorough in approach, and tenacious in execution, and who have gone on to have great careers. But not one of the best I could name had any certificate to back up the skills I hired them for.

The Ark was built by one man with no qualifications, the Titanic by people with certificates.

------------------------------

Date: Sat, 20 Jun 2015 15:07:04 -0700
From: spl () tirebiter org (Steve Lamont)
Subject: Re: L.A. plans potentially disastrous switch to "electronic" voting

Here's the problem: our election system is *already* hacked and has been for decades.

It seems perversely (and perhaps intentionally) designed to keep all but the most fervent partisans from voting, especially in off-year elections, where most of the mischief seems to now occur. News archives are replete with tales of voters standing for hours in enormously long lines, waiting for the chance to exercise their franchise. Shortages of paper ballots are frequent. And, now, of course, states seem to be intent upon erecting further roadblocks to voting through voter ID laws, which "solve" the largely non-existent problem of voter fraud.

And we wonder why voter turnout becomes progressively worse each election and why all too often elections are decided by a few zealots, resulting in the warped Congress and Senate currently installed in Washington, DC (and that includes members of *both* parties, mind you).

Now I'm not necessarily advocating electronic voting and certainly not Internet voting, given the current state of the technology, but perhaps the time has come for the technologists and security mavens reading this list to go beyond mere nay-saying and skepticism and come up with verifiable, auditable solutions that make voting as easy as, say, ordering a new gadget from Amazon.

------------------------------

Date: Sun, 21 Jun 2015 07:13:38 -0500 (CDT)
From: Harlan Rosenthal <harlan.rosenthal () verizon net>
Subject: Re: Major League Baseball cancels 60 million all-star votes
  (RISKS-28.71)

Look on the bright side: at least the risks were made obvious and apparent in a vote that has enough importance for people to care (and for publicity), but less importance than a real governmental vote.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 <http://www.csl.sri.com/illustrative.html> for browsing,
 <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
 <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.72
************************