RISKS Forum mailing list archives
Risks Digest 29.32
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 7 Mar 2016 13:38:41 PST
RISKS-LIST: Risks-Forum Digest  Monday 7 March 2016  Volume 29 : Issue 32

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.32.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Risk to babies' health due to an alleged cover up of patient information
  system failures: Israeli clinics converted to new system (Omer Zak)
Cisco NX-OS switch risk (Martyn Thomas)
France to Jail Tech Execs over Encryption (The Register)
Big Brother is tracking all of us...except for terrorists (via Paul Saffo)
Apple vs FBI -- Another Constitutional Issue (David E. Ross)
Apple VP: The FBI wants to roll back safeguards that keep us a step ahead
  of criminals (WashPo)
Competing Interests on Encryption Divide Top Obama Officials (NYTimes)
Joining Together to Avoid a Troubling Legal Precedent (Google)
Re: ISIS turns to foreign encryption products as Apple-FBI fight rages
  in U.S. (Amos Shapir)
Re: NY Judge rules in Apple favor (John Levine)
Re: Apple vs FBI ... (Peter Bernard Ladkin, Keith Medcalf, Henry Baker)
Re: IRS identity theft story -- wanna bet it is much, much bigger?
  (John Levine)
Drone conflict update (ACLU+ via AlMac)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 07 Mar 2016 00:30:05 +0200
From: Omer Zak <w1 () zak co il>
Subject: Risk to babies' health due to an alleged cover up of patient
  information system failures: Israeli clinics converted to new system

(Article in Hebrew, use Google Translate)
http://www.nrg.co.il/online/1/ART2/759/045.html

There is a serious problem in the information system serving the "Tipat Chalev" (Drop of Milk) network of clinics in Israel. Those clinics monitor the health of babies, their growth, and vaccinate them.

The problems are that wrong data is recorded for the babies -- no record of vaccinations which were administered, vaccinations that were not in fact administered have been recorded, information about baby's development recorded for the wrong patient, etc. There are also interruptions during data entry, causing the nurses in the clinics not to be sure if the data was actually entered into the system.

The problem was caused by conversion from one computerized system into another computerized system. There are allegations that the Ministry of Health is covering up the problem. However, now the problem was brought to the attention of the Knesset.

------------------------------

Date: Fri, 4 Mar 2016 13:15:08 +0000
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Cisco NX-OS switch risk

Sigh!

``A vulnerability in Cisco NX-OS Software running on Cisco Nexus 3000 Series Switches and Cisco Nexus 3500 Platform Switches could allow an unauthenticated remote attacker to log in to the device with the privileges of the root user with bash shell access. The vulnerability is due to a user account that has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system.''

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n3k

------------------------------

Date: Fri, 4 Mar 2016 16:11:12 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: France to Jail Tech Execs over Encryption (The Register)

http://www.theregister.co.uk/2016/03/04/france_to_jail_tech_execs_over_encryption/

------------------------------

Date: Sat, 5 Mar 2016 09:47:21 -0800
From: Paul Saffo <paul () saffo com>
Subject: Big Brother is tracking all of us...except for terrorists

[From a friend who prefers not to be identified.]
Date: March 5, 2016
Subject: Big Brother is tracking all of us...except for terrorists
Interesting video (in French, sorry, but the picture speaks for itself) sent by an unknown Middle-eastern technician to his "brothers and sisters" explaining how to disable the remote tracking features of a Galaxy4 smart phone.
As the instructor says, "don't panic"...
------------------------------

Date: Thu, 3 Mar 2016 17:21:05 -0800
From: "David E. Ross" <david () rossde com>
Subject: Apple vs FBI -- Another Constitutional Issue

The U.S. Supreme Court ruled in both the "Citizens United" and the "Hobby Lobby" cases that corporations are persons no less than living, breathing persons. That is, the Supreme Court eliminated the distinction between corporeal persons and corporate persons.

The FBI is demanding that Apple perform a task that Apple would not otherwise do. The 13th amendment to the U.S. Constitution prohibited involuntary servitude. It makes no exception for national security, criminal investigations, or acts of terrorism.

In any case, I have not heard that the FBI is willing to pay Apple's costs for subverting the security of its iPhone. Those costs would not merely be the labor costs of actually unlocking one phone; they would also include the costs of lost sales when potential customers stop trusting Apple. Lacking any offer of compensation, what the FBI proposes would be a violation of the last phrase of the 5th amendment of the Constitution: "nor shall private property be taken for public use, without just compensation."

------------------------------

Date: Sun, 6 Mar 2016 18:16:08 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Apple VP: The FBI wants to roll back safeguards that keep us a step ahead of criminals (WashPo)

*The Washington Post* via NNSquad
https://www.washingtonpost.com/opinions/apple-vp-the-fbi-wants-to-roll-back-safeguards-that-keep-us-a-step-ahead-of-criminals/2016/03/06/cceb0622-e3d1-11e5-a6f3-21ccdbc5f74e_story.html

  That's why it's so disappointing that the FBI, Justice Department and others in law enforcement are pressing us to turn back the clock to a less-secure time and less-secure technologies. They have suggested that the safeguards of iOS 7 were good enough and that we should simply go back to the security standards of 2013.

  But the security of iOS 7, while cutting-edge at the time, has since been breached by hackers. What's worse, some of their methods have been productized and are now available for sale to attackers who are less skilled but often more malicious.

------------------------------

Date: Sat, 5 Mar 2016 17:02:58 -0500
From: Monty Solomon <monty () roscom com>
Subject: Competing Interests on Encryption Divide Top Obama Officials (NYTimes)

While the White House denies any internal disagreement over its legal battle with Apple, the differences in the administration have become increasingly apparent.
http://www.nytimes.com/2016/03/06/us/politics/competing-interests-on-encryption-divide-top-obama-officials.html

------------------------------

Date: Thu, 3 Mar 2016 19:55:11 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Joining Together to Avoid a Troubling Legal Precedent

[Google via NNSquad]

  Today, Google joined a variety of technology companies to file an amicus brief in US federal court. Together, we are voicing concern about the use of a broad statute from the 18th century, the All Writs Act, to require companies to re-engineer important security features that protect people and their data.

http://googlepublicpolicy.blogspot.com/2016/03/joining-together-to-avoid-troubling.html

  [PGN suggests also:
  http://www.apple.com/pr/library/2016/03/03Amicus-Briefs-in-Support-of-Apple.html]

------------------------------

Date: Sun, 6 Mar 2016 18:44:09 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: ISIS turns to foreign encryption products as Apple-FBI fight rages in U.S. (RISKS-29.31)

It's yet another reminder:
If strong encryption is outlawed, only outlaws would have strong encryption;
If encryption tools without backdoors are outlawed, only outlaws would have encryption tools without backdoors;
If encryption without key escrow is outlawed, only outlaws would have encryption without key escrow;
etc., etc...

------------------------------

Date: 4 Mar 2016 02:26:00 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: NY Judge rules in Apple favor (Macintyre, RISKS-29.31)

I read the 50-page James Orenstein decision ... (you should, it's pretty interesting.) It has many references to the California case so it's obvious the judge expects it to be used as a precedent.

I blogged about it here: https://jl.ly/Internet/nyapple.html

------------------------------

Date: Fri, 4 Mar 2016 09:18:46 +0100
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Re: Apple vs FBI ... (Houppermans, RISKS-29.31)

Peter Houppermans discusses the implications of the FBI winning the lawsuit to make Apple build tools to break the security of a specific iPhone.

I don't disagree that whatever precedent the Apple vs FBI lawsuit sets, there are lots of similar lawsuits waiting to be decided the same way. But I dispute that companies will find it "more economical" to build pervasive backdoors into their kit.

Global companies have been dealing with country-local restrictive legislation for a long time, and move their centres of operations around as they see fit. Banks and financial services firms, for example.

There is a far larger global market for data privacy than the US alone. The European Union itself is (at least) a third larger in terms of population and its members implement legal systems which support data privacy and which will exist for the foreseeable future. I would guess that privacy-supporting kit will continue to be developed, because global companies such as Apple can sell it in markets where privacy is protected, such as most EU countries. Savvy US residents could avail themselves of trips to such places to obtain such kit, and US Homeland Security would have a new task trying to stop such kit from entering the US. There is a precedent for such a state of affairs, and it's not been pretty for most of the last century.
The implications of a win are that it will no longer be possible to protect ANY information held on US provided equipment and services.
May well be. US companies who wish to protect their data could find ways to use Canadian or EU cloud services, maybe set up by global companies such as Apple, Amazon and Google.

Peter Bernard Ladkin, University of Bielefeld and Causalis
www.rvs.uni-bielefeld.de  www.causalis.com

------------------------------

Date: Thu, 03 Mar 2016 18:33:03 -0700
From: "Keith Medcalf" <kmedcalf () dessus com>
Subject: Re: Apple vs FBI ... (Houppermans, RISKS-29.31)

This whole line of reasoning is so wrong on so many fronts.

The reason that the FBI is requesting Apple to "break into" the iPhone in question is because Apple has ALREADY CREATED the backdoor into the device that permits them to do this. If Apple had not done so, there would be no way for Apple to comply no matter what tantrums anyone decided to throw. Just as Apple has created backdoor access for themselves to turn over backups and so forth stored in iCloud (the definition of "Cloud" being, of course, Third Party operated computer system over which the data owner has no control or influence over the security of what is stored there).

Apple can get itself out of the mess it has created for itself by cutting the petard of its own making which is being used to hoist them: Give the user the complete and total ability to control the security of the Hardware and Software such that not even Apple has access once "Secure" mode is engaged. Apple should back up the impenetrable security of such a system with a $1,000,000.00 bond that once engaged, no one will be able to access the data on the device or the iCloud unless the correct password is provided (or guessed within the guessing limits), and that this may entail application of rubber hoses, waterboards, electric charges, and other tortures to the person in order to compel disclosure of the password.

Then it will be up to the Device Owner to decide whether they want the device to be secure or not, and Apple will have no responsibility whatsoever for the outcomes of that decision.

------------------------------

Date: Fri, 04 Mar 2016 08:58:54 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Apple vs FBI ... (Houppermans, RISKS-29.31)

Among many other things, the Apple case is about campaign contributions. Apple is one of the most valuable companies on Earth, so some not-so-subtle suggestions from time to time "It's a nice little company you've got there, Apple; it would be such a shame for the govt to screw you over with bad laws and precedents". And the other tech giants know that they're next on the menu.

How do we know this? Check the calendar: it's presidential election season.

------------------------------

Date: 4 Mar 2016 02:02:22 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: IRS identity theft story -- wanna bet it is much, much bigger? (RISKS-29.32)
I will bet $$$ that this is just the tip of an iceberg, as it is breathtakingly stupid for the IRS to have been snookered by a KBA attack.
My tax accountant said a lot of her clients have had refund fraud, and it's so common that the fix, a form where you swear it wasn't you attached to your real return, is now quite routine.

------------------------------

Date: Sat, 5 Mar 2016 17:03:19 -0600
From: "Alister Wm Macintyre" <macwheel99 () wowway com>
Subject: Drone conflict update (ACLU+)

ACLU lawsuit regarding US military drone killings, led to a US gov filing with the court.
http://i2.cdn.turner.com/cnn/2016/images/03/04/ppg.letter.pdf
https://www.aclu.org/issues/national-security/targeted-killing

The court ordered the government to show the judge some key documents on the secret killing by drone program.
https://www.aclu.org/blog/speak-freely/court-considers-releasing-key-documents-governing-secretive-targeted-killing
https://www.aclu.org/sites/default/files/field_document/65._order_directing_government_to_produce_three_documents_2.25.16.pdf

Obama administration to go public with more details on drone killing program.
http://www.cnn.com/2016/03/04/politics/drone-program-obama-administration/

Update on how to hack government drone. This is not a new capability, it is just another well qualified researcher finding something, that others before him have found out, such as crooks, and nations we have been spying on.
https://securityaffairs.co/wordpress/45039/hacking/hacking-professional-drones.html
http://www.wired.com/2016/03/hacker-says-can-hijack-35k-police-drone-mile-away/
https://securityaffairs.co/wordpress/43168/laws-and-regulations/surveillance-drones-hacking.html

In USA it is illegal to interfere with a drone in flight, because the courts have ruled that a drone is an aircraft, without differentiating rules for drones, from rules for their larger cousins. 18 U.S. Code 32, prescribes up to 20 years in prison for anyone who willfully sets fire to, damages, destroys, disables, or wrecks an aircraft in flight.
<https://www.law.cornell.edu/uscode/text/18/32>

This also includes bringing down a drone via trained bird, big net, radio frequency gun, bigger drone, or hacking it. I hope no penalties if the owner of the drone crashes it, by accident, or battery depletion, and no damage to anyone else, or if on the public highways, a motorist collides with a drone, which did not have right of way.
http://drones.newamerica.org/primer/
http://www.slate.com/blogs/future_tense/2016/03/04/proposed_connecticut_law_would_ban_putting_guns_on_drones.html

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.32
************************