RISKS Forum mailing list archives
Risks Digest 30.14
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 17 Feb 2017 11:29:21 PST
RISKS-LIST: Risks-Forum Digest  Friday 17 February 2017  Volume 30 : Issue 14

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.14>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
To Lure Moviegoers, 20th Century Fox Dangles Fake News (Liam Stack and Sapna Maheshwari)
Fake news is killing people's minds, says Apple boss Tim Cook (The Telegraph)
Dutch election will be counted by hand (The Guardian)
Forged Racist Emails Cause Stir at University of Michigan (ABC)
New Mac malware from Iran targets US defense industry, human rights advocates with fake Flash updates (Apple)
Can Foreign Governments Launch Malware Attacks on Americans Without Consequences? (EFF)
Cooperative Bank sends a text with a dyn.co link (Martin Ward)
Toyota recalls all the Mirais for software bug (Andrew Krok)
Majority of Android VPNs can't be trusted to make users more secure (Ars Technica)
"Flaw in Intel Atom chip could crash servers, networking gear" (Agam Shah)
"S. Korea plans to tighten battery regulations after Note 7 crisis" (John Ribeiro)
'Xagent' malware arrives on Mac, steals passwords, screenshots, iPhone backups (Ars Technica)
Yahoo sends new security warning to users (Chicago Tribune)
"Microsoft re-releases snooping patches KB 2952664, KB 2976978" (Woody Leonhard)
"Microsoft Explains Why Windows Drivers Are Dated 21 June 2006" (Matthew Humphries)
Why you can't depend on antivirus software anymore (Slate)
The Internet of Evil Things (Tim Johnson)
Security and the Internet of Things (Bruce Schneier)
Supporters of Mexico's Soda Tax Targeted With NSO Exploit Links (Citizen Lab)
How to destroy a web form and the risks (Paul Robinson)
Spanner, the Google Database That Mastered Time, Is Now Open to Everyone (WiReD)
The AI Threat Isn't Skynet. It's the End of the Middle Class (WiReD)
Google is spying on my photos (Geoff Kuenning, Lauren Weinstein)
Re: D-Wave and quantum computer architecture (Rodney Van Meter)
Re: quantum communications via plane and satellite (Rodney Van Meter)
Re: Rob Slade on quantum computing (Rodney Van Meter)
Re: Quantum Cryptography (Paul E. Black)
Re: "The missile may have veered ... towards the United States" (Michael Black)
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Amos Shapir)
Re: The Truth About UNIX... (Paul Robinson)
*WiReD* in RISKS-30.13 (Dave Horsfall)
The 'March for Science' is gaining mainstream momentum (Joel Achenbach via Dewayne Hendricks)
Stein Schjolberg: The History of Cybercrime (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 16 Feb 2017 9:19:00 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: To Lure Moviegoers, 20th Century Fox Dangles Fake News
  (Liam Stack and later Sapna Maheshwari in *The New York Times*)

Liam Stack, *The New York Times*, 16 Feb 2017 [PGN-ed]

At least five fake news sites were set up (such as the Houston Leader and the Salt Lake City Guardian), providing lots of partisan fake news headlines such as
* LEAKED: Lady Gaga Half-time Performance to Feature Muslim Tribute
* BOMBSHELL: Trump and Putin spotted at Swiss Resort prior to election
* California Legislature to Consider Tax Rebates for Women Who Get Abortions
* Texas Doctor Charged with Multiple Counts of Human Experimentation
and lots more similarly false stuff on similar topics.

The intent was to promote a new film -- A Cure for Wellness -- about a fake cure that makes people even sicker.

``As part of this campaign, a 'fake' wellness site, healthandwellness.com, was created and we partnered with a fake news creator to publish fake news.'' -- according to a statement by Regency Enterprises and 20th Century Fox acknowledging their roles in the ad campaign for the film.

There apparently was considerable outrage within the film industry, because the very next day, 20th Century Fox apologized for this movie ad campaign:

Sapna Maheshwari, *The New York Times*, 17 Feb 2017
The News Was Fake. The Regret? That's Real.

The *Times* article quotes Susan Credle (global chief creative officer of the FBC ad agency): ``Fake news is not a cute or silly subject. When you start to tear down media and question what's real and what's not real, our democracy is threatened. I think this is a hot enough subject that most marketers would understand that taking advantage of a vulnerable public is dangerous.''

[One might wonder how many people will foolishly take such blatantly fake news as genuine. Based on our experience with past April Fools items, I suspect there would be quite a few with some of the cleverer spoofs that really seem semi-plausible. However, just one item quoted out of context can spread around the Internet and be accepted! In the early days of my collecting RISKS cases beginning in the mid-1970s, there was the notorious *Weekly World News* tabloid, with its utterly fantastic headlines. Here are two examples from our archives:
* 2 dead, 1 brain-dead from Chilean bank terminal (noted in ACM SIGSOFT Software Engineering Notes 12 2, April 1987)
* First cybersex pregnancy (RISKS-19.60)
Apparently this kind of outrageous nonsense brings in customers. PGN]

------------------------------

Date: Sat, 11 Feb 2017 13:08:05 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Fake news is killing people's minds, says Apple boss Tim Cook (The Telegraph)

NNSquad
http://www.telegraph.co.uk/technology/2017/02/10/fake-news-killing-peoples-minds-says-apple-boss-tim-cook/

Tim Cook, the boss of Apple, is calling for governments to launch a public information campaign to fight the scourge of fake news, which is "killing people's minds". In an impassioned plea, Mr Cook, boss of the world's largest company, says that the epidemic of false reports "is a big problem in a lot of the world" and necessitates a crackdown by the authorities and technology firms.

------------------------------

Date: Wed, 8 Feb 2017 13:38:57 -0800
From: Mark Thorson <eee () sonic net>
Subject: Dutch election will be counted by hand (The Guardian)

Netherlands reverts to paper ballots and hand counting to thwart hackers.
https://www.theguardian.com/world/2017/feb/02/dutch-will-count-all-election-ballots-by-hand-to-thwart-cyber-hacking

------------------------------

Date: Wed, 8 Feb 2017 10:09:34 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Forged Racist Emails Cause Stir at University of Michigan (ABC)

NNSquad
http://abcnews.go.com/Technology/wireStory/forged-racist-emails-stir-university-michigan-45352248

Someone sent racist and anti-Semitic emails to University of Michigan students and made it look like they were from a computer science professor who pushed for presidential election recounts in several states. The emails were sent mostly to engineering students Tuesday with subject lines such as "African American Student Diversity" and "Jewish Student Diversity." Two messages included the phrase "Heil Trump." A school spokesman, Rick Fitzgerald, said it wasn't a hack and that campus police are investigating. It's not known if the emails were connected to Alex Halderman's activism after the election.

------------------------------

Date: Wed, 8 Feb 2017 12:41:39 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: New Mac malware from Iran targets US defense industry, human rights advocates with fake Flash updates (Apple)

http://appleinsider.com/articles/17/02/08/new-mac-malware-from-iran-targets-us-defense-industry-human-rights-advocates-with-fake-flash-updates

------------------------------

Date: Wed, 8 Feb 2017 10:29:02 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Can Foreign Governments Launch Malware Attacks on Americans Without Consequences? (EFF)

Can foreign governments spy on Americans in America with impunity? That was the question in front of the U.S. Court of Appeals for the District of Columbia Circuit Thursday, when EFF, human rights lawyer Scott Gilmore, and the law firms of Jones Day and Robins Kaplan went to court in /Kidane v. Ethiopia/ <https://www.eff.org/cases/kidane-v-ethiopia>. Jones Day partner Richard Martinez <http://www.jonesday.com/rmartinez/> argued before a three-judge panel that an American should be allowed to continue his suit against the Ethiopian government for infecting his computer with custom spyware and monitoring his communications for weeks on end.

The judges questioned both sides for just over a half hour. Despite the numerous issues on appeal, the argument focused on whether U.S. courts have jurisdiction to hear a case brought by an American citizen for wiretapping and invasion of his privacy that occurred in his living room in suburban Maryland. The question is relevant because, under the Foreign Sovereign Immunities Act, foreign governments are only liable for torts they commit within the United States.

...

Ethiopia's lawyer argued next, taking the position that it should be able to do anything to Americans in America, even set off a car bomb, as long as Ethiopia didn't have a human agent in the United States. One judge asked what would happen if Ethiopia mailed a letter bomb into the United States to assassinate an opponent, or hacked an American's self-driving car, causing it to crash. Ethiopia didn't hesitate: their counsel said that they could not be sued for any of those.

https://www.eff.org/deeplinks/2017/02/can-foreign-governments-launch-malware-attacks-americans-without-consequences

------------------------------

Date: Thu, 9 Feb 2017 11:35:30 +0000
From: Martin Ward <martin () gkc org uk>
Subject: Cooperative Bank sends a text with a dyn.co link

Yesterday I received a text message, claiming to be from the Co-op Bank, stating:

"This is the Co-op bank. Some services will be unavailable this weekend due to essential maintenance. For more details, visit:"

followed by a link to "CoopBank.dyn.co"

The ".co" top level domain is the country code for Colombia.

I sent an email to the Co-op Bank to warn them of this phishing attempt and received a reply stating that the text was genuine!

How can we persuade people not to click on dodgy links in emails and text messages when legitimate companies send out genuine messages with links that are indistinguishable from phishing attempts?

------------------------------

Date: Thu, 16 Feb 2017 13:38:35 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Toyota recalls all the Mirais for software bug (Andrew Krok)

Andrew Krok, Road Show by CNET, February 16, 2017 11:19 AM PST

Toyota issued a recall for every single Mirai hydrogen fuel cell vehicle sold around the world. That may seem like a ton, but bear in mind it's a niche vehicle utilizing an infrastructure that isn't fully fleshed out. Thus, only about 2,840 vehicles are affected.

The issue relates to the car's powertrain. A unique set of driving conditions -- for example, jamming the accelerator to the floor after driving on a long descent under cruise control -- might cause the fuel cell's boost converter to output voltage higher than the maximum. If that happens, a warning light will come on and the fuel cell system will stop running. Toyota will fix the issue with a simple software reflash.

https://www.cnet.com/roadshow/news/toyota-recalls-all-the-mirais-for-software-bug/

------------------------------

Date: Wed, 8 Feb 2017 20:35:39 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Majority of Android VPNs can't be trusted to make users more secure (Ars Technica)

https://arstechnica.com/security/2017/01/majority-of-android-vpns-cant-be-trusted-to-make-users-more-secure/

Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic. Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google's official Play Market finds that the vast majority of them can't be fully trusted. Some of them don't work at all.

------------------------------

Date: Thu, 09 Feb 2017 09:05:19 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Flaw in Intel Atom chip could crash servers, networking gear" (Agam Shah)

Agam Shah, InfoWorld, 6 Feb 2017
Intel is 'implementing and validating a minor silicon fix' to resolve the issue
http://www.infoworld.com/article/3167205/storage/flaw-in-intel-atom-chip-could-crash-servers-networking-gear.html

[selected text]

A flaw in an old Intel chip could crash servers and networking equipment, and the chipmaker is working to fix the issue.

The issue is in the Atom C2000 chips, which started shipping in 2013.

[Four years old is old in a chip still in production? Risks of short-term thinking?]

The usual server refresh cycle is three to five years, but networking and storage equipment -- which the C2000 is targeted toward -- is often used for five to 10 years.

Intel continuously finds flaws in its chips, and it fixes them over time. But one that may crash a system is serious and could put data at risk.

[I am curious about chip flaws being more common than I thought. Is anyone in a position to knowledgeably comment about this?]

The chipmaker has given up making Atom chips for servers, ... Intel is now dedicating Atom chips to drones, robots, gateways, smart devices, and Internet of things products.

[IDIOT* strikes again? *Insecurely-Designed Internet of Things]

------------------------------

Date: Thu, 09 Feb 2017 09:18:38 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "S. Korea plans to tighten battery regulations after Note 7 crisis" (John Ribeiro)

John Ribeiro, InfoWorld, 6 Feb 2017
A government agency agreed with Samsung's view that faulty batteries caused the Note 7 to overheat
http://www.infoworld.com/article/3165952/smartphones/south-korea-plans-to-tighten-battery-regulations-post-note7-crisis.html

[selected text]

In the wake of the Note 7 debacle, South Korea is introducing new tests and regulations to ensure battery and smartphone safety, the Ministry of Trade, Industry, and Energy said.

The announcement Monday by MOTIE also agrees with the analysis by Samsung Electronics and some experts on the cause of the overheating and even explosions of some Galaxy Note 7 smartphones.

Samsung, backed by experts from Exponent, TUV Rheinland, and UL, said in January that the overheating of some Note 7 phones was likely caused by the faulty design and manufacturing of batteries by two suppliers, rather than by the design of the smartphone itself.

------------------------------

Date: Tue, 14 Feb 2017 21:41:50 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: 'Xagent' malware arrives on Mac, steals passwords, screenshots, iPhone backups (Ars Technica)

A Russian hacking group accused of interfering with last year's presidential election has evolved its Xagent malware package, known for its ability to infiltrate Windows, iOS, Android and Linux devices, to target Macs, according to a report on Tuesday.

Uncovered by security research firm and antivirus builder Bitdefender, the Mac strain of Xagent is similar to its predecessors in that it acts as a modular backdoor for intruders, reports *Ars Technica*.
<https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/>
<https://arstechnica.com/security/2017/02/new-mac-malware-pinned-on-same-russian-group-blamed-for-election-hacks/>

Once the malware is installed, likely through the Komplex downloader, it checks for the presence of a debugger.
If none is found, Xagent waits for an Internet connection to reach out to command and control servers, which in turn activate specific payload modules, Bitdefender explains. As a Mac malware, most C&C URLs impersonate Apple domains.

The Xagent payload includes modules capable of searching a target Mac's system configuration, offloading running processes and executing code. More troubling is the malware's ability to grab desktop screenshots, steal web browser passwords and offload iPhone backups. The latter capability is perhaps most important from an intelligence-gathering standpoint, Bitdefender says.

While an exact lineage has yet to be determined, the security firm believes APT28 is behind the Mac form of Xagent...

http://appleinsider.com/articles/17/02/14/xagent-malware-arrives-on-mac-steals-passwords-screenshots-iphone-backups

------------------------------

Date: Wed, 15 Feb 2017 11:36:12 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Yahoo sends new security warning to users (Chicago Tribune)

via NNSquad
http://www.chicagotribune.com/bluesky/technology/ct-yahoo-new-security-warning-20170215-story.html

Yahoo is warning users of potentially malicious activity on their accounts between 2015 and 2016, the latest development in the Internet company's investigation of a mega-breach that exposed 1 billion users' data several years ago. Yahoo confirmed Wednesday that it was notifying users that their accounts had potentially been compromised but declined to say how many people were affected.

Unavoidable reference: https://www.youtube.com/watch?v=vUi1PdYn5nk

------------------------------

Date: Thu, 09 Feb 2017 14:23:19 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft re-releases snooping patches KB 2952664, KB 2976978" (Woody Leonhard)

Given the following and other Microsoft Windows 10 shenanigans, I have not done a Windows Update in quite some time now. I am more worried about Microsoft doing something nefarious to my system than anyone else.

Woody Leonhard, InfoWorld, 9 Feb 2017
Earlier versions of the Win7 and 8.1 patches kicked off enhanced snooping routines, and there's no indication what's changed in these versions
http://www.infoworld.com/article/3168397/microsoft-windows/microsoft-re-releases-snooping-patches-kb-2952664-kb-2976978.html

selected text:

We don't know what KB 2952664 (for Windows 7) and KB 2976978 (for Windows 8.1) actually do. But both patches have been shown in the past to trigger a new Windows task called DoScheduledTelemetryRun.

But I do know that earlier versions of these patches triggered new snooping scans, whether the Customer Experience Improvement Program is enabled or not. And I do know that Microsoft hasn't documented much at all.

------------------------------

Date: Thu, 09 Feb 2017 14:13:24 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft Explains Why Windows Drivers Are Dated 21 June 2006" (Matthew Humphries)

When is a date not a date? (I wonder if anyone has had problems because of supposedly outdated drivers.)

Matthew Humphries, PC Mag, 9 Feb 2017
http://www.pcmag.com/news/351668/microsoft-explains-why-windows-drivers-are-dated-june-21-20

selected text:

The drivers are regularly updated, but that timestamp never changes. Why?

Microsoft drivers in a lot of cases are the fallback option. We all run hardware in our desktop PCs and laptops that's supplied by third-party companies, and they produce drivers for those components. These drivers are preferable to Microsoft's own, but if every time Microsoft released an updated driver it changed the timestamp to be current, Windows would view it as newer than the custom driver and replace it. You probably don't want this to happen as manufacturers' drivers are more suited than Microsoft's.

So to avoid this, Microsoft timestamps all drivers with the Windows Vista Release To Manufacturing (RTM) date, which is June 21, 2006. The Vista RTM was chosen because, "since only drivers as far back as Vista are compatible with new versions of Windows, every driver should have a date newer than Vista RTM, preserving the driver you installed as the best ranked driver."

------------------------------

Date: Thu, 16 Feb 2017 9:06:28 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Why you can't depend on antivirus software anymore (Slate)

http://www.slate.com/articles/technology/future_tense/2017/02/why_you_can_t_depend_on_antivirus_software_anymore.html

[Thanks to Ray Perrault for spotting this one. PGN]

------------------------------

Date: Mon, 13 Feb 2017 16:26:37 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: The Internet of Evil Things (Tim Johnson)

As wireless devices flourish, network security pros break into cold sweats
Tim Johnson, McClatchy, 13 Feb 2017
http://www.mcclatchydc.com/news/nation-world/national/national-security/article132065839.html

Washington

Sure, your office may seem clean. But it's probably not. Invisible network pollution contaminates the space, and it may open a door to evildoers.

The pollution comes from the growing list of Internet-connected devices: cellphones, security cameras, thermostats, door locks, printers, speakerphones, even coffeemakers. Not all of them have up-to-date security patches or strong password protection. All of them are potential foot soldiers for hackers.
<https://www.pwnieexpress.com/hubfs/2017InternetOfEvilThings.pdf?utm_campaign=IoET+2017&utm_source=hs_automation&utm_medium=email&utm_content=42452447>

In a report titled The Internet of Evil Things, to be released Monday, a Boston-based company says the connected devices that surround us at home and work give indigestion to technology security experts, who see the rise of a menacing new force.

``Our devices live in an open and free world. They connect to anything. They connect to good things and bad things. They don't know the difference,'' said Paul Paget, chief executive of Pwnie Express, the Boston cyber threat detection firm.

The problem, Paget said, is that much of the Internet-connected world is contaminated with malicious code, or malware, and your devices swim in that pollution.

Increasingly, employees carry their own devices to work, perhaps unwittingly bringing cyber infections and malware into contact with an office network, or bringing devices with weak defenses that can be forcibly recruited into a hostile robotic network, or botnet, for attacks elsewhere.

The first major alarm about these zombie botnets arose on Oct. 21 when hackers used malware, which security professionals dubbed Mirai <http://www.mcclatchydc.com/news/nation-world/national/national-security/article105894272.html>, to harness an army of enslaved connected devices, mainly security cameras, to overwhelm a New Hampshire firm, Dyn, that is a backbone of the Internet. The massive attack, the largest of its kind ever, took down Internet access in some metropolitan areas of the East Coast.

Rather suddenly, the risk of connected devices became a hot topic. Even the most mundane home or office device could seem, well, potentially virulent. [...]

http://www.mcclatchydc.com/news/nation-world/national/national-security/article132065839.html

------------------------------

Date: Wed, 15 Feb 2017 10:22:35 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Security and the Internet of Things (Bruce Schneier)

[Bruce has written a long article that augments much of what we have noted here in the past, including the article Ulf Lindqvist and I have written for the February 2017 CACM Inside Risks series (item 240):
http://www.csl.sri.com/neumann/insiderisks.html
PGN]

CRYPTO-GRAM
February 15, 2017
<https://www.schneier.com/crypto-gram/archives/2017/0215.html>
by Bruce Schneier
CTO, Resilient Systems, Inc.
schneier () schneier com
https://www.schneier.com
<https://www.schneier.com/crypto-gram.html>

Security and the Internet of Things

[This essay previously appeared in "New York Magazine."
http://nymag.com/selectall/2017/01/the-Internet-of-things-dangerous-future-bruce-schneier.html ]

------------------------------

Date: Mon, 13 Feb 2017 12:14:57 -0500
From: José María Mateo <chema () rinzewind org>
Subject: Supporters of Mexico's Soda Tax Targeted With NSO Exploit Links (Citizen Lab)

https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/

Key Findings

* A prominent scientist at the Mexican National Institute for Public Health (INSP) and two directors of Mexican NGOs working on obesity and soda consumption were targeted with government exclusive spyware.
* All of the targets have been active supporters of Mexico's soda tax, a public health measure to reduce the consumption of sugary drinks.
* The targets received messages with malicious links that would have installed NSO Group's Pegasus spyware on their phones. NSO Group is an Israeli cyber-warfare company.
* NSO's government surveillance tool may have been misused on behalf of special commercial interests, not for fighting crime or terrorism.

------------------------------

Date: Fri, 10 Feb 2017 03:39:25 +0000 (UTC)
From: Paul Robinson <paul () paul-robinson us>
Subject: How to destroy a web form and the risks

There has been a problem I was having that, even though I have over 35 years of experience as a computer programmer, I had no idea why it was happening, and I am explaining how I figured out what caused it.

Right now I am using a web form to type in this message. Sometimes I will go on various web sites where you're allowed to post messages or comments in forums, and on rare occasions, I'd be typing something in and the message would simply vanish. It wasn't posted, it wasn't saved, it was as if I had asked the website to cancel my message.
This can be very irritating to express a complicated explanation or idea and have it vanish in the middle of what you're typing. So let me show you how this happens, and why it bodes large for more than just someone typing a comment on a web page. Tools Needed: * A computer with Windows * Running Firefox browser * Having an Internet connection The process: * Log on to your favorite message boards or the compose page if you use Web mail. * Choose to reply or create a new message. This opens a text box, sets "focus" to it, and places the cursor in the box, allowing you to type in text. * Type in some material and make a mistake and proceed to press the backspace key to correct the mistake. * Accidentally hit F12, which is directly above the backspace. This opens a debug window so you can analyze the objects and DOM layout of the web page. * Realize that (unless you are a web designer or programmer who wants to analyze this page) you did not want that, and press F12 again to release the debug window and go back to the "ordinary" web page. * Unless you are very attentive, you might not notice that the "focus" - the place where the system sends keystroke messages - is not on the input area of the page, but on the whole page. This means the "mode" of the application has silently changed, and keystroke messages are sent to the application, not to the text box. * Proceed to correct the message by pressing the backspace key. Since you're not in the text area, the web browser does not treat the backspace as a command to "delete the previous typed in key" it is now the *back* button, which means to back up one web page from the stack of pages you've surfed through. * This causes the web browser to return to the previous page before you wanted to enter a reply, destroys the current web page and discards everything you typed in. It's gone forever and you can't get it back. 
Using the "forward" button on the toolbar returns you to the posting page, but is cleared out as when you start a new post. Now, the worst thing about this is given the number of functions available from the keyboard this is not the only way for the focus to change, there are other possible keystrokes you can made that can take the focus off the input box and move it to the app, and thus potentially cause a mode change that you do not even know has happened. Now, this presents a big possibility of error "writ large" onto any application or system where any button or key used by an application is modal, in which the button's functionality is different according to the current mode you are in. Obviously having a mode change the behavior of an application without the user being aware of it could have substantial risks that are clearly obvious. ------------------------------ Date: Tue, 14 Feb 2017 11:36:26 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Spanner, the Google Database That Mastered Time, Is Now Open to Everyone (WiReD) https://www.wired.com/2017/02/spanner-google-database-harnessed-time-now-open-everyone/#a-6159ef6b-4043-4271-89e3-b3c5108d72a8 Google can change company data in one part of this database--running an ad, say, or debiting an advertiser's account--without contradicting changes made on the other side of the planet. What's more, it can readily and reliably replicate data across multiple data centers in multiple parts of the world--and seamlessly retrieve these copies if any one data center goes down. For a truly global business like Google, such transcontinental consistency is enormously powerful. ------------------------------ Date: Fri, 10 Feb 2017 20:45:52 -0500 From: "Dave Farber" <farber () gmail com> Subject: The AI Threat Isn't Skynet. 
It's the End of the Middle Class (WiReD) https://www.wired.com/2017/02/ai-threat-isnt-skynet-end-middle-class/ ------------------------------ Date: Sun, 12 Feb 2017 16:53:28 -0800 From: Geoff Kuenning <geoff () cs hmc edu> Subject: Google is spying on my photos I stopped by our local wilderness park today to take a photo of some wildflowers with my Android phone. Imagine my shock an hour or so later when the phone's notifications screen offered me a chance to "Be a part of Google Maps! Share your pictures of Claremont Hills Wilderness Park" complete with thumbnails of the photos I took. Now to be fair, the thumbnails could have been assembled into the message on my phone without ever being sent to Google. But the only way they could have known that I took a picture near (not in) the park was if the GPS data and the fact of the photo were sent to them, without my knowledge or permission, when I hit the shutter button. To make matters worse, I wasn't even using the phone's built-in camera app; I was using an alternative, Camera FV-5, which as far as I can tell only uses your GPS location internally. So the conclusion is that every time my camera's shutter operates, the location (and maybe a thumbnail) is sent to Google. Most of the time they might discard it, but it's still creepy. And IMHO it certainly violates their motto of "Don't be evil." One more reason to use a real camera... ------------------------------ Date: Sun, 12 Feb 2017 19:07:02 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Re: Google is spying on my photos (Kuenning, RISKS-30.14) This is all documented. If memory serves the specific option is in: maps>settings>notifications ("add photos" or some such) Also, a similar effect would likely be achieved by turning off location sharing. - - - Add Photos to Multiple Places No more digging through photos and searching for the right now we automagically match them for you with Google Photos. 
On your Android phone, simply turn on the back up and location features in Google Photos to have your photos of places appear in the Contribute tab of Google Maps, ready for you to share and score points. ------------------------------ Date: Tue, 14 Feb 2017 10:47:18 +0900 From: Rodney Van Meter <rdv () sfc wide ad jp> Subject: Re: D-Wave and quantum computer architecture I'm going to be a bit gauche and toot my own horn here, hopefully while putting some context on the three quantum-related items in the last couple of issues of RISKS. I am one of the few classically-trained computer architects whose research is full time quantum, and has been since 2003. Apologies for the collective length, but since I'm addressing several prior posts I hope you'll allow them. First, D-Wave: the Wired article says, "D-Wave's computers can't tackle all algorithms yet," -- no kidding! It's a special-purpose machine that solves optimization problems mapped to Ising spin problems, a type of graph problem. It's a one-trick pony, although it's a really good trick, if it works. "[T]hird-party research didn't consistently confirm hype about D-Wave machines' speed gains versus classical computing." *Really* no kidding! The only person I trust unreservedly about this is Matthias Troyer (ETH Zurich & Microsoft Research). Turns out that characterizing performance of algorithms with many parameters including probability of being within some distance of optimal is tricky stuff. A great place to start is http://www.sciencemag.org/content/345/6195/420.abstract The slides by John Seymour, linked to from the Wired article, are an excellent account of one adventure using the machine. Designing algorithms for somewhat more general-purpose quantum computers is nothing like designing classical algorithms. 
The entire goal is to use entanglement and the wave nature of quantum states to drive the machine toward a state where non-answers to your problem destructively interfere, and answers to your problem constructively interfere.

For discussion of the state of machines and our attempts to design them, see (ahem)

  A blueprint for building a quantum computer:
  http://dl.acm.org/citation.cfm?id=2494568

  Quantum computing's classical problem, classical computing's quantum problem:
  https://arxiv.org/abs/1310.2040

  The path to scalable distributed quantum computing
  http://ieeexplore.ieee.org/abstract/document/7562346/
  or https://arxiv.org/abs/1605.06951

and I love Dave Bacon's review of quantum algorithms, though it's getting a bit long in the tooth now:
  http://dl.acm.org/citation.cfm?doid=1646353.1646375

------------------------------

Date: Tue, 14 Feb 2017 14:37:03 +0900
From: Rodney Van Meter <rdv () sfc wide ad jp>
Subject: Re: quantum communications via plane and satellite

Apologies for the length, I didn't set out to write something this long...

RISKS 30.13 had a note about the Jennewein team capturing single photons from an airplane on the ground. It's preparatory work to doing the same thing from a satellite, and it's great stuff. Note that Makarov is a coauthor, and Makarov is the best "red team" QKD person on the planet, known for his work hacking QKD systems.

And, in case you haven't heard, China already *has* a satellite in orbit for essentially the same experiments:
  https://www.rt.com/news/374167-china-quantum-satellite-operational/

They haven't yet published data from the satellite (launched last August), but they're now saying it's performing "much better than expected".

The basic idea is to generate pairs of entangled photons in space, and capture them at two different locations on the ground.
The current experiments, as far as I know, involve only capturing and measuring the photons directly, which means they are good for only quantum key distribution (QKD), creating a guaranteed-secret stream of classical bits shared with exactly one partner. Doing this via satellite has a lot of security advantages, including how hard it is to intercept and resend signals.

This form of QKD (so-called Ekert-style, known as E91, using entangled pairs of photons rather than single photons from a sender to a receiver) is not subject to worries about e.g. the quality of the RNG on the satellite. Even if you could fly a high-altitude aircraft that spoofed the satellite, proper operation of the checks on the ground would _still_ keep the key secure. A combination of spoofing the satellite with a known vulnerability in the RNG at the ground stations could result in a compromised key, I believe, by judiciously avoiding the checks. Or, rather than directly spoofing the entangled pairs, other recent work has shown how, with some receiver setups, you can force any outcome you like (see DOI:10.1126/sciadv.1500793).

n.b.: Some of this is speculative, given that I haven't seen details of the experiments they are doing with the actual satellite, but I have read many of their preparatory papers.

Of course, there are a lot of limitations, including weather and satellite orbit. And if you have failures in orbit, fixing them is hard!

Jian-Wei Pan's group is the best in the world at this kind of optical experiment. He was in Zeilinger's group in Vienna, which is the only other real contender for best at this kind of thing. Jian-Wei is also chief architect of the fiber-based QKD network they are now building out in eastern China. My viewpoint is limited, but from where I sit, he is probably China's most famous and most politically powerful researcher, in any field, and with good reason.
I've already gone on long here, but I want to note that QKD, which involves early, direct measurement of the quantum states as photons, is only the beginning of quantum networking. If we can build quantum repeater networks that create entanglement over long distances, we can do many more things: sensor networks and interferometers with better-than-classical precision; high-precision distributed clocks (although whether they can be built without supporting classical infrastructure that already exceeds the quantum portion is an open question); other security functions such as stronger byzantine agreement; and distributed quantum computation (such as blind computation). See (again, ahem)
  https://www.verisign.com/en_US/company-information/verisign-labs/speakers-series/quantum-networks/index.xhtml
and (final ahem) my book, _Quantum Networking_
  http://as.wiley.com/WileyCDA/WileyTitle/productCd-1848215371.html
(Apologies for the price. I get a couple of bucks, the publisher gets the rest.)

Happy to talk at more length with any RISKers who are interested in either quantum computing or quantum networking.

Prof. Rodney Van Meter, Faculty of Environment and Information Studies,
Keio University, Japan  rdv () sfc wide ad jp  http://web.sfc.keio.ac.jp/~rdv/

------------------------------

Date: Tue, 14 Feb 2017 11:19:33 +0900
From: Rodney Van Meter <rdv () sfc wide ad jp>
Subject: Re: Rob Slade on quantum computing

I'm really thrilled to see someone of Rob's firepower thinking seriously about what quantum computing means to a particular community (in this case, the security community). And I hadn't seen his articles before, so I'm reading them and sharing with my students.

Re: security of the quantum computers themselves: yes, their operations are very easily disrupted (a bigger problem, actually, for quantum networks, see my next message). But as to verifying the answers they produce, that should be straightforward.
Anything like an NP-complete problem, or math problems like factoring, it's pretty easy to check. Other applications, such as quantum chemistry (popularly touted as an important class of apps) are harder.

Re: security of results: One of my favorite ideas of the last decade is blind quantum computation, by Broadbent, Fitzsimons and Kashefi. Like Gentry's homomorphic encryption, it allows a computer to run an algorithm with no access to the input or output data. Blind QC goes a step further and keeps even the algorithm hidden. You can run the algorithm on a remote server, and the server, its operators and hackers can learn nothing at all except an upper bound on the size of the computation you have done.
  https://arxiv.org/abs/0807.4154
The penalty for using BQC is substantial, but tolerable, even when accounting for quantum error correction. However, the network demands to use it remotely in full form are unrealistically high for the foreseeable future, see (again, ahem)
  https://arxiv.org/abs/1306.3664
and papers by others that I don't have handy at the moment.

Re: applications for QCs: Rob suggests a number of things that are "hard" problems. Unfortunately, due to very limited memory capacity and inconceivably low I/O rates, no "big data" applications are in the offing, so e.g. climate modeling is right out. Problems involving modeling of other quantum systems, such as quantum chemistry of fertilizers (the favorite example problem of the Microsoft Research folks) are good candidates. Small-data problems with high branching factors, like solving chess or go without a massive library, are good candidates.

Re: "superposition will allow for the processing of vast numbers of possibilities simultaneously": Scott Aaronson, one of the premier theorists and quantum's most visible and funniest blogger, really hates that description.
See my last message for a short discussion of algorithm design via interference, or Scott's blog at
  http://www.scottaaronson.com/blog/?p=2026
or his book _Quantum Computing Since Democritus_, if you want the hard thinking without the math. (That book is amazingly deep given the dearth of equations.)

Enough for now, a note about networking later...

------------------------------

Date: Thu, 16 Feb 2017 18:56:08 +0000
From: "Black, Paul E. (Fed)" <paul.black () nist gov>
Subject: Re: Quantum Cryptography (Werner U, RISKS-30.13)

Re: stealing a quantum key (Feb 2 in WiReD)

On Mon, 6 Feb 2017 Werner U <werneru () gmail com> wrote
  "... it's physically *impossible* for a hacker to steal a key encoded using quantum particles."

It is physically impossible for a hacker to steal such a key *without being detected*. This is clearly communicated in the rest of the paragraph.

Paul E. Black, 100 Bureau Drive, Stop 8970, Gaithersburg, Maryland 20899-8970
paul.black () nist gov  voice: +1 301 975-4794  fax: +1 301 975-6097
http://hissa.nist.gov/~black/  KC7PKT

------------------------------

Date: Mon, 13 Feb 2017 16:01:04 +0000 (UTC)
From: Black Michael <mdblack98 () yahoo com>
Subject: Re: "The missile may have veered ... towards the United States"

Having been on an observation ship during a failed missile test back in the 80's I can tell you this is much ado about nothing. All missile launches...including subs...have a missile safety officer. Their sole job is to have their finger on the detonate button if something goes wrong. We were about 10km as I recall from a Trident launch and the missile started to roll...took probably 2 seconds before the safety officer destroyed it.

The idea that a missile might "veer" towards the U.S. is just one of the obviously many directions a bad missile might go. As soon as it goes off course it will be destroyed.
The extremely poor scientific reporting that goes on in the media leaves a lot of people with bad and/or incomplete information....just like the current scare mongering from Fukushima with news agencies reporting "record radiation levels"....of an area that had never been measured before....and who woulda thunk a nuclear reactor core might actually be dangerous?

------------------------------

Date: Thu, 9 Feb 2017 13:58:47 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Risks 30.13)

What most respondents seem to ignore is that the difference between indentation-oriented syntax and enclosing-delimiter-oriented one is not a matter of the behavior or availability of automatic indenting applications. The main issue is that with the latter syntax (e.g. Python's) there's no way to know where an "if" or a "while" statement ends, except by indentation; messing indentation on even a single line can result in a program which is syntactically valid, but wrong. In a language like C, one would have to lose at least two opposing braces to get this result, and it's even harder with languages which use syntax like if...fi and do...od.

------------------------------

Date: Mon, 13 Feb 2017 19:56:57 +0000 (UTC)
From: Paul Robinson <paul () paul-robinson us>
Subject: Re: The Truth About UNIX... (Norman, RISKS-30.13)

Don Norman wrote:
  "More facts: I never used a DEC (Digital) PDP-10, although I did use (and own) many every other DEC machine: PDP 1, 4, 7, 8, 9, 11 and Vax. I managed to skip the 10, which was replaced by the Vax."

To set the record straight, the Decsystem 20 replaced the PDP 10, both of which were 36-bit architecture. Then DEC deprecated the 20. Then the only mainframe option to a (now former) Decsystem 20 customer was either an IBM 370 series or a DEC VAX.
But the VAX, like the 370, is a 32-bit machine, is not compatible in terms of operating system or architecture with the 10 or the 20, and was the replacement for the 16-bit PDP-11, with which its machine instruction set was compatible.

------------------------------

Date: Thu, 9 Feb 2017 10:34:55 +1100 (EST)
From: Dave Horsfall <dave () horsfall org>
Subject: *WiReD* in RISKS-30.13

A couple of articles have mentioned the wired.com site; please be aware that they run an ad-blocker-blocker, which means you either disable your blocker (which I won't do) or risk (no pun intended) your privacy by signing up; I won't trust any site that demands I either view adverts, or pay what amounts to a ransom.

  [Let's hope someone at EFF is reading RISKS. PGN]

------------------------------

Date: Sat, Feb 11, 2017 at 2:05 AM
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: The 'March for Science' is gaining mainstream momentum (Joel Achenbach)

Joel Achenbach, *The Washington Post*, 9 Feb 2017
https://www.washingtonpost.com/news/speaking-of-science/wp/2017/02/09/the-march-for-science-is-gaining-mainstream-momentum/

Many scientists are reluctant to leap into politically charged territory, but these are not normal times, and even the most mainstream science organizations say there may be no choice but to take to the streets. The much-discussed March for Science, organized via social media and scheduled for April 22 in Washington, has been gaining momentum. Christine McEntee, executive director and chief executive of the American Geophysical Union, said Thursday that her organization has been talking in recent days with march organizers and looking for ways to support the effort.

``We are pleased to see the growing support for the value of science and scientific integrity. AGU has begun discussions with the organizers of the march and we are exploring how we can best support their efforts. Democracy is based on active participation.
We fully support the efforts of scientists to speak out on these important issues.'' [...]

------------------------------

Date: Sat, 11 Feb 2017 10:22:42 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Stein Schjolberg: The History of Cybercrime

"The History of Cybercrime (1976-2016)" was published in January 2017 in Germany by the Cybercrime Research Institute, Cologne. It contains new information from United Nations organizations, INTERPOL, a new chapter on Public-Private Partnerships, new information on Internet of Things (IoT), the encryption problems for law enforcement, and much more. The book is now available on Amazon Kindle and book editions.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
  http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
  *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
  <http://www.CSL.sri.com/risksinfo.html>
  *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
  or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
  http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones:
  http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
  *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
  <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.14
************************