
Risks Digest 27.39
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 29 Jul 2013 11:39:31 PDT

RISKS-LIST: Risks-Forum Digest  Monday 29 July 2013  Volume 27 : Issue 39

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.39.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
First-hand report from Philadelphia Airport shutdown (Dave Farber)
Jurors jailed for contempt of court over Internet use (George Ross)
And now, from the country that brought you INCIS and Novopay...
  (Richard A. O'Keefe)
Information is Beautiful: relative sizes of data losses (Nico Chart)
"Information Consumerism: The Price of Hypocrisy" (Evgeny Morozov via
  Prashanth Mundkur)
"Scientist banned from revealing codes used to start luxury cars"
  (Lisa O'Carroll via Gene Wirchenko)
"What else can Congress bungle? Their passwords, for starters"
  (Robert X. Cringely via Gene Wirchenko)
Is your computer spying on you? (Henry Baker)
Is Your Cable Box Spying On You? (Christopher Zara via Henry Baker)
"Feds Indict 5 in Largest Hacking, Data Theft Ring in U.S. History"
  (ABC via Gene Wirchenko)
"U.S. agents 'got lucky' pursuing accused Russia master hackers"
  (Gene Wirchenko)
"Apple's developer site overhaul continues following breach" (Jeremy Kirk
  via Gene Wirchenko)
If you have a rooted Android device, don't rush to install 4.3
  (Lauren Weinstein)
NASDAQ's Sloppy, After-hack, Phishing-like password reset message
  (Lauren Weinstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 28 Jul 2013 18:01:04 -0400
From: Dave Farber <dave () farber net>
Subject: First-hand report from Philadelphia Airport shutdown

Philadelphia Airport without power -- went out courtesy of too much rain.
Can't get to the planes.   The computers are down.  Everything's out.

------------------------------

Date: Mon, 29 Jul 2013 17:08:00 +0100
From: George Ross <gdmr () inf ed ac uk>
Subject: Jurors jailed for contempt of court over Internet use

Following up on previous RISKS items:

"Two jurors have each been jailed for two months for contempt of court after
one posted Facebook comments and the other researched the case on the web.
..."
<http://www.bbc.co.uk/news/uk-23495785>.

George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
School of Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB

------------------------------

Date: Mon, 29 Jul 2013 10:26:45 +1200
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: And now, from the country that brought you INCIS and Novopay...

Summary: NZ's new "Electronic Operating Model" for courts is late and
over budget; staff appear to have been mismanaged; and the government
has already closed some courts in anticipation of benefits from a
system that may not operate until next year.

Justice Minister Judith Collins announced in 2011 that the NZ Government was
"amending criminal procedure to bring [the justice system] up to date with
[the] 21st century... Within the District Courts, around 60% of criminal
procedures will be new or changed.  Where old law required paper records,
the Act allows use of technology to exchange information ..."  The
"Electronic Operating Model" was to be introduced "later in 2013", replacing
the current paper-based court record.  It was then estimated that charges
would be processed up to 70% faster and that the Ministry of Justice and
Police would be saved "around 93,000 hours a year".  -- Extracted from
  http://my.lawsociety.org.nz/news/electronic-operating-model-outlined

I'm not sure when work started, but the "2010/11 estimates examination;
responses to the additional questions: Vote Courts" document, which is
missing from its home but still in Google's cache, suggests that it was
already in the 2010 budget, as part of a "Criminal Procedure Simplification
programme" that appears to have included paperwork streamlining as well as
computerisation.  This would be the Criminal Procedure Act 2011, described
as the "biggest reform of criminal procedure in 50 years", and "enabled an
electronic operating model".

The same document says
 - the first phase will involve the electronic filing, management, and
   disposal of an estimated 270,000 charges/year from the Police; this would
   take about 2 years with the first charges processed by mid-2012.

 - costs were expected to be NZD 11.2 million capital and NZD 7.8 million
   operating expenses between 2010/11 and 2013/14.

 - benefits were expected to equal costs for the first phase.

 - the first phase was to "start establishing the platform for a wholly
   electronic criminal summary operating model", but was not yet to _be_
   that model.

-- Extracted from
http://webcache.googleusercontent.com/search?q=cache:hoquQTJVMaIJ:www.parliament.nz/NR/rdonlyres/5264E59A-204D-400B-A71D-450064F8CD4C/148485/49SCJE_EVI_00DBSCH_EST_9923_1_A56701_MinisterofCou.pdf+%22Electronic+Operating+Model%22+New+Zealand+Justice&cd=5&hl=en&ct=clnk&gl=nz&client=safari

If I'm reading the "Briefing for the Incoming Minister" correctly, that was
in the context of a total Vote Courts budget of NZD 438 million.

Quoting that document:

    The court system is one of the few examples of a significant national
    service delivery model that still relies predominantly on paper.  Given
    the technology available, a paper-based court record is resource
    intensive, cumbersome and inefficient.  The system is also open to error
    from manual transcription into other administration systems, and at risk
    of loss, damage or misuse.

    The EOM project addresses these issues by reducing, simplifying, and
    automating a number of steps in handling and processing of the court
    record.  This will improve and better control access to official court
    records regardless of location, and reduce the risk of misuse or loss of
    information.  Having a single authoritative record will also increase
    the quality of information available to justice agencies.

http://www.justice.govt.nz/publications/global-publications/b/briefings-to-incoming-ministers-2011/documents/VOTE%20COURTS%202011%20BIM%20FOR%20RELEASE.pdf

The concern to reduce error is praiseworthy.

Phase 1 was supposed to begin operation in March this year.

However,

    From 1 July 2013, implementation of the justice sector's Electronic
    Operating Model will begin with the electronic filing of Police charges.
    We asked why the implementation of the electronic filing of judicial
    decisions has been delayed until 2014.  We heard that an audit of the
    Ministry of Justice project found the programming to be more complicated
    than expected.  Some processes have already been tested, but real-time
    live trials of the system will also be conducted before the progressive
    implementation at courts next year.  The technology will reduce the time
    involved in handling documents and make them more easily accessible.  We
    will follow the implementation of the Electronic Operating Model
    closely.  -- Extracted from http://www.parliament.nz/resource/0001682426

The system is now being described as costing "$30 million".

From an article printed on page 6 of the Friday July 26 issue of *The Otago
Daily Times*, reprinted from *The New Zealand Herald*:

  - The project was flagged at risk and getting worse in November 2012
  - "the project was reporting that these technical matters would be
    sorted out"
  - Staff "were compelled to work evenings and weekends"
  - under "three extraordinarily high work streams"
  - resulting in "key resignations amid prolonged work periods",
    also described as "a wave of resignations"
  - During all this high pressure, "staff were moved to a
    different floor of the national headquarters, which had seating
    for only 45 of the 48 staff, and more were hired".

Sounds to me like some manager at the Ministry of Justice (possibly
Crazy Eddie from the Mote) had never read 1 Kings 12.

The thing is that on the 3rd of October last year,
it was announced that
    31 jobs would be lost at 13 courts
    4 courts would be closed
    9 would have their hours slashed
    2 of those 9 would be reconsidered for closure in 2013
    and "two tiers of management [would] have to reapply",
    a net reduction of 68 staff.

-- extracted from
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10838100

The changes duly took place this year, in anticipation of the
benefits of the new system...

I wonder if any of the decision-makers had heard of "counting your
chickens before they're hatched"?

------------------------------

Date: Mon, 29 Jul 2013 07:21:02 +0000
From: Nico Chart <Nico.Chart () pdgm com>
Subject: Information is Beautiful: relative sizes of data losses

David McCandless of the "Information is Beautiful" website has produced a
nice graphic illustrating the relative sizes of famous data losses
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.

Nicholas Chart, Senior Technical Consultant (Epos Infrastructure), Paradigm,
Dukes Court, Duke Street, Woking, Surrey, GU21 5BH, +44 (0)1483 758146

------------------------------

Date: Sun, 28 Jul 2013 16:17:11 -0700
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: "Information Consumerism: The Price of Hypocrisy"

Evgeny Morozov, Frankfurter Allgemeine Zeitung, 24 July 2013.

A lengthy take on surveillance, online culture and Silicon Valley, with
interesting links to examples of the current 'smart' bubble, like 'smart
forks', 'smart toothbrushes', 'smart umbrellas', and 'smart shoes' (patented
by Apple!).

http://www.faz.net/aktuell/feuilleton/debatten/ueberwachung/information-consumerism-the-price-of-hypocrisy-12292374.html

------------------------------

Date: Sat, 27 Jul 2013 14:58:49 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Scientist banned from revealing codes used to start luxury cars"
  (Lisa O'Carroll)

Lisa O'Carroll, *The Guardian*, 26 Jul 2013
High court imposes injunction on Flavio Garcia, who has cracked
security system of cars including Porsches and Bentleys
http://www.guardian.co.uk/technology/2013/jul/26/scientist-banned-revealing-codes-cars

------------------------------

Date: Mon, 22 Jul 2013 13:21:24 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "What else can Congress bungle? Their passwords, for starters"
  (Robert X. Cringely)

Robert X. Cringely, InfoWorld, 19 Jul 2013
Data leak proves yet again that DC politicos are even less tech savvy
than your grandma (no offense to grandmas)
http://www.infoworld.com/t/cringely/what-else-can-congress-bungle-their-passwords-starters-223078

------------------------------

Date: Fri, 26 Jul 2013 06:42:33 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Is your computer spying on you?

I did an experiment on my Windows 7 machine yesterday.

I right-clicked on the wireless connection in my system tray to Open Network
and Sharing Center.

I then clicked on Access type: Internet Connections: Wireless Network
Connection in order to get the Wireless Connection Status panel to display
(it's much easier to do this in Windows XP).

This Wireless Connection Status panel displays the number of bytes sent &
received on the wireless connection since the last time it was reset.

(This wireless connection is the only connection this particular computer
has with the outside world.)

I then turned off every background task on this machine that I could find
that didn't seem relevant to simply running my local Windows machine.

I then left the machine alone for several hours.

Even though the machine is doing *nothing* (no browser, no e-mail, no file
server, no music serving, etc.), there is still some residual amount of
network traffic that runs to megabytes over several hours.

Interestingly, there was almost 3x the traffic being *sent* as being
*received*.

I then tried the same experiment with my Windows XP machine.  Simply
right-click on the wireless icon in the system tray and click on 'status'.

The result: much less traffic -- essentially zero.

Perhaps someone on this list has an explanation for this phenomenon.

------------------------------

Date: Sun, 28 Jul 2013 04:48:21 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Is Your Cable Box Spying On You? (Christopher Zara)

FYI -- What could possibly go wrong here?

Christopher Zara, *IB Times*, 26 Jul 2013
Is Your Cable Box Spying On You?  Behavior-Detecting Devices From Verizon, Microsoft And Others Worry Privacy Advocates
http://www.ibtimes.com/your-cable-box-spying-you-behavior-detecting-devices-verizon-microsoft-others-worry-privacy-1361587

Pay-TV providers like Verizon and tech giants like Microsoft are developing
devices that can monitor our behaviors as we watch TV and play games.
Reuters

``Watching the watchers'' is taking on a whole new meaning.

News that Google Inc. may be developing a television set-top box with a
motion sensor and video camera has rekindled the debate over technology that
can record so-called ambient action. Should a TV-mounted box have the
ability to track our movements, record our voices and monitor our behaviors?
Should cable providers and tech companies be allowed to collect such
information without our consent?

Lawmakers and privacy advocates are asking such questions as companies
continue to experiment with data collection that will extend beyond our
gadgets and into our living rooms and bedrooms. On Thursday, the Wall Street
Journal reported that Google privately showed off a prototype device at the
Consumer Electronics Show in Las Vegas last January. The company is one of
many tech players looking to compete with pay-TV providers, who themselves
have been exploring new ways to capture information about viewers' behavior.

In November, Verizon Communications Inc. filed a patent application for a
set-top box that delivers advertisements based on users' behaviors.  For
instance, two people cuddling on sofa watching TV might see a commercial for
a romantic Disney cruise, while an arguing couple might see a pitch for
couples' therapy. The device would use a combination of motion and audio
sensors to collect information about what viewers are doing as they watch
TV.

Creeped out yet? You're not alone. News of Verizon's plans brought countless
headlines about the potential for Orwellian cable boxes and digital video
recorders, spying on us during our most intimate moments. And legislators
have been quick to respond. Last month, two U.S. congressmen, a Democrat and
a Republican, introduced a bill that would require such devices to be
opt-in, meaning consumers would have to grant explicit consent before
companies could collect data on ambient action. The bill -- dubbed the We
Are Watching You Act of 2013 -- would also require that devices flash
on-screen warnings whenever they are recording such information.

Reps. Michael E. Capuano, D-Mass., and Walter Jones, R-N.C., who sponsored
the bill, called such technology an ``invasion of privacy.'' In a statement,
Jones even acknowledged the data collected through such devices could be
potentially abused by the government itself. ``When the government has an
unfortunate history of secretly collecting private citizens' information
from technology providers, we must ensure that safeguards are in place to
protect Americans' rights,'' he said.

The extent to which Google's set-top box would collect ambient information
is unclear. In its report, the Journal cited only ``people briefed on the
device,'' and a Google representative has not yet responded to a request for
more information. However, the company has reportedly been experimenting
with such technology for several years. As Gizmodo reported in 2007, Google
filed for a patent for an interactive TV that would include an image-capture
device capable of measuring ``how many viewers are watching or listening to
a broadcast.''

And Google and Verizon are by no means lone players. In November, the
Microsoft Corp. (NASDAQ:MSFT) also filed a patent application for a system
that would use its Kinect camera to monitor users' behavior. Kinect will
come attached to Microsoft's forthcoming Xbox One game consoles. Its
always-on sensors can read body behavior, track eye movements and listen for
commands. It even knows how many people are in the room. As Polygon
reported, the device has raised numerous concerns among privacy advocates,
particularly in light of Microsoft's reported compliance with the National
Security Agency's PRISM program.

If it makes you feel any better, Microsoft has vowed to ``aggressively
challenge'' any government attempt to spy on its customers using Kinect
sensors. ``Absent a new law, we don't believe the government has the legal
authority to compel us or any other company that makes products with cameras
and microphones to start collecting voice and video data,'' a company
representative told the Verge this month.

If that doesn't allay your fears, you can visit Microsoft's Xbox One privacy
page.

------------------------------

Date: Sat, 27 Jul 2013 14:50:31 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Feds Indict 5 in Largest Hacking, Data Theft Ring in U.S. History"

Feds Indict 5 in Largest Hacking, Data Theft Ring in U.S. History
http://abcnews.go.com/US/feds-indict-largest-hacking-data-theft-ring-us/story?id=19772118

------------------------------

Date: Sat, 27 Jul 2013 14:56:44 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "U.S. agents 'got lucky' pursuing accused Russia master hackers"

http://www.reuters.com/article/2013/07/26/us-usa-hackers-creditcards-arrests-idUSBRE96P02Z20130726

------------------------------

Date: Fri, 26 Jul 2013 11:57:22 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Apple's developer site overhaul continues following breach"
  (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 25 Jul 2013
Apple created a status page showing its progress in rebuilding its
systems following last week's intrusion
http://images.infoworld.com/d/application-development/apples-developer-site-overhaul-continues-following-breach-223429

------------------------------

Date: Sat, 27 Jul 2013 16:41:16 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: If you have a rooted Android device, don't rush to install 4.3

If you have a rooted Android device, I recommend against rushing to install
Android 4.3 for now. It appears that 4.3's new protection model may require
re-rooting devices in various situations (and require a new, rather kludgy
workaround, for now at least), and unless you have some reason to push
through 4.3 quickly (which is a relatively minor update in most other
respects) I would suggest holding off until best practice procedures have
been developed and promulgated. If you don't root your devices, you won't
care about this, and you can jump to 4.3 immediately and happily.

http://j.mp/1789QjV  (This message on Google+ via NNSquad)

------------------------------

Date: Sat, 27 Jul 2013 07:52:40 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: NASDAQ's Sloppy, After-hack, Phishing-like password reset message

NASDAQ's Sloppy, Phishing-like password reset message after being hacked?
http://j.mp/14k5Niq  (This message on Google+ via NNSquad)

[name withheld]

NASDAQ wrote the other week that they were hacked badly. They closed the
site for some days. Now I got this email:

  Dear Community Members:
  We are pleased to inform you that your "My NASDAQ" account is again online
  and available. We invite you back to enjoy all the features you have come
  to rely upon, including your portfolio tracker, stock ratings and social
  features. To regain access to your account, please set a new password by
  going to http://community.nasdaq.com/reset-password.aspx, entering your
  email address, and clicking on the "Reset Password" button. You will be
  sent a verification email which contains a link. You can then use that
  link to reset your password.

  Thank you for your patience. You are a valued member of our audience and
  your security is paramount to us.

  Sincerely,   Bruce Hashim,   www.nasdaq.com

The trouble I see is, the URL given is in an HTML mail, and it doesn't
actually go to what is being displayed. Rather, it goes to (numbers munged):
http://www.mmsend10.com/link.cfm?r=[xxxxxxxx]&sid=[xxxxxx]&m=[xxxxx]&u=NASDAQ_OIS&j=[xxxxxx]&s=http://community.nasdaq.com/reset-password.aspx

Now, I'm not saying it's not legit, mind; I don't know. But mmsend10.com is
owned as follows:

   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: MMSEND10.COM
      Created on: 04-Jan-08
      Expires on: 04-Jan-15
      Last Updated on: 02-Jan-13

   Registrant:
   Real Magnet LLC
   4853 Cordell Ave
   PH-11
   Bethesda, Maryland 20814
   United States

   Administrative Contact:
      Pines, Tom  domain-admin () realmagnet com
      Real Magnet LLC
      4853 Cordell Ave
      PH-11
      Bethesda, Maryland 20814
      United States
      +1.3016524025

   Technical Contact:
      Pines, Tom  domain-admin () realmagnet com
      Real Magnet LLC
      4853 Cordell Ave
      PH-11
      Bethesda, Maryland 20814
      United States
      +1.3016524025

   Domain servers in listed order:
      NS1V.DATAPIPE.NET
      NS2V.DATAPIPE.NET

[That does not exactly foster trust on my first take.  LW]
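As an added example (not part of the message above nor anything NASDAQ or Real Magnet ships), the following Python checker does mechanically what the contributor did by hand: it parses the anchors of an HTML mail, flags links whose visible text is a URL on a different host than the href, and pulls the real destination out of a tracking redirector's query string. The sample mail is constructed and the tracking ids are placeholders.

```python
"""Flag HTML-mail links whose displayed URL does not match the href target."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def redirect_target(href):
    """Return the first query-string value of href that is itself a URL
    (the pattern used by click-tracking redirectors), or None."""
    for values in parse_qs(urlsplit(href).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                return value
    return None


def find_mismatched_links(html):
    """Return one finding per anchor whose visible text claims to be a URL
    on a host other than the one the href actually points at."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # plain words like "click here" are not examined
        shown = text if "://" in text else "http://" + text
        if _host(shown) == _host(href):
            continue
        target = redirect_target(href)
        findings.append({
            "shown_host": _host(shown),
            "actual_host": _host(href),
            "redirects_to": target,
            # True when the redirector does forward to the displayed site
            "redirect_matches_shown": target is not None
            and _host(target) == _host(shown),
        })
    return findings


# Constructed sample modelled on the mail quoted above; ID1..ID5 are
# placeholders for the tracking parameters, not real values.
SAMPLE_MAIL = """<p>To regain access to your account, please set a new password
by going to <a href="http://www.mmsend10.com/link.cfm?r=ID1&amp;sid=ID2&amp;m=ID3&amp;u=ID4&amp;j=ID5&amp;s=http://community.nasdaq.com/reset-password.aspx">http://community.nasdaq.com/reset-password.aspx</a>,
entering your email address, and clicking "Reset Password".</p>
<p><a href="http://www.nasdaq.com">www.nasdaq.com</a>
<a href="http://community.nasdaq.com/help">Help</a></p>"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_MAIL):
        print(finding)
```

A finding with `redirect_matches_shown` true is the situation described above: a legitimate-looking destination reached only through a third party's redirector, which a recipient cannot distinguish from a phishing relay without inspecting the href.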

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.39
************************