
Risks Digest 27.64
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 18 Dec 2013 16:54:25 PST

RISKS-LIST: Risks-Forum Digest Wednesday 18 December 2013  Volume 27 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.64.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Way backlogged.  More coming.  PGN]
Chinese hackers attacked crucial government election website (CNN)
The latest example of a large, failed British government IT system
  (Peter Bernard Ladkin)
Taiwanese tourist walks off Australia pier while checking Facebook
  (Mark Brader)
Confirming the MOOC Myth (Carl Straumsheim via ACM TechNews)
After Setbacks, Online Courses Are Rethought (Tamar Lewin via ACM TechNews)
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis 
  (Genkin/Shamir/Tromer via Lauren Weinstein)
Snowden ``stole everything -- literally everything'' (Henry Baker)
NSA Uses Google Cookies to Pinpoint Targets for Hacking (Soltani/Peterson/
  Gellman)
MacBook webcams vs. spying (Lauren Weinstein)
"Two million log-ins stolen from Facebook, Google, ADP payroll processor"
  (Jeremy Kirk via Gene Wirchenko)
French cybersecurity agency says they forged Google certificates due to
  ... "human error" (ANSSI via Lauren Weinstein)
The Mission to De-Centralize the Internet (Joshua Kopstein)
The Dumbest Privacy Case of the Year (Stewart Baker)
"Where pass-the-hash attacks could be hiding" (Roger Grimes via
  Gene Wirchenko)
Re: New FCC Chairman appears to simultaneously endorse Net Neutrality
  and letting ISPs crush Net services and consumers (Bob Frankston)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 17 Dec 2013 15:02:44 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Chinese hackers attacked crucial government election website (CNN)

[Source: CNN, 17 Dec 2013]

Chinese hackers tapped into the Federal Election Commission's website during
the federal government shutdown in October, a report released Tuesday by an
investigative news organization says.

The report from the Center for Public Integrity, one of the country's oldest
and largest nonpartisan, nonprofit investigative news organizations,
indicates that hackers crashed the FEC's computer systems, which compile
federal election campaign finance information like contributions to parties
and candidates, and how those billions of dollars are spent in each election
by candidates, political parties, and independent groups such as political
action committees.

The attack came as nearly all of the FEC's employees, except for the
presidential-appointed commissioners, were furloughed due to the government
shutdown, with not even one staffer being deemed "necessary to the
prevention of imminent threats" to federal property. And it came a few
months after an independent auditor hired by the government warned that the
FEC's computer systems were at "high risk" to infiltration, a charge the
commission disputed.

"Hackers from China, in Russia, Syria, you name it are constantly targeting
U.S. websites. But what happened here with the Federal Election Commission,
which is the independent watchdog sponsored by the government to keep
elections fair and free, effectively got hit about as hard as it ever has
gotten hit," David Levinthal of the Center for Public Integrity said on
CNN's "New Day."

"It came as the FEC had absolutely no regular employees actually serving at
the agency because of the government shutdown. It was one of the agencies
that actually went completely dark during the government shutdown, only had
the commissioners themselves manning the doors, manning the systems. They
are not IT experts by any stretch of the imagination," Levinthal told CNN's
Chris Cuomo.

The CPI says the hacking incident was confirmed by three government
officials involved in an ongoing investigation that included the Department
of Homeland Security.

"Here you have for days at a time, the FEC's website - which is part and
parcel of the agency's mission to provide Americans with the ability to
access information about their elections, access information about political
campaigns and candidates - and nobody in America could do it during that
time. So it was a huge black eye, not only for the agency but for the
country's government in general," Levinthal added.

The FEC is not commenting at this time about the hacking incident.

Following the hacking incident, the FEC in November said it had moved
certain data servers off-line and replace[d] them with less powerful backup
servers, which the agency said would slow the ability of users to navigate
the website.

  [... but presumably not slow down the hackers...  PGN]

------------------------------

Date: Tue, 10 Dec 2013 10:15:52 +0100
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: The latest example of a large, failed British government IT system

This time, it's the IT support for the Department of Work and Pensions' new
program Universal Credit, which is supposed to replace many benefits
programs with just one. The write-off currently stands at £40.1m (it has been
going up steadily over the last few months) but it is expected that up to
£90m will be written down in the next five years. The quote below suggests
it was the result of requirements creep.

  Mike Driver, finance director general at the Department for Work and
  Pensions, said: "There is no use for the IT code built to run the computer
  systems. It has no future value. It is not going to generate any future
  return for the department." ... The specifications made by the
  department had changed, especially over security. The code was well
  written and engineered, the department added.  http://gu.com/p/3y42y

------------------------------

Date: Wed, 18 Dec 2013 02:38:32 -0500 (EST)
From: msb () vex net (Mark Brader)
Subject: Taiwanese tourist walks off Australia pier while checking Facebook

At least she kept hold of her phone!

http://www.bbc.co.uk/news/world-asia-25426263

  [PGN notes after reading the article:]

  There once was a tourist in Melbourne
  Whose Facebook contacts were well borne.
    Although not a swimmer,
    Her cellphone grew dimmer
  As she lay on her back, waterworn.

[Yes, I am a Canadian submitting a British report of an incident about a
Taiwanese person in Australia to an American RISKS moderator. --msb]

------------------------------

Date: Tue, 10 Dec 2013 11:56:38 -0500
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Confirming the MOOC Myth (Carl Straumsheim)

Carl Straumsheim, Inside Higher Ed, 6 Dec 2013
(via ACM TechNews 9 Dec 2013)

Massive open online courses (MOOCs) are neither transforming education nor
yielding large profits, but more time is needed to experiment with various
applications, said participants at a conference hosted by the University of
Texas at Arlington.  Preliminary results from the MOOC Research Initiative,
a grant program founded by the Bill and Melinda Gates Foundation and
administered by Athabasca University, were presented at the conference.  The
University of Pennsylvania Graduate School of Education presented research
that analyzed the study habits of 1 million students in 16 Coursera courses
between June of 2012 and 2013.  "Emerging data...show that [MOOCs] have
relatively few active users, that user 'engagement' falls off dramatically
especially after the first one to two weeks of a course, and that few users
persist to the course end," the study says.  Speakers noted that MOOCs can
cost hundreds of thousands of dollars to develop, which has created a
problematic scenario in which some institutions develop MOOCs while others
buy them.  However, some say more time is needed to research MOOCs and test
different uses, as students are benefiting from the courses in unexpected
ways.  For example, Wake Technical Community College and Udacity created an
introductory algebra review MOOC to prepare students for college placement
tests, but found that more than two-thirds of users were using it to improve
their general math skills.
http://www.insidehighered.com/news/2013/12/06/mooc-research-conference-confirms-commonly-held-beliefs-about-medium

  [With musers in every mooc and granny? PGN]

------------------------------

Date: Wed, 11 Dec 2013 11:56:44 -0500
From: ACM TechNews <technews () HQ ACM ORG>
Subject: After Setbacks, Online Courses Are Rethought (Tamar Lewin)

Tamar Lewin, *The New York Times* 10 Dec 2013
(via ACM TechNews, Wednesday, December 11, 2013)

A recent University of Pennsylvania study of a million users of massive open
online courses (MOOCs) found that, on average, only about 50 percent of
those who registered for a course ever viewed a lecture, and only about 4
percent completed the courses.  Although MOOCs were started with the goal of
providing courses for students in poor countries with little access to
higher education, the study found that about 80 percent of those taking
MOOCs had already earned a degree of some kind.  In response to some of the
initial shortcomings of several MOOC programs, their designers are making
changes to broaden their appeal.  For example, edX is producing videos to
use in some high school Advanced Placement classes, and Coursera is
experimenting with using its courses, along with a facilitator, in small
discussion classes at some U.S. consulates.  In addition, Udacity is
revamping its software so future students could have more time to work
through the courses.  "We are seeing significant improvement in learning
outcomes and student engagement," says Udacity founder and Stanford
University professor Sebastian Thrun.  Meanwhile, some MOOC pioneers are
developing a connectivist MOOC model, which is more about the connections
and communications among students than about the content delivered by a
professor.
http://www.nytimes.com/2013/12/11/us/after-setbacks-online-courses-are-rethought.html

------------------------------

Date: Wed, 18 Dec 2013 08:54:32 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
  (Genkin/Shamir/Tromer)

Daniel Genkin, Adi Shamir, Eran Tromer, assisted by Lev Pachmanov and others
http://www.cs.tau.ac.il/~tromer/acoustic/ and http://j.mp/1dmRAYj
(via NNSquad)

  "Here, we describe a new acoustic cryptanalysis key extraction attack,
  applicable to GnuPG's current implementation of RSA. The attack can
  extract full 4096-bit RSA decryption keys from laptop computers (of
  various models), within an hour, using the sound generated by the computer
  during the decryption of some chosen ciphertexts. We experimentally
  demonstrate that such attacks can be carried out, using either a plain
  mobile phone placed next to the computer, or a more sensitive microphone
  placed 4 meters away."

  [The summary at the above URLs has a link to the full version of the
  paper.  PGN]

------------------------------

Date: Tue, 17 Dec 2013 18:12:33 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Snowden ``stole everything -- literally everything''

FYI -- This particular source of news may not be the most reliable, but the
mere _possibility_ that Snowden took this amount of information, and that
the NSA itself considers it possible, makes you wonder if the NSA can be
trusted to keep secret any of the information that they sweep up on all US
residents.

Even more troubling: suppose that some of the speculation is true, and there
really are _backdoors_ installed by the NSA into the encryption systems
widely utilized on the Internet.  Snowden, or another NSA contractor with
fewer scruples, could bring down a significant fraction of the world's
Internet economy.  This is _precisely why_ these backdoors are so troubling
-- they can be used by others -- e.g., criminals, not-so-friendly
nation-states -- as well as the NSA.

http://dailycaller.com/2013/12/17/dod-official-snowden-stole-everything-literally-everything/

The Daily Caller - http://dailycaller.com -
Posted By Giuseppe Macri, 17 Dec 2013

Former National Security Agency contractor Edward Snowden stole vastly more
information than previously speculated, and is holding it at ransom for his
own protection.

``What's floating is so dangerous, we'd be behind for twenty years in terms
of access (if it were to be leaked).  He stole everything -- literally
everything,'' a ranking Department of Defense official told the Daily
Caller.

Last month British and U.S. intelligence officials speculated Snowden had in
his possession a `doomsday cache' of intelligence information, including the
names of undercover intelligence personnel stationed around the world.
Sources briefed on the matter told Reuters that such a cache could be used
as an insurance policy in the event Snowden was captured, and that, ``the
worst was yet to come.''

The officials cited no hard evidence of such a cache, but indicated it was a
possible worst-case-scenario. Some version of that scenario appears to have
come true.  [... Truncated for RISKS.  PGN]

The Daily Caller: http://dailycaller.com
http://dailycaller.com/2013/12/17/dod-official-snowden-stole-everything-literally-everything/

------------------------------

Date: Wed, 11 Dec 2013 11:56:44 -0500
From: ACM TechNews <technews () HQ ACM ORG>
Subject: NSA Uses Google Cookies to Pinpoint Targets for Hacking

Ashkan Soltani, Andrea Peterson, and Barton Gellman,
*The Washington Post*, 11 Dec 2013

New documents released by former U.S. National Security Agency (NSA)
contractor Edward Snowden indicate the agency is using Internet cookies in
its efforts to hack the computers of suspicious individuals.  NSA's Special
Source Operations (SSO) division reportedly focuses primarily on Google's
proprietary "PREF" cookie.  Google uses PREF cookies to uniquely track users
who utilize Google services or visit sites that contain Google Plus
"widgets" in order to show them personalized ads.  PREF cookies make this
possible because they contain numerical codes that enable websites to
identify a person's browser.  SSO shares this information with NSA's
offensive hacking division, Tailored Access Operations, which uses the
numerical identifiers to filter out the Internet communications of
individuals who are already under suspicion so it can send them malicious
software that gives the agency access to their computers.  The information
gleaned from PREF cookies, which does not contain personal information such
as names and email addresses, also is reportedly shared with the U.K.'s
Government Communications Headquarters.  The documents do not address the
nature of the cyberattacks carried out by the NSA with the help of PREF
cookies, and it is unclear how NSA is obtaining PREF cookies, or whether
Google is providing them to the agency.
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/

------------------------------

Date: Wed, 18 Dec 2013 12:13:44 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: MacBook webcams vs. spying

  "The built-in cameras on Apple computers were designed to prevent this,
  says Stephen Checkoway, a computer science professor at Johns Hopkins and
  a co-author of the study. "Apple went to some amount of effort to make
  sure that the LED would turn on whenever the camera was taking images,"
  Checkoway says. The 2008-era Apple products they studied had a "hardware
  interlock" between the camera and the light to ensure that the camera
  couldn't turn on without alerting its owner ..."
    http://j.mp/1dne8bt  (*The Washington Post* via NNSquad)

 - - -

There is considerable variation in how these hardware/software interlocks
are implemented, and for some it remains impossible to use the camera
without lighting the light. But this is something manufacturers can fix to
always be true -- it's not rocket science. In fact, protecting yourself from
the camera is pretty easy -- just cover it up when not in use. Integral mics
are much harder to protect against, and really, they also need hardwired
activity lights in this day and age.

------------------------------

Date: Fri, 06 Dec 2013 12:14:55 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Two million log-ins stolen from Facebook, Google, ADP payroll
  processor" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 4 Dec 2013
The attackers are using the 'Pony' botnet command-and-control server software
http://www.infoworld.com/d/security/two-million-log-ins-stolen-facebook-google-adp-payroll-processor-232051

------------------------------

Date: Sat, 7 Dec 2013 16:28:35 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: French cybersecurity agency says they forged Google certificates
  due to ... "human error"

  "As a result of a human error which was made during a process aimed at
  strengthening the overall IT security of the French Ministry of Finance,
  digital certificates related to third-party domains which do not belong to
  the French administration have been signed by a certification authority of
  the DGTrésor (Treasury) which is attached to the IGC/A."
     http://j.mp/1boGSAZ  (ANSSI via NNSquad)

"Human error" ... Yeah.

------------------------------

Date: Sat, 14 Dec 2013 16:36:49 -0500
From: David Farber <farber () gmail com>
Subject: The Mission to De-Centralize the Internet (Joshua Kopstein)

Joshua Kopstein, *The New Yorker* blog, 13 Dec 2013
http://www.newyorker.com/online/blogs/elements/2013/12/the-mission-to-decentralize-the-internet.html?goback=%2Egde_1430_member_5817512945197801473#%21

THE MISSION TO DECENTRALIZE THE INTERNET

In the nineteen-seventies, the Internet was a small, decentralized
collective of computers. The personal-computer revolution that followed
built upon that foundation, stoking optimism encapsulated by John Perry
Barlow's 1996 manifesto ``A Declaration of the Independence of Cyberspace.''
Barlow described a chaotic digital utopia, where ``netizens'' self-govern
and the institutions of old hold no sway. ``On behalf of the future, I ask
you of the past to leave us alone,'' he writes. ``You are not welcome among
us. You have no sovereignty where we gather.''

This is not the Internet we know today. Nearly two decades later, a
staggering percentage of communications flow through a small set of
corporations -- and thus, under the profound influence of those companies and
other institutions. Google, for instance, now comprises twenty-five per cent
of all North American Internet traffic; an outage last August caused
worldwide traffic to plummet by around forty per cent.

Engineers anticipated this convergence. As early as 1967, one of the key
architects of the system for exchanging small packets of data that gave
birth to the Internet, Paul Baran, predicted the rise of a centralized
``computer utility'' that would offer computing much the same way that power
companies provide electricity. Today, that model is largely embodied by the
information empires of Amazon, Google, and other cloud-computing
companies. Like Baran anticipated, they offer us convenience at the expense
of privacy.

Internet users now regularly submit to terms-of-service agreements that give
companies license to share their personal data with other institutions, from
advertisers to governments. In the U.S., the Electronic Communications
Privacy Act, a law that predates the Web, allows law enforcement to obtain
without a warrant private data that citizens entrust to third
parties -- including location data passively gathered from cell phones and
the contents of e-mails that have either been opened or left unattended for
a hundred and eighty days. As Edward Snowden's leaks have shown, these vast
troves of information allow intelligence agencies to focus on just a few key
targets in order to monitor large portions of the world's population.

One of those leaks, reported by the Washington Post in late October,
revealed that the National Security Agency secretly wiretapped the
connections between data centers owned by Google and Yahoo, allowing the
agency to collect users' data as it flowed across the companies'
networks. Google engineers bristled at the news, and responded by encrypting
those connections to prevent future intrusions; Yahoo has said it plans to
do so by next year. More recently, Microsoft announced it would do the same,
as well as open ``transparency centers'' that will allow some of its
software's source code to be inspected for hidden back doors. (However, that
privilege appears to only extend to ``government customers.'') On Monday,
eight major tech firms, many of them competitors, united to demand an
overhaul of government transparency and surveillance laws.

Still, an air of distrust surrounds the U.S. cloud industry. The
N.S.A. collects data through formal arrangements with tech companies;
ingests Web traffic as it enters and leaves the U.S.; and deliberately
weakens cryptographic standards. A recently revealed document detailing the
agency's strategy specifically notes its mission to ``influence the global
commercial encryption market through commercial relationships'' with
companies developing and deploying security products.

One solution, espoused by some programmers, is to make the Internet more
like it used to be -- less centralized and more distributed. Jacob Cook, a
twenty-three-year-old student, is the brains behind ArkOS, a lightweight
version of the free Linux operating system. It runs on the credit-card-sized
Raspberry Pi, a thirty-five dollar microcomputer adored by teachers and
tinkerers. It's designed so that average users can create personal clouds to
store data that they can access anywhere, without relying on a distant data
center owned by Dropbox or Amazon. It's sort of like buying and maintaining
your own car to get around, rather than relying on privately owned
taxis. Cook's mission is to ``make hosting a server as easy as using a
desktop P.C. or a smartphone,'' he said.

Like other privacy advocates, Cook's goal isn't to end surveillance, but to
make it harder to do en masse. ``When you couple a secure, self-hosted
platform with properly implemented cryptography, you can make N.S.A.-style
spying and network intrusion extremely difficult and expensive,'' he told me
in an e-mail.

Persuading consumers to ditch the convenience of the cloud has never been an
easy sell, however. In 2010, a team of young programmers announced Diaspora,
a privacy-centric social network, to challenge Facebook's centralized
dominance. A year later, Eben Moglen, a law professor and champion of the
Free Software movement, proposed a similar solution called the Freedom
Box. The device he envisioned was to be a small computer that plugs into
your home network, hosting files, enabling secure communication, and
connecting to other boxes when needed. It was considered a call to
arms -- you alone would control your data.

But, while both projects met their fund-raising goals and drummed up a good
deal of hype, neither came to fruition. Diaspora's team fell into disarray
after a disappointing beta launch, personal drama, and the appearance of new
competitors such as Google+; apart from some privacy software released last
year, Moglen's Freedom Box has yet to materialize at all.

``There is a bigger problem with why so many of these efforts have failed''
to achieve mass adoption, said Brennan Novak, a user-interface designer who
works on privacy tools. The challenge, Novak said, is to make decentralized
alternatives that are as secure, convenient, and seductive as a Google
account. ``It's a tricky thing to pin down,'' he told me in an encrypted
online chat. ``But I believe the problem exists somewhere between the
barrier to entry (user-interface design, technical difficulty to set up, and
over-all user experience) versus the perceived value of the tool, as seen by
Joe Public and Joe Amateur Techie.''

One of Novak's projects, Mailpile, is a crowd-funded e-mail application with
built-in security tools that are normally too onerous for average people to
set up and use -- namely, Phil Zimmermann's revolutionary but never widely
adopted Pretty Good Privacy. ``It's a hard thing to explain.  A lot of
peoples' eyes glaze over,'' he said. Instead, Mailpile is being designed in
a way that gives users a sense of their level of privacy, without knowing
about encryption keys or other complicated technology. Just as important,
the app will allow users to self-host their e-mail accounts on a machine
they control, so it can run on platforms like ArkOS.

``There already exist deep and geeky communities in cryptology or
self-hosting or free software, but the message is rarely aimed at
non-technical people,'' said Irina Bolychevsky, an organizer for
Redecentralize.org, an advocacy group that provides support for projects
that aim to make the Web less centralized.

Several of those projects have been inspired by Bitcoin, the math-based
e-money created by the mysterious Satoshi Nakamoto. While the peer-to-peer
technology that Bitcoin employs isn't novel, many engineers consider its
implementation an enormous technical achievement. The network's
``nodes'' -- users running the Bitcoin software on their
computers -- collectively check the integrity of other nodes to ensure that
no one spends the same coins twice. All transactions are published on a
shared public ledger, called the ``block chain,'' and verified by
``miners,'' users whose powerful computers solve difficult math problems in
exchange for freshly minted bitcoins. The system's elegance has led some to
wonder: if money can be decentralized and, to some extent, anonymized, can't
the same model be applied to other things, like e-mail?

Bitmessage is an e-mail replacement proposed last year that has been called
the ``Bitcoin of online communication.'' Instead of talking to a central
mail server, Bitmessage distributes messages across a network of peers
running the Bitmessage software. Unlike both Bitcoin and e-mail, Bitmessage
``addresses'' are cryptographically derived sequences that help encrypt a
message's contents automatically. That means that many parties help store
and deliver the message, but only the intended recipient can read
it. Another option obscures the sender's identity; an alternate address
sends the message on her behalf, similar to the anonymous ``re-mailers''
that arose from the cypherpunk movement of the nineteen-nineties.

Another ambitious project, Namecoin, is a P2P system almost identical to
Bitcoin. But instead of currency, it functions as a decentralized
replacement for the Internet's Domain Name System. The D.N.S. is the
essential ``phone book'' that translates a Web site's typed address
(www.newyorker.com) to the corresponding computer's numerical I.P. address
(192.168.1.1). The directory is decentralized by design, but it still has
central points of authority: domain registrars, which buy and lease Web
addresses to site owners, and the U.S.-based Internet Corporation for
Assigned Names and Numbers, or I.C.A.N.N., which controls the distribution
of domains.

The infrastructure does allow for large-scale takedowns, like in 2010, when
the Department of Justice tried to seize ten domains it believed to be
hosting child pornography, but accidentally took down eighty-four thousand
innocent Web sites in the process. Instead of centralized registrars,
Namecoin uses cryptographic tokens similar to bitcoins to authenticate
ownership of ``.bit'' domains. In theory, these domain names can't be
hijacked by criminals or blocked by governments; no one except the owner can
surrender them.

Solutions like these follow a path different from Mailpile and ArkOS. Their
peer-to-peer architecture holds the potential for greatly improved privacy
and security on the Internet. But existing apart from commonly used
protocols and standards can also preclude any possibility of widespread
adoption. Still, Novak said, the transition to an Internet that relies more
extensively on decentralized, P2P technology is ``an absolutely essential
development,'' since it would make many attacks by malicious
actors -- criminals and intelligence agencies alike -- impractical.

Though Snowden has raised the profile of privacy technology, it will be up
to engineers and their allies to make that technology viable for the
masses. ``Decentralization must become a viable alternative,'' said Cook,
the ArkOS developer, ``not just to give options to users that can self-host,
but also to put pressure on the political and corporate institutions.''

``Discussions about innovation, resilience, open protocols, data ownership
and the numerous surrounding issues,'' said Redecentralize's Bolychevsky,
``need to become mainstream if we want the Internet to stay free,
democratic, and engaging.''

------------------------------

Date: Mon, 16 Dec 2013 11:25:12 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Dumbest Privacy Case of the Year

In Dave Farber's IP distribution, Stewart Baker contributed an item with the
above subject line, with three candidates for such an award.  Go to Dave's
site for all the subtended URLs.  I have simplified this for RISKS.  Stewart
notes that All Three Awards -- and All the Nominees -- Are Listed Here:
http://www.skatingonstilts.com/skating-on-stilts/dubious-achievements-in-privacy-law-introducing-the-2013-privies.html

  a.  Boston Police Department (Commissioner William Evans)
      Record Your Talk with Boston Police, Face Felony Wiretap Charges

When Taylor Harding called the Boston Police Department's press spokesman
about his case, he recorded the call and posted it to YouTube.  At which
point the Boston police charged him with felony wiretapping.  Pretty stupid,
but don't blame the cops.  Blame privacy law.

Under Massachusetts law, it's a righteous bust, thanks to the privacy
advocates who persuaded the Massachusetts legislature that both participants
in a call had to agree before the call could be recorded.  Spurred by a
technological panic, the legislature couldn't have been clearer about its
intent: "The uncontrolled development and unrestricted use of modern
electronic surveillance devices pose grave dangers to the privacy of all
citizens of the Commonwealth.  Therefore, the secret use of such devices by
private individuals must be prohibited.''

Chalk up another unintended consequence for privacy advocates trying to stop
the march of technology. As the tools for recording conversations and even
video spread to everyone, the two-party consent law doesn't make sense and
is mostly enforced only on behalf of the rich and powerful.  So this case
was almost nominated in the category "Worst Use of Privacy Law to Protect
Power and Privilege."  But in the end, the Boston Police Department was
ridiculed into dropping the case.  Turns out that the police don't quite
have as much power and privilege as the technorati.  Which is really only
comforting if you think the technorati lynch mob will never come for you.

  b.  Joffe v. Google (Hon. Jay Bybee, Ninth Circuit)

"Radio Waves Aren't Radio. Publicly Accessible Broadcasts Aren't Publicly
Accessible. And #$kjhi&#^- ..."

When Google's Street View car collected wi-fi signals from the homes and
businesses it passed, it only gathered information that anyone could have
gathered without leaving the street.  The users who hadn't secured their
wi-fi signals decided to shoot the messenger, suing Google for illegally
wiretapping them.  Kind of a long shot legal claim, since the law exempts
the capturing of radio broadcasts and publicly accessible communications;
there's not much doubt that wi-fi uses radio waves and can be accessed by
the public if it's not secured.  But Judge Bybee of the Ninth Circuit wasn't
deterred by either of the barriers to holding Google liable.
He decided that radio communications are only those things we hear on the
AM-FM dial.  As for being publicly accessible, he writes, why that's
ridiculous: if you listened to wi-fi signals on an AM radio, "they would
sound indistinguishable from random noise."

Come to think of it, so does this opinion.

  c.  FTC v. LabMD (Federal Trade Commission)

Stupid Mistake + Media Coverage = Unfair Practice

When LabMD set up security for its network, it didn't expect a rogue
employee to poke holes in its security by running Limewire, a program
notorious for sharing pirated music -- as well as any business or personal
records that happen to be on the same network. And it certainly didn't
expect a complaint from the Federal Trade Commission when Limewire shared a
spreadsheet with customer data.

There's no doubt that LabMD made a mistake, and a bad one. But the Federal
Trade Commission isn't empowered to correct every mistake made by American
businesses.  It only has authority to charge companies that have committed
"unfair practices."  What LabMD did may have been dumb; it may have been
sloppy; but you've got to strain pretty hard to call it an unfair
practice.  The FTC has been trying for years to become America's privacy
and security enforcer.  For just as long, Congress has refused to give it
that role.

You have to admire an agency with the *cojones* to argue that it can make
up its own legal authority as well as the offenses that it chooses to
punish.  Maybe if you look closely at the seal, you can see the agency's
true motto:  "Whatever It Takes:  Finding Ways To Punish Companies
Criticized by the New York Times Since 1914."

   d.  The Gmail Wiretapping Claims (Hon. Lucy Koh, N.D. Cal.)

Judge Uncovers Wiretap Plot with 425 Million Co-Conspirators

Is there anyone left who doesn't know that Google provides free email and
pays for it by serving ads tied to the content of your correspondence?  In
fact, it's the most popular free email service on the planet, endorsed by
425 million subscribers who voted with their feet for Gmail.

Apparently the Gmail business model was news to Lucy Koh, a federal judge in
San Francisco, who decided that all 425 million Gmail subscribers were dopes
who couldn't possibly have consented to Google's automated scanning of email
content, even though its terms of service said the company reserved the
right to "pre-screen, review, flag, [or] modify ... any or all Content from
any Service."  That language didn't count, Judge Koh said, because it didn't
tell consumers that Google was reviewing the mail to provide ads as well as
to find objectionable content.

Maybe Google could have written a clearer (though longer and therefore less
readable) document.  But the effect of Judge Koh's tortured reading was to
make Google potentially liable under the wiretap laws for tapping the
communications of all 425 million users, plus everyone they wrote to.  At
$10,000 per violation, that's a pretty heavy price for free email.  Not to
mention that, if you were one of the 424,999,999 subscribers who actually
understood the business model, it looks as though Judge Koh just exposed you
to liability for aiding and abetting the wiretapping of everyone you slyly
tricked into exchanging mail with you.  In fact, the result was so strained
that it couldn't even persuade a magistrate in the same court, who read her
opinion and ruled the other way despite being outranked by Judge Koh.  Oh,
and those spam filters you couldn't live without?  In a footnote, Judge Koh
suggests they're wiretapping too unless they have a consent clause that even
a federal judge can understand.

Before this decision, Judge Koh was most famous for telling an attorney for
Apple that he must be "smoking crack."  Judge Koh, in contrast, seems intent
on smoking the rubble of the Internet economy.

------------------------------

Date: Wed, 18 Dec 2013 10:06:09 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Where pass-the-hash attacks could be hiding" (Roger Grimes)

Roger A. Grimes | InfoWorld, 17 Dec 2013
Windows computer and service accounts, as opposed to user accounts,
can be especially vulnerable to hash theft. Here's how to reduce the risk
http://www.infoworld.com/d/security/where-pass-the-hash-attacks-could-be-hiding-232757

------------------------------

Date: 5 Dec 2013 14:58:51 -0500
From: "Bob Frankston" <bob2 () bob ma>
Subject: Re: New FCC Chairman appears to simultaneously endorse Net
  Neutrality and letting ISPs crush Net services and consumers (RISKS-27.63)

When a scientist sees such a contradiction, it's an indication that there is
an error in the hypothesis or statement of the problem. In this case we have
yet another reminder that today's telecommunications policies, modeled on
the ICC which regulated railroads, no longer make sense now that value is
created outside of the networks.

Yet we continue to treat each of these symptoms on its own. It's like
spending all our time analyzing each new perpetual motion machine without
figuring out the principles of thermodynamics.

Part of this is the risk of failing to see that business models are subject
to the same reality checks as technology. Science isn't just about physics
-- it's about learning from counterexamples. By ascribing these symptoms to
moral failings -- bad policies by bad people -- we fail to learn and simply
repeat history.

The bigger risk, perhaps, is that these just-so stories dominate the public
forum to the point that saying something like "another perpetual motion
machine" seems like crying wolf.

  [Further discussion on Dave Farber's IP.  PGN]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.64
************************