Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 27.80
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 17 Mar 2014 16:56:13 PDT

RISKS-LIST: Risks-Forum Digest  Monday 17 March 2014  Volume 27 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.80.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Malaysia Airlines Flight MH370 network hacked? (Andrew Douglass)
As the Web Turns 25, Its Creator Talks About Its Future (Nick Bilton)
What the Internet of 2025 Might Look Like (Brian R. Fitzgerald)
Cyberattacks Could Paralyze U.S., Former Defense Chief Warns
  (Patrick Thibodeau)
"The Future of Internet Freedom" (Eric E. Schmidt and Jared Cohen)
Worrying about NSA? Concentrate on Experian instead (George Sadowsky)
NSA wants to infect **millions** of computers (Dan Gillmor)
Who watches the watchers? (Henry Baker)
Governor Christie's New Scandal: Verizon's Fiber-Optic-"Digital Bridge" Gate
  (Bruce Kushnick)
Man called Bitcoin's father denies ties, leads LA car chase
  (Lauren Weinstein)
Re: Anne Rice (David E. Ross)
Re: TrustyCon and the RSA con NSA poll (the wharf rat)
Re: Apple's GotoFail Security Mess (John Beattie)
Re: Applied Systems Theory (George Ledin)
Re: Threat Modeling: Designing for Security (Paul Edwards)
BOOK: Rebecca Slayton: Arguments That Count (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 12 Mar 2014 14:23:39 -0400
From: Andrew Douglass <andrew () douglass org>
Subject: Malaysia Airlines Flight MH370 network hacked?

http://www.ibtimes.co.uk/malaysia-airlines-flight-mh370-could-jets-system-have-been-hacked-1439928

I'm hoping it's nonsense that such commingling would ever be approved in the
first place.

* The concern was that the passenger in-flight entertainment system would be
  connected to critical systems for managing the safety and maintenance of
  the aircraft.

* Passenger seatback entertainment systems come with ethernet and USB ports,
  which would in theory enable access to a hacker to the critical computer
  systems.

  [There is still lots of speculation regarding this incident, and lots
  of definitude that may or may not eventually be determined.  PGN]

------------------------------

Date: Wed, 12 Mar 2014 11:31:29 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: As the Web Turns 25, Its Creator Talks About Its Future
  (Nick Bilton)

Nick Bilton, *The New York Times*, 11 Mar 2014
  [Via ACM TechNews, Wednesday, March 12, 2014]

The creators of the World Wide Web, including Sir Tim Berners-Lee, worry
that companies could destroy the open nature of the Internet in their quest
to make more money.  The World Wide Web Foundation estimates that every
minute, billions of connected users send each other hundreds of millions of
messages, share 20 million photos, and exchange at least $15 million in
goods and services.  "I spent a lot of time trying to make sure people could
put anything on the Web, that it was universal," Berners-Lee says.
"Obviously, I had no idea that people would put literally everything on it."
However, despite all of the advances brought about by the World Wide Web, he
says people need to realize that a current battle around so-called network
neutrality could permanently harm the future of the Web.  "The Web should be
a neutral medium.  The openness of the Web is really, really important,"
Berners-Lee says.  "It's important for the open markets, for the economy,
and for democracy."  He plans to spend the next year working with Web
consortia to spread awareness of these issues.  "It's possible that people
end up taking the Web for granted and having it pulled out from underneath
them," he says.
http://bits.blogs.nytimes.com/2014/03/11/as-the-world-wide-web-turns-25-fear-about-its-future/

------------------------------

Date: Wed, 12 Mar 2014 11:31:29 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: What the Internet of 2025 Might Look Like (Brian R. Fitzgerald)

Brian R. Fitzgerald, *The Wall Street Journal*, 11 March 2014
  [Via ACM TechNews, Wednesday, March 12, 2014]

As the Internet approaches its 25-year anniversary, the Pew Research Center
has released responses from science and technology experts about what the
future Internet might look like.  Pew had asked a group of experts in
various fields what impact they thought the Internet would have in 2025 on
social, political, and economic processes.  Experts predict the Internet
will be thoroughly embedded in homes and integrated into people's daily
lives, with some noting a rise in wearable technology, massive open online
courses, and business model changes.  "We may literally be able to adjust
both medications and lifestyle changes on a day-by-day basis or even an
hour-by-hour basis, thus enormously magnifying the effectiveness of an ever
more understaffed medical delivery system," predicts University of
California, Berkeley software developer Aron Roberts.  Massachusetts
Institute of Technology senior research scientist David Clark says devices
will become increasingly autonomous.  "More and more, humans will be in a
world in which decisions are being made by an active set of cooperating
devices," Clark says.  Google chief Internet evangelist and ACM president
Vint Cerf says business models will need to adapt to the economics of
digital communication and storage.  He also says, "We may finally get to
Internet voting, but only if we have really strong authentication methods
available."
http://blogs.wsj.com/digits/2014/03/11/what-the-internet-of-2025-might-look-like/

------------------------------

Date: Wed, 12 Mar 2014 11:31:29 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Cyberattacks Could Paralyze U.S., Former Defense Chief Warns
  (Patrick Thibodeau)

Patrick Thibodeau, *Computerworld* 11 March 2014
  [Via ACM TechNews, Wednesday, March 12, 2014]

Former U.S. Secretary of Defense Leon Panetta on Tuesday said a large-scale
cyberattack against U.S. infrastructure is "the most serious threat in the
21st century."  Panetta emphasized the need for improved cyberdefense and
public education about cyberattack risks and said a large-scale attack could
"devastate our critical infrastructure and paralyze our nation."  He
compared the impact of a cyberattack to the damage caused by Hurricane
Sandy.  "We have to take steps to better defend ourselves against this
threat," Panetta said.  "The American people need to understand that that
this is not about hacking and identity theft, it has the potential for a
major attack on the United States."  Meanwhile, the U.S. Justice
Department's Richard Downing warned that international cybercriminals are
becoming more involved with organized crime, which makes their activities
harder to stop.  Downing also said extradition difficulties and evidence
gathering are obstacles to stopping cybercriminals, particularly in less
technically-advanced countries.  In addition, Georgetown University's
Catherine Lotrionte estimated that losses from international intellectual
property theft average about $300 billion a year.
http://www.computerworld.com/s/article/9246886/Cyberattacks_could_paralyze_U.S._former_defense_chief_warns

------------------------------

Date: Wed, 12 Mar 2014 08:59:53 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "The Future of Internet Freedom" (Eric E. Schmidt and Jared Cohen)

  The details aren't pretty. In Russia, the government has blocked tens of
  thousands of dissident sites; at times, all WordPress blogs and Russian
  Wikipedia have been blocked. In Vietnam, a new law called Decree 72 makes
  it illegal to digitally distribute content that opposes the government, or
  even to share news stories on social media.  And in Pakistan, sites that
  were available only two years ago - like Tumblr, Wikipedia and YouTube -
  are increasingly replaced by unconvincing messages to "Surf Safely."
http://bits.blogs.nytimes.com/2014/03/10/at-sxsw-snowden-speaks-about-n-s-a-spying/?hp
A later version appeared as an op-ed in *The New York Times* on 12 Mar 2014.

------------------------------

Date: March 10, 2014 at 1:34:06 PM EDT
From: George Sadowsky <george.sadowsky () gmail com>
Subject: Worrying about NSA? Concentrate on Experian instead

14 Mar 2014 (via Dave Farber)
Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
http://http://krebsonsecurity.com

In October 2013, KrebsOnSecurity published an exclusive story detailing how
a Vietnamese man running an online identity theft service bought personal
and financial records on Americans directly from a company owned by
Experian, one of the three major U.S. credit bureaus. Today's story looks
deeper at the damage wrought in this colossal misstep by one of the nation's
largest data brokers.

Vietnamese national Hieu Minh Ngo pleaded guilty last week to running the ID
theft service Superget.info.

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty
to running an identity theft service out of his home in Vietnam. Ngo was
arrested last year in Guam by U.S. Secret Service agents after he was lured
into visiting the U.S. territory to consummate a business deal with a man he
believed could deliver huge volumes of consumers' personal and financial
data for resale.

But according to prosecutors, Ngo had already struck deals with one of the
world's biggest data brokers: Experian. Court records just released last
week show that Ngo tricked an Experian subsidiary into giving him direct
access to personal and financial data on more than 200 million Americans.

------------------------------

Date: March 12, 2014 at 12:24:32 PM EDT
From: Dan Gillmor <dan () gillmor com>
Subject: NSA wants to infect **millions** of computers (via Dave Farber)

Even paranoid people were underestimating the threat, it seems:

https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/

------------------------------

Date: Tue, 11 Mar 2014 16:53:07 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Who watches the watchers?

A.k.a. "Quis custodiet ipsos custodes?" -- a Latin phrase attributed to the
Roman poet Juvenal.

http://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%3F

A version of Russell's Paradox states "The barber is a man in town who
shaves all those, and only those, men in town who do not shave themselves."
This "diagonalization" argument is also used to prove the undecidability of
logical problems.

http://en.wikipedia.org/wiki/Barber_paradox

Clearly, Senator Feinstein, as one of the watchdogs of the intelligence
agencies, has been just as shocked and surprised as the rest of us to find
out how lawless and ungovernable these intelligence agencies have become.
But the ancient Romans clearly understood the problem that the watchers all
too easily become unwatchable.

http://www.washingtonpost.com/world/national-security/transcript-sen-dianne-feinstein-says-cia-searched-intelligence-committee-computers/2014/03/11/200dc9ac-a928-11e3-8599-ce7295b6851c_story.html

Feinstein: CIA searched Senate computers

Transcript: Sen. Dianne Feinstein says CIA searched Intelligence Committee
computers

Sen. Dianne Feinstein on Tuesday morning accused the CIA of violating
federal law, detailing how the agency secretly removed documents from
computers used by the Senate Intelligence Committee.  The following is a
complete transcript of Feinstein's speech, courtesy of Federal News Service.

Good morning.  Over the past week, there have been numerous press articles
written about the Intelligence Committee's oversight review of the
detention and interrogation program of the CIA.  Specifically, press
attention has focused on the CIA's intrusion and search of the Senate
Select Committee's computers, as well as the committee's acquisition
of a certain internal CIA document known as the `Panetta Review.' I
rise today to set the record straight and to provide a full accounting of
the facts and history.

Let me say up front that I come to the Senate floor reluctantly.  Since
January 15th, 2014, when I was informed of the CIA search of this
committee's network, I've been trying to resolve this dispute in a
discreet and respectful way.

I have not commented in response to media requests for additional
information on this matter, however the increasing amount of inaccurate
information circulating now cannot be allowed to stand unanswered.

The origin of this study, the CIA's detention and interrogation program,
began operations in 2002, though it was not until September, 2006 that
members of the intelligence committee, other than the chairman and the vice
chairman were briefed.  In fact, we were briefed by then-CIA Director Hayden
only hours before President Bush disclosed the program to the public.

A little more than a year later, on December 6th, 2007, a New York Times
article revealed the troubling fact that the CIA had destroyed video tapes
of some of the CIA's first interrogations using so-called enhanced
techniques.  We learned that this destruction was over the objections of
President Bush's White House counsel and the director of national
intelligence.

After we read -- excuse me -- read about the tapes of the destruction in the
newspapers, Director Hayden briefed the Senate Intelligence Committee.  He
assured us that this was not destruction of evidence, as detailed records of
the interrogations existed on paper in the form of CIA operational tables
describing the detention conditions and the day-to-day CIA interrogations.

The CIA director stated that these cables were, quote, a more than adequate
representation, end quote, of what would have been on the destroyed tapes.
Director Hayden offered at that time, during Senator Jay Rockefeller's
chairmanship of the committee, to allow members or staff review these
sensitive CIA operational cables, that the videotapes -- given that the
videotapes had been destroyed.

Chairman Rockefeller sent two of his committee staffers out to the CIA on
nights and weekends to review thousands of these cables, which took many
months.  By the time the two staffers completed their review into the
CIA's early interrogations in early 2009, I had become chairman of the
committee and President Obama had been sworn into office.

The resulting staff report was chilling.  The interrogations and the
conditions of confinement at the CIA detentions sites were far different and
far more harsh than the way the CIA had described them to us.

As a result of the staff initial report, I proposed and then-Vice Chairman
Bond agreed and the committee overwhelmingly approved that the committee
conduct an expansive and full review of the CIA's detention and
interrogation program.

On March 5th, 2009, the committee voted 14-1 to initiate a comprehensive
review of the CIA detention and interrogation program.

Immediately, we sent a request for documents to all relevant executive
branch agencies, chiefly among them the CIA.  The committee's preference was
for the CIA to turn over all responsive documents to the committee's office,
as had been done in previous committee investigations.

Director Panetta proposed an alternative arrangement, to provide literally
millions of pages of operational cables, internal emails, memos and other
documents pursuant to a committee's document request at a secure location in
northern Virginia.  We agreed, but insisted on several conditions and
protections to ensure the integrity of this congressional investigation.

Per an exchange of letters in 2009, then-Vice Chairman Bond, then-Director
Panetta and I agreed in an exchange of letters that the CIA was to provide
a, quote, stand-alone computer system, end quote, with a, quote, network
drive segregated from CIA networks, end quote, for the committee that would
only be accessed by information technology personnel at the CIA who would,
quote, not be permitted to share information from the system with other CIA
personnel, except as otherwise authorized by the committee, end quote.

It was this computer network that notwithstanding our agreement with
Director Panetta was searched by the CIA this past January -- and once
before, which I will later describe.

In addition to demanding that the documents produced for the committee be
reviewed at a CIA facility, the CIA also insisted on conducting a
multi-layered review of every responsive document before providing the
document to the committee.  This was to ensure the CIA did not mistakenly
provide documents unrelated to the CIA's detention and interrogation program
or provide documents that the president could potentially claim to be
covered by executive privilege.

While we viewed this as unnecessary, and raised concerns that it would delay
our investigation, the CIA hired a team of outside contractors who otherwise
would not have had access to these sensitive documents to read multiple
times each of the 6.2 million pages of documents produced before providing
them to fully cleared committee staff conducting the committee's oversight
work.  This proved to be a slow and very expensive process.

The CIA started making documents available electronically to the committee's
staff at the CIA leased facility in mid-2009.  The number of pages ran
quickly to the thousands, tens of thousands, the hundreds of thousands and
then into the millions.  The documents that were provided came without any
index, without any organizational structure.  It was a true document dump
that our committee staff had to go through and make sense of.

In order to piece together the story of the CIA's detention and
interrogation program, the committee staff did two things that will be
important as I go on.  First, they asked the CIA to provide an electronic
search tool so they could locate specific relevant documents for their
search among the CIA-produced documents, just like you would use a search
tool on the Internet to locate information.

Second, when the staff found a document that was particularly important or
that might be referenced in our file report, they would often print it or
make a copy of the file on their computer so they could easily find it
again.  There are thousands of such documents in the committee's secure
spaces at the CIA facility.

Now, prior removal of documents by CIA.  In early 2010, the CIA was
continuing to provide documents and the committee staff was gaining
familiarity with the information it had already received.  In May of 2010,
the committee staff noticed that the documents had been provided for the
committee -- that had been provided for the committee's review were no
longer accessible.

Staff approached the CIA personnel at the off-site location, who initially
denied that documents had been removed.  CIA personnel then blamed
information technology personnel, who were almost all contractors, for
removing the documents themselves without direction or authority.

And then the CIA stated that the removal of the documents was ordered by the
White House.  When the White -- when the committee approached the White
House, the White House denied giving the CIA any such order.

After a series of meetings, I learned that on two occasions CIA personnel
electronically removed committee access to CIA documents after providing
them to the committee.  This included roughly 870 documents or page of
documents that were removed in February 2010; and secondly, roughly another
50 that were removed in mid-May 2010.  This was done without the knowledge
or approval of committee members or staff, and in violation of our written
agreements.  Further, this type of behavior would not have been possible had
the CIA allowed the committee to conduct the review of documents here in the
Senate.  In short, this was the exact sort of CIA interference in our
investigation that we sought to avoid at the outset.

I went up to the White House to raise the issue with the then- White House
counsel.  In May 2010, he recognized the severity of the situation and the
great implications of executive branch personnel interfering with an
official congressional investigation.  The matter was resolved with a
renewed commitment from the White House counsel and the CIA that there would
be no further unauthorized access to the committee's network or removal of
access to CIA documents already provided to the committee.

On May 17th, 2010, the CIA's then-director of congressional affairs
apologized on behalf of the CIA for removing the documents.  And that as far
as I was concerned put the incidents aside.  This event was separate from
the documents provided that were part of the internal Panetta review, which
occurred later and which I will describe next.

At some point in 2010, committee staff searching the documents that had been
made available found draft versions of what is now called the internal
Panetta review.  We believe these documents were written by CIA personnel to
summarize and analyze the materials that had been provided to the committee
for its review.  The Panetta review documents were no more highly classified
than other information we had received for our investigation.  In fact, the
documents appeared based on the same information already provided to the
committee.  What was unique and interesting about the internal documents was
not their classification level but rather their analysis and acknowledgment
of significant CIA wrongdoing.

To be clear, the committee staff did not hack into CIA computers to obtain
these documents, as has been suggested in the press. [...]

  [This is a much longer item, but truncated for RISKS.  PGN]

------------------------------

Date: Fri, 7 Mar 2014 14:24:03 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Governor Christie's New Scandal: Verizon's Fiber-Optic-"Digital
  Bridge" Gate (Bruce Kushnick)

On March 7, 2014 at 3:28:16 PM, Bruce Kushnick (bruce () newnetworks com) wrote:
Governor Christie's New Scandal: Verizon's Fiber-Optic-"Digital Bridge" Gate
http://www.huffingtonpost.com/bruce-kushnick/the-contime-merger-do-we-_b_4839339.html

It is now clear that while Governor Christie is embroiled in 'bridgegate',
which is about clogging and blocking of traffic movement over a bridge,
another scandal is brewing. Christie's New Jersey Board of Public Utilities
is about to close the digital highways to 1/3 or 1/2 of the State's
residential and business customers, not to mention harming schools,
libraries, hospitals or the municipalities' services and economic growth in
these areas.

President Obama has announced plans for 'bridging the digital divide'. In
this scandal, Governor Christie's State Commission, his Attorney General's
Office and the state Consumer Rate Counsel are planning to allow Verizon to
simply erase the laws and commitments to have 100% of Verizon New Jersey's
territory upgraded, replacing the old copper wires with a fiber optic
service capable of 45 Mbps in both directions -- and it was supposed to be
done by the year 2010.

That's right. Back in 1991, Verizon New Jersey claimed it would make New
Jersey the first fully fiberized state with a plan called "Opportunity New
Jersey". Customers paid Verizon about $15 billion dollars in excess phone
charges (and tax perks) to do this construction for over two decades, not to
mention additional rate increases along the way-- and these increase have
been built into current rates for the last 2+ decades.

And yet, on 29 Jan 2014, the NJ Board of Public Utilities (NJBPU) offered
Verizon a stipulation agreement that will extinguish this commitment, which
is only partially done. I'll get back to this.

I wasn't suspicious until I started digging into why the NJBPU would take
this ridiculous path. In fact, the State had actually woken up in 2012 and
issued a 'show cause order', asking Verizon why two towns, Greenwich and
Stow Creek, weren't already upgraded. And in 2013, the State ordered Verizon
to do the work.

But, what caught my eye was this -- two weeks before, on January 14th, 2014,
a new President of the Board of Public Utilities was installed and she was
not only chosen by Governor Christie, but is part of his cabinet.

"Dianne Solomon was named by Governor Christopher J. Christie as President
to the N.J. Board of Public Utilities (BPU) on January 14, 2014. President
Dianne Solomon also serves as a member of the Governor's Cabinet. President
Solomon was nominated by Governor Chris Christie to serve as Commissioner to
the Board of Public Utilities on April 17, 2013, and confirmed by the New
Jersey Senate on June 27, 2013."  And all the State had to do was to just
enforce the laws. All it had to say was - 'You didn't complete the job. Now
upgrade 100% of your state territory or we'll audit the books and have you
give back the money'

Instead, we ask - Is it a coincidence that the State decided to erase the
laws at this juncture? Does Governor Christie know about this or was it his
decision?

There's an underbelly to this.

To read the rest of this article:

http://www.huffingtonpost.com/bruce-kushnick/the-contime-merger-do-we-_b_4839339.html

------------------------------

Date: Thu, 6 Mar 2014 16:27:34 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Man called Bitcoin's father denies ties, leads LA car chase

http://j.mp/1fbZgvV  (Reuters, via NNSquad)

  A Japanese American man thought to be the reclusive multi-millionaire
  father of Bitcoin emerged from a modest Southern California home and
  denied involvement with the digital currency before leading reporters on a
  freeway car chase to the local headquarters of the Associated Press ...
  Newsweek included a photograph and a described a short interview, in which
  Nakamoto said he was no longer associated with Bitcoin and that it had
  been turned over to other people. The magazine concluded that the man was
  the same Nakamoto who founded Bitcoin ...  He was mobbed by reporters and
  told them he was looking for someone who understood Japanese to buy him a
  free lunch...  "I'm not involved in Bitcoin. Wait a minute, I want my free
  lunch first. I'm going with this guy," Nakamoto said, pointing at a
  reporter from AP...  "I'm not in Bitcoin, I don't know anything about it,"
  the man said again while walking down the street with several cameras at
  his heels ...

You just can't make this stuff up -- even here in L.A.

------------------------------

Date: Thu, 06 Mar 2014 13:33:03 -0800
From: "David E. Ross" <david () rossde com>
Subject: Re: Anne Rice (RISKS-27.79)

I find it interesting that, of all people, Anne Rice opposes the use of
pseudonyms.  She wrote several erotic novels under the pseudonyms Anne
Rampling and A. N. Roquelaure, presumably to hide the fact of her
authorship.

------------------------------

Date: Thu, 6 Mar 2014 22:43:58 -0500 (EST)
From: "the wharf rat" <wrat () panix com>
Subject: Re: TrustyCon and the RSA con NSA poll (RISKS-27.79_

If 52% of the RSA conference attendees support NSA surveillance in its
current form, it might just mean that the NSA has a lot of people attending
the RSA conference.

  [Or more likely friends of the family?  PGN]

------------------------------

Date: Thu, 13 Mar 2014 21:32:14 +0000
From: John Beattie <jkb () hignfy demon co uk>
Subject: Re: Apple's GotoFail Security Mess (RISKS-27.76)

  http://catless.ncl.ac.uk/Risks/27.76.html#subj8   #GotoFail

My compiler tells me when there is unreachable code. Why doesn't Apple's?
Especially, why doesn't Apple's when it is being used to compile crypto code?

I don't agree with Langley at Google: whoever was responsible for this was
deeply unprofessional as a software engineer.

------------------------------

Date: Mon, 10 Mar 2014 12:42:28 -0700
From: George Ledin <ledin () sonoma edu>
Subject: Re: Applied Systems Theory

The Inside Risks article by Nancy Leveson and William Young (CACM, February
2014, Vol.57, No.2, pages 31-35) is an excellent overview of the
systems-theoretic approach applied to the thorny problems of safety and
security.

William and Nancy frame the differences between the concepts of safety and
security as rooted in the intents of the actions and the benevolence or
malevolence of the actors. It is an ancient conceptual structure developed
over centuries of experience. It is what distinguishes intentional torts
(civil wrongs) from negligence. The difference is crisp, even if negligent
behavior escalates to recklessness. Greater liability attaches depending on
the seriousness level of the result. The issue at hand is action versus
inaction, for there are consequences either way. The medieval but brilliant
notion of scienter deals with how innocent or guilty is the actor's
foreknowledge of the event.

Put simply, safety is the (relative) freedom from the occurrence or risk of
injury or loss. Security is the (relative) assurance that the danger of
injury or loss is mitigated. Therefore security is the (relative) guarantee
of safety. As Nancy and William state, an actor's purpose has limited
relevance.

The problem is the lack of remedies or, more succinctly, the immaturity of
computer science, and, especially, software engineering.  We are stuck
somewhere between art (beautiful code) and pell-mell technological advance
in response to perceived needs or just for the heck of it, with the latter
ironically better done than the former.  Never mind what for - that's for
society to sort out.

My own thinking about malware (malicious or malevolent, but also malformed,
malignant and malappropriate) is that society gets what it deserves
irrespective of consciousness or lack thereof. The fact that most software
projects are examples of sloppiness, that security is almost always an
afterthought, and that zero-day exploits are a given, says that we are
complicit with the "bad guys" - whoever they are.  They are teaching us a
lesson - the same lesson, essentially, repeatedly, and we remain
unlearned. Worse than unlearned: unbothered.

Vulnerabilities or threats? Leveson and Young are correct. Focusing on
vulnerabilities, threats can, and ought to, be tested. And retested.
Knowing one's weaknesses has to be useful; benign neglect is so obviously
imprudent. This was my message anent teaching viruses, worms, trojans, and
other digital agents of devastation. It is, for obscure reasons, a message
that continues to be ignored. There is a strange predilection toward a force
majeure approach to best practices. When everyone is ignorant, ignorance is
excusable. Off the hook thanks to acts of God.

The holistic way recommended by the authors is destined, unfortunately, to
be overlooked. There are only so many hours in our busy days. And as I said,
thus far there are no remedies, the FTC does not know what to do, and a
regulatory agency dedicated to digital security is a political
impossibility. But let us keep trying.

------------------------------

Date: Sat, 8 Mar 2014 10:10:47 +1100
From: Paul Edwards <paule () cathicolla com>
Subject: Re: Threat Modeling: Designing for Security (Shostack, RISKS-27.79)

When it comes to measuring and communicating threats, the most ineffective
example in recent memory was the Homeland Security Advisory System -- which
was a color-coded terrorism threat advisory scale.  The system was rushed
into use and its output of colors was not clear.

This movie is quite old, but still resonates on a number of levels:

<http://www.zefrank.com/redalert/index_better.html>

------------------------------

Date: Mon, 17 Mar 2014 11:37:50 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: BOOK: Rebecca Slayton: Arguments That Count

Rebecca Slayton
Arguments That Count:
  Physics, Computing, and Missile Defense, 1949-2012
MIT Press, Cambridge Massachusetts and London England
xi+325 pp. (including 179 references and a copious 21-page index)
2013

This book is a delightful and remarkably insightful exploration how the
three topics in the subtitle were interrelated during the stated 63-year
time span.  It should be of considerable interest particularly to younger
people who might be wondering how we got to where we are technologically,
politically, economically, and otherwise (although some of us older folks
have lived through it, and are still likely to find many new nuggets they
did not know).  The book will also be very valuable to nontechnical folks of
all ages.  It is very readable.

It is also very well researched (although I found an error in the first full
paragraph on Page 168: `ARPA' should be `NSA', relating to something in
1973).

The table of contents lists these chapter titles:

1. Software and the Race against Surprise Attack
2. Framing an ``Appallingly Complex'' System
3. Complexity and the ``Art or Evolving Science'' of Software
4. ``No Technological Solution''
5. What Crisi?  Software in the ``Safeguard'' Debate
6. The Politics of Complex Technology
7. The Political Economy of Software Engineering
8. Nature and Technology in the Star Wars Debate
9. Conclusion: Complexity Unbound

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.80
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 27.80 RISKS List Owner (Mar 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]