
Risks Digest 27.81
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 22 Mar 2014 17:27:53 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 22 March 2014  Volume 27 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.81.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Turkish Censorship Increases (tkalama)
``We'll Eradicate Twitter,'' Turkey's Prime Minister Vows (NPR)
Turkey Twitter users flout Erdogan ban on micro-blogging site
  (Brian Randell)
Researchers discover credential-stealing Unix-based server botnet
  (Antone Gonsalves)
Prominent security mailing list Full Disclosure shuts down
  indefinitely (Lucian Constantin)
Snowden: Big revelations to come, reporting them is not a crime
  (David Rowan)
Bloomberg: Adobe Gift of Solar Phone Chargers Prompts U.S. Inquiry
  (Gabe Goldberg)
Pentagon Withholds Internal Report About Flawed $2.7 Billion Intel Program
  (Paul Saffo)
Microsoft Leak and Privacy (Lauren Weinstein)
Insider threat dynamics: "Ex-Microsoft employee arrested" (Alex Krutov)
Dan Geer's brilliant talk at RSA (Mark Seiden)
Integrated Formal Methods, iFM 2014 (Diego Latella)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 18 Mar 2014 09:55:47 +0200
From: tkalama <tkalama1 () gmail com>
Subject: Turkish Censorship Increases

  [This is the first of three items on this rapidly unfolding thread.  PGN]

Already having banned close to 40,000 web sites, the religious AKP
government is now taking further steps to increase the internet censorship
in Turkey.

This has been the result of the surfacing of many video and audio recordings
of the top government officials, including the prime minister himself,
taking bribes and laundering money ranging in the millions of dollars and
euros.  In one recording for example, just ahead of the recent police raid
at their prime minister's house, the prime minister's son is heard to talk
to his dad, mentioning that he already got rid of most of the money at home,
having a "mere 30 million euros" left at home to dispose of.

Anxious to prevent voters from learning about the governmental corruption
just ahead of the local elections, the government has hastily passed laws
for easier censoring of the internet.  The new laws will require all service
providers to keep complete records of the activities of all their customers
for at least two years, and will allow the government to block any web site
by just phoning the head of the internet commission that they have set up.

Typically this has so far been done by altering the DNS servers that the
service providers maintain, so that the "objectionable" site was not
reachable.  Many technically savvy users soon switched to alternative
DNS servers that provide the real information on such sites.  However, the
new censorship package mentions an IP-based block. In the world where a
single IP can service thousands of web sites, it remains to be seen how they
intend to do this.

So the country slips some more into the dark ages, just so that the
corruption remains hidden.

------------------------------

Date: Thu, 20 Mar 2014 17:06:54 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: ``We'll Eradicate Twitter,'' Turkey's Prime Minister Vows

  "Reeling from the anonymous release of audio that seems to implicate him
  in a corruption scandal, Turkey's Prime Minister Recep Tayyip Erdogan said
  his country would ban Twitter, no matter what the international community
  says."  http://j.mp/OFTxZA  (NPR / KUNM via NNSquad)

You'll recall he was a guest in Silicon Valley less than a year ago.

------------------------------

Date: March 21, 2014 at 6:56:38 AM EDT
From: "Brian Randell" <Brian.Randell () ncl ac uk>
Subject: Turkey Twitter users flout Erdogan ban on micro-blogging site
  (The Guardian via David Farber)

Turkish users of Twitter -- including the country's president -- have
flouted a block on the social media platform by using text messaging
services or disguising the location of their computers to continue posting
messages on the site.

Telecom regulators enforced four court orders to restrict access to Twitter
on Thursday night, just hours after the prime minister, Recep Tayyip
Erdogan, vowed to "eradicate" the micro-blogging platform in an election
speech.

The disruption followed previous government threats to clamp down on the
social media in Turkey and caused widespread outrage both inside and outside
of Turkey.  In a first reaction to the ban, Neelie Kroes, vice-president of
the EU commission, tweeted: "The Twitter ban in #Turkey is groundless,
pointless, cowardly. Turkish people and intl community will see this as
censorship. It is."

The hashtag #TwitterisblockedinTurkey quickly rose to the top trending term
globally.

Shortly after the Twitter ban came into effect around midnight, the
micro-blogging company tweeted instructions to users in Turkey on how to
circumvent it using text messaging services in Turkish and English. Turkish
tweeters were quick to share other methods of tiptoeing around the ban,
using "virtual private networks" (VPNs) -- which allow Internet users to
connect to the web undetected -- or changing the domain name settings on
computers and mobile devices to conceal their geographic whereabouts.

Some large Turkish news websites also published step-by-step instructions on
how to change DNS settings.

On Friday morning, Turkey woke up to lively birdsong: according to the
alternative online news site Zete.com, almost 2.5m tweets -- or 17,000
tweets a minute -- have been posted from Turkey since the Twitter ban went
into effect, thus setting new records for Twitter use in the country.

"Boss, my bird is still tweeting @RT_Erdogan," posted @Fakir_Bey. "And
yours?"

But it was not just critics of the government who took to Twitter after the
site was closed via a court order.

Ankara mayor Melih Gukcek, famous for his extensive and rather bullish use
of the micro-blogging site, was the first AK party politician to breach the
ban.  "I am able to tweet because my DNS settings allow it. That will
probably be banned tomorrow as well.  I hope that all those who are cursing
and using fake accounts will have learned their lesson," he tweeted, as usual
all in capitals.

The first cabinet member to post a tweet after the ban came into effect was
the deputy prime minister, Bulent Arinc, who informed his 1.34m followers of
an election rally in the city of Manisa. His message was retweeted more than
1,000 times in the first hour, causing much ridicule: "Oh dear, be careful,
Twitter has been banned by the 'national will'," replied academic and
journalist Ayse Cavdar. "Don't show up here. Otherwise the 'national will'
will close you down, too."

Meanwhile, deputy prime minister Ali Babacan said he expected the ban to be
temporary. "I don't think this will last too long. A mutual solution needs
to be found," Babacan told a local TV channel on Friday.

In a rare act of defiance, the Turkish president, Abdullah Gul, openly
criticised the ban -- via his Twitter account. "The shutdown of an entire
social platform is unacceptable," he tweeted. "Besides, as I have said many
times before, it is technically impossible to close down communication
technologies like Twitter entirely. I hope this measure will not last long."

Social media played a major role during last summer's anti-government
protest, prompting Erdogan to call Twitter "a menace to society".

Twitter has also been used to disseminate a series of incriminating audio
recordings revealing massive corruption inside the government.

Many expect more explosive revelations to be made via Twitter in the week
running up to local elections on 30 March. Two weeks ago Erdogan threatened
to ban both Facebook and Twitter, accusing social media users of abusing
these platforms for a "smear campaign" against his government.

http://www.theguardian.com/world/2014/mar/21/turkey-twitter-users-flout-ban-erdogan

Newcastle University, Newcastle upon Tyne, NE1 7RU   +44 191 222 7923
Brian.Randell () ncl ac uk  http://www.cs.ncl.ac.uk/people/brian.randell

  [Note: The version Brian sent has since been updated, so this is not the
  current version at the cited URL.  Also, I have trimmed the item just a
  little for RISKS, and eschewed Turkish diacritical marks.  PGN]

    [See also a similar article by Sebnem Arsu and Dan Bilefsky in *The New
    York Times*, 22 Mar 2014, p.6 in the National Edition.  PGN]

------------------------------

Date: Thu, 20 Mar 2014 13:48:53 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Researchers discover credential-stealing Unix-based server botnet
  (Antone Gonsalves)

Antone Gonsalves, InfoWorld, 20 Mar 2014
As many as 25,000 servers have been infected simultaneously with backdoor
Trojan used to steal credentials, send out spam, and redirect Web traffic
http://www.infoworld.com/d/security/researchers-discover-credential-stealing-unix-based-server-botnet-238687

opening text:

Cyber criminals are using sophisticated malware in compromising thousands of
Unix-based servers to spew spam and redirect a half million Web users to
malicious content per day, a security firm reported.

Dubbed Operation Windigo, the attack has been ongoing for more than two and
a half years and has compromised as many as 25,000 servers at one time,
anti-virus vendor ESET said Tuesday. Systems infected with the backdoor
Trojan are used in stealing credentials, redirecting Web traffic to
malicious content and sending as many as 35 million spam messages a day.

------------------------------

Date: Thu, 20 Mar 2014 13:46:42 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Prominent security mailing list Full Disclosure shuts down
  indefinitely (Lucian Constantin)

Lucian Constantin, InfoWorld, 19 Mar 2014
The administrator says he had enough after a member of the hacker
community tried to pressure him to remove unspecified content
http://www.infoworld.com/d/security/prominent-security-mailing-list-full-disclosure-shuts-down-indefinitely-238710

------------------------------

Date: Tuesday, March 18, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: Snowden: Big revelations to come, reporting them is not a crime
  (David Rowan)

Former leaker encourages companies to enable Web encryption.
David Rowan, Wired.co.uk, 18 Mar 2014
http://arstechnica.com/tech-policy/2014/03/snowden-big-revelations-to-come-reporting-them-is-not-a-crime/

This story originally appeared on Wired UK.

Edward Snowden made a surprise appearance on the TED stage in Vancouver
today -- using a Beam telepresence robot from "somewhere in Russia."

Snowden, in his second remote talk in eight days after an appearance at SXSW
Interactive in Texas, urged online businesses to encrypt their websites
immediately. "The biggest thing that an Internet company in America can do
today, right now, without consulting lawyers, to protect users of the
Internet around the world, is to enable Web encryption on every page you
visit," he said. "If you look at a copy of 1984 on Amazon, the NSA can see a
record of that, the Russians, the French can -- the world's library is
unencrypted. This is something we need to change, not just for Amazon -- all
companies need to move to an encrypted browsing habit by default."

Snowden said the leaks from his document cache would continue. "There are
absolutely more revelations to come," he said. "Some of the most important
[publishing] to be done is yet to come."

He argued against personalizing his own role in leaking the documents to
prompt debate. "Who I am really doesn't matter at all. If I'm the worst
person in the world, you can hate me and move on. What really matters is the
kind of Internet we want, the kind of relationship with society... I
wouldn't use words like hero or traitor. I'm an American and a citizen."

He said he struggled to find a way to leak the intelligence documents in as
responsible a way as he could. "We did a lot of good things in the
intelligence community. But there are also things that go too far...
decisions made in secret without the public's awareness, the public's
consent... When I really came to struggle with these issues, I thought to
myself, how can I do these things in the most responsible way?" That was
through responsible media. "The first amendment of the US constitution
guarantees us a free press -- to challenge the government but also to work
together with the government, without putting our national security at
risk. By working with journalists, by putting all of my information to the
American people, we've had a robust debate with a deep investment by the US
government, which is resulting in benefits for everyone." There has been no
evidence "of even a single incident" whereby the leaks have caused harm.

He said the NSA's PRISM program allowed the US government to "deputize
corporate America to do its dirty work for the NSA." "Much of the debate in
the US [about PRISM] is it's just [about collecting] metadata. PRISM is
about content. Even though some of these companies, Yahoo's one, challenged
them in court, they all lost -- they weren't tried by an open court but a
secret court. Fifteen federal judges have reviewed these programs and found
them to be lawful, but what they don't tell you is these are secret judges
in secret courts of law." These courts had received 34,000 requests to
access information and turned down just 11, he said. "These aren't the
people we want deciding what the role of corporate America should be." [...]

------------------------------

Date: Tue, 11 Mar 2014 11:18:48 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bloomberg: Adobe Gift of Solar Phone Chargers Prompts U.S. Inquiry

Bloomberg, 11 Mar 2014

Someone in Adobe Systems Inc.'s marketing department thought it would be a
good idea to send Pentagon personnel solar chargers for their mobile
phones. The result was a criminal investigation by the U.S. Navy.

To read the entire article, go to http://bloom.bg/1fmHfuR

------------------------------

Date: Wed, 19 Mar 2014 06:53:12 -0700
From: Paul Saffo <paul () saffo com>
Subject: Pentagon Withholds Internal Report About Flawed $2.7 Billion Intel
  Program

  [Long item, PGN-pruned for RISKS.]

http://www.foreignpolicy.com/articles/2014/03/18/exclusive_pentagon_withholds_report_2.7_billion_intel_program

Why won't senior officials show Congress evidence of a cheaper,
off-the-shelf alternative to the military's Afghan battlefield needs?

The Army has spent years defending a multibillion-dollar intelligence system
that critics say costs too much and does too little. A new internal report
has found that there's a simple, relatively inexpensive program that could
handle many of the same jobs at a fraction of the cost. For the past eight
months, though, the Pentagon has kept the report hidden away.

Members of Congress have been asking Defense Department officials to send
them the assessment, a copy of which was obtained by Foreign Policy, but the
Pentagon has yet to do so. At issue is the Army's Distributed Common Ground
System, expected to cost nearly $11 billion over 30 years and built by a
consortium of major Beltway contractors, including Raytheon, Northrop
Grumman, Lockheed Martin, and General Dynamics. The system is meant to give
troops on the ground an easy way to collect intelligence about terrorists
and enemy fighters, and then create detailed reports and maps that they can
share with each other to plan and conduct operations. But critics -- and
even some troops -- have long complained that the system doesn't actually
work. They say it's too slow and hard to use, and that it has left them
searching for alternatives in the war zone.

The system's high cost and technical failings prompted a search for other
options. Palantir Technologies, a fast-growing Silicon Valley firm, told the
Pentagon that its off-the-shelf systems could accomplish most of the same
tasks but cost far less -- millions, rather than billions. The Marine Corps,
Special Operations forces, the CIA, and a host of other government agencies
already use it. Army officials, though, said Palantir wasn't up to the
job. Now, a 57-page report by the Pentagon's acquisitions arm basically says
the Army was wrong to dismiss the Palantir system. The study instead gives
Palantir high marks on most of the Army's 20 key requirements for the
intelligence system, including the ability to analyze large amounts of
information, including critical data about terrorist networks and the
locations of explosive devices, and synchronize it in a way that helps
troops on the ground combat their enemies more effectively.

Palantir "can be utilized to partially meet DCGS-A requirements," the report
concludes, using the acronym for the Distributed Common Ground System.

The report is likely to sharpen concerns about the Distributed Common Ground
System, which has been facing mounting criticism on Capitol Hill.  Rep. Jim
Moran (D-Va.), one of many long-time detractors, had asked the Pentagon for
its findings as recently as last month.

"It's a scandal that commercially available, battlefield-proven technology
is ready to go at a fraction of the billions of dollars the Pentagon is
spending to build a similar analysis tool in-house," Moran said in a
statement to FP. "I appreciate [Under Secretary of Defense for Acquisition,
Technology and Logistics] Frank Kendall taking this issue seriously, and
look forward to hopefully resolving it once and for all when the long
overdue report's findings are finally released."

The report, commissioned roughly one year ago, won't deal a fatal blow to
the controversial Army program. But it raises new questions about why the
service is wedded to its own system and why officials have been so quick to
dismiss Palantir's capabilities, especially at a time when the Pentagon's
budget is shrinking and Congress is pressing Defense Department officials to
find ways of saving money.  [...]

------------------------------

Date: March 19, 2014 at 13:56:12 EDT
From: "John F. McMullen" <johnmac13 () gmail com>
Subject: L. Gordon Crovitz: America's Internet Surrender

  [John McMullen via Dewayne Hendricks via Dave Farber.  I'm on John's list
  for other items, but apparently not for stuff he sends to Dewayne.  PGN]

I agree with the content of the article and, as is most often the case,
everything my friend the erudite Esther Dyson says (she's quoted in the
piece).  It seems to me that we must arouse public opinion, most importantly
in the technology and media sectors, and bring pressure to this surrender.
The ITU sanctioning of the cutting off of Internet access by repressive
governments is outrageous -- it's one thing to recognize that it exists
(Putin just showed us that it does); it's another thing to legitimize it --
the US cannot be a party to this.  -- john

OPINION
L. Gordon Crovitz, America's Internet Surrender;
By unilaterally retreating from online oversight, the White House pleased
regimes that want to control the Web.
18 Mar 2014

http://online.wsj.com/news/articles/SB10001424052702303563304579447362610955656

The Internet is often described as a miracle of self-regulation, which is
almost true. The exception is that the United States government has had
ultimate control from the beginning. Washington has used this oversight only
to ensure that the Internet runs efficiently and openly, without political
pressure from any country.

This was the happy state of affairs until last Friday, when the Obama
administration made the surprise announcement it will relinquish its
oversight of the Internet Corporation for Assigned Names and Numbers, or
Icann, which assigns and maintains domain names and Web addresses for the
Internet. Russia, China and other authoritarian governments have already
been working to redesign the Internet more to their liking, and now they
will no doubt leap to fill the power vacuum caused by America's unilateral
retreat.

Why would the U.S. put the open Internet at risk by ceding control over
Icann? Administration officials deny that the move is a sop to critics of
the National Security Agency's global surveillance. But many foreign leaders
have invoked the Edward Snowden leaks as reason to remove U.S.
control -- even though surveillance is an entirely separate topic from
Internet governance.

According to the administration's announcement, the Commerce Department
will not renew its agreement with Icann, which dates to 1998. This means,
effective next year, the U.S. will no longer oversee the "root zone file,"
which contains all names and addresses for websites world-wide. If
authoritarian regimes in Russia, China and elsewhere get their way, domains
could be banned and new ones not approved for meddlesome groups such as
Ukrainian-independence organizations or Tibetan human-rights activists.

Until late last week, other countries knew that Washington would use its
control over Icann to block any such censorship. The U.S. has protected
engineers and other nongovernment stakeholders so that they can operate an
open Internet. Authoritarian regimes from Moscow to Damascus have cut off
their own citizens' Internet access, but the regimes have been unable to
undermine general access to the Internet, where no one needs any
government's permission to launch a website. The Obama administration has
now endangered that hallmark of Internet freedom.

The U.S. role in protecting the open Internet is similar to its role
enforcing freedom of the seas. The U.S. has used its power over the Internet
exclusively to protect the interconnected networks from being closed off,
just as the U.S. Navy protects sea lanes. Imagine the alarm if America
suddenly announced that it would no longer patrol the world's oceans.

The Obama administration's move could become a political issue in the U.S.
as people realize the risks to the Internet. And Congress may have the
ability to force the White House to drop its plan: The general counsel of
the Commerce Department opined in 2000 that because there were no imminent
plans to transfer the Icann contract, "we have not devoted the possibly
substantial staff resources that would be necessary to develop a legal
opinion as to whether legislation would be necessary to do so."

Until recently, Icann's biggest controversy was its business practice of
creating many new domains beyond the familiar .com and .org to boost its
revenues. Internet guru Esther Dyson, the founding chairwoman of Icann
(1998-2000), has objected to the imposition of these unnecessary costs on
businesses and individuals. That concern pales beside the new worries raised
by the prospect of Icann leaving Washington's capable hands. "In the end,"
Ms. Dyson told me in an interview this week, "I'd rather pay a spurious tax
to people who want my money than see [Icann] controlled by entities who want
my silence."

Icann has politicized itself in the past year by lobbying to end U.S.
oversight, using the Snowden leaks as a lever. The Icann chief executive,
Fadi Chehade', last fall called for a global Internet conference in April
to be hosted by Brazilian President Dilma Rousseff. Around that time, Ms.
Rousseff, who garnered headlines by canceling a White House state dinner
with President Obama, reportedly to protest NSA surveillance of her and her
countrymen, also denounced U.S. spying in a speech at the United Nations.
Mr. Chehade' said of the speech: "She spoke for all of us that day."

The Obama administration has played into the hands of authoritarian
regimes. In 2011, Vladimir Putin -- who, as Russia took over Crimea in recent
days, shut down many online critics and independent media -- set a goal of
"international control over the Internet."

In the past few years, Russia and China have used a U.N. agency called the
International Telecommunication Union to challenge the open Internet. They
have lobbied for the ITU to replace Washington as the Icann overseer. They
want the ITU to outlaw anonymity on the Web (to make identifying dissidents
easier) and to add a fee charged to providers when people gain access to
the Web "internationally" -- in effect, a tax on U.S.-based sites such as
Google  and Facebook. The unspoken aim is to discourage global Internet
companies from giving everyone equal access.

The Obama administration was caught flat-footed at an ITU conference in 2012
stage-managed by authoritarian governments. Google organized an online
campaign against the ITU, getting three million people to sign a petition
saying that "a free and open world depends on a free and open web." Former
Obama aide Andrew McLaughlin proposed abolishing the ITU, calling it "the
chosen vehicle for regimes for whom the free and open Internet is seen as an
existential threat." Congress unanimously opposed any U.N. control over the
Internet.

But it was too late: By a vote of 89-55, countries in the ITU approved a
new treaty granting authority to governments to close off their citizens'
access to the global Internet. This treaty, which goes into effect next
year, legitimizes censorship of the Web and the blocking of social media.
In effect, a digital Iron Curtain will be imposed, dividing the 425,000
global routes of the Internet into less technically resilient pieces.

The ITU is now a lead candidate to replace the U.S. in overseeing Icann.
The Commerce Department says it doesn't want to transfer responsibility to
the ITU or other governments, but has suggested no alternative. Icann's CEO,
Mr. Chehadé, told reporters after the Obama administration's announcement
that U.S. officials are "not saying that they'd exclude governments --
governments are welcome, all governments are welcome."

Ms. Dyson calls U.N. oversight a "fate worse than death" for the Internet.

The alternative to control over the Internet by the U.S. is not the
elimination of any government involvement. It is, rather, the involvement
of many other governments, some authoritarian, at the expense of the U.S.
Unless the White House plan is reversed, Washington will hand the future of
the Web to the majority of countries in the world already on record hoping
to close the open Internet.

Mr. Crovitz, a former publisher of The Wall Street Journal, writes the
weekly Information Age column.

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Thu, 20 Mar 2014 21:25:51 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Microsoft Leak and Privacy

Microsoft Software Leak Inquiry Raises Privacy Issues

  Microsoft accused the former employee of stealing company trade secrets in
  the form of software code for the Windows operating system, and leaking
  the software to a blogger. In an investigation, the company figured out
  who revealed the information by reading the emails and instant messages of
  the blogger on his Microsoft-operated Hotmail and message accounts.
http://j.mp/1ikJROA  (*The New York Times* via NNSquad)

Microsoft Says It Will Tighten Policies for Searching Hotmail, Outlook.com

  Microsoft said late Thursday that it will "evolve" its policies for
  searching through non-employee Hotmail and Outlook.com mail accounts in
the wake of concern over its practices.  The company has come under fire
  after revelations it searched the account of a blogger to whom company
  information was leaked. http://j.mp/NyXaPU  (Recode via NNSquad)

------------------------------

Date: Fri, 21 Mar 2014 16:56:20 -0400
From: "Alex Krutov" <alex.krutov () gmail com>
Subject: Insider threat dynamics: "Ex-Microsoft employee arrested"

Microsoft security software for product key validation was part of the
intellectual property allegedly leaked by a Lebanon-based Microsoft employee
to a blogger in France.  The ex-employee was arrested in Seattle this week.

"[He is] also alleged to have stolen Microsoft's 'Activation Server Software
Development Kit,' a proprietary system used to prevent the unauthorized
copying of Microsoft programs.  Speaking with the FBI, a Microsoft manager
said the software development kit 'could help a hacker trying to reverse
engineer the code' used to protect against software piracy, according to
charging papers.  Microsoft came to believe Kibkalo encouraged the blogger
to share it online so others could crack protections on Microsoft products,
the FBI agent said in charging papers unsealed Wednesday."
(http://www.seattlepi.com/local/article/Ex-Microsoft-employee-charged-with-passing-5331715.php)

That's in addition to the alleged leak of the Win 8 code.  Here is an
excerpt from a chat between the MSFT employee A. Kibkalo, PhD and the French
blogger (from the FBI report in the federal complaint
http://seattletimes.wpengine.netdna-cdn.com/microsoftpri0/files/2014/03/Kibkalo-complaint.pdf):

Kibkalo: I would leak enterprise today probably

Blogger: Hmm -- are you sure you want to do that? lol

Kibkalo: why not?

Blogger: 1st time I speak with a "real" leaker since Zuko era

Kibkalo: Mm -- To be honest, in nwin7_rtm and nwin7_sp1 I leaked 250GB :)

MSFT relied on the terms of use to access the content of the blogger's
hotmail account and didn't get a subpoena.

------------------------------

Date: Thursday, March 6, 2014
From: *Mark Seiden* <mis () seiden com>
Subject: Dan Geer's brilliant talk at RSA

  [via Dave Farber]

http://geer.tinho.net/geer.rsa.28ii14.txt

my favorite quote, so far:

"We know, and have known for some time, that traffic analysis is more
powerful than content analysis.  If I know everything about to whom you
communicate including when, where, with what inter-message latency, in what
order, at what length, and by what protocol, then I know you.  If all I have
is the undated, unaddressed text of your messages, then I am an
archaeologist, not a case officer.  The soothing mendacity of proxies for
the President saying "It's only metadata" relies on the ignorance of the
listener.  Surely no one here is convinced by "It's only metadata" but let
me be clear: you are providing that metadata and, in the evolving definition
of the word "public," there is no fault in its being observed and retained
indefinitely.  Harvard Law professor Jonathan Zittrain famously noted that
if you preferentially use online services that are free, "You are not the
customer, you're the product."  Why?  Because what is observable is
observed, what is observed is sold, and users are always observable, even
when they are anonymous."

------------------------------

Date: Tue, 18 Mar 2014 11:09:39 +0100
From: Diego Latella <Diego.Latella () isti cnr it>
Subject: Integrated Formal Methods, iFM 2014

CALL FOR PAPERS [Trimmed for RISKS. PGN]

11th International Conference on integrated Formal Methods, iFM 2014

Co-located with the 11th International Symposium on Formal Aspects of
Component Software, FACS 2014
September 9 -- 12, 2014, Bertinoro, Italy
http://ifm2014.cs.unibo.it

IMPORTANT DATES
- Abstract Submission: April 17, 2014
- Paper submission: April 25, 2014
- Paper notification: June 6, 2014
- Final version paper: June 27, 2014

OBJECTIVES AND SCOPE
Applying formal methods may involve modeling different
aspects of a system which are best expressed using different formalisms.
Correspondingly, different analysis techniques may be used to examine
different system views, different kinds of properties, or simply in order to
cope with the sheer complexity of the system. The iFM conference series
seeks to further research into hybrid approaches to formal modeling and
analysis; i.e., the combination of (formal and semi-formal) methods for
system development, regarding modeling and analysis, and covering all
aspects from language design through verification and analysis techniques to
tools and their integration into software engineering practice.

Areas of interest include but are not limited to:

- Formal and semiformal modeling notations;
- Integration of formal methods into software engineering practice;
- Refinement;
- Theorem proving;
- Tools;
- Logics;
- Model checking;
- Model transformations;
- Semantics;
- Static Analysis;
- Type Systems;
- Verification;
- Case Studies;
- Experience reports

CONFERENCE LOCATION
iFM 2014 is organized by the University of Bologna and will take place at
the Centro Residenziale Universitario in Bertinoro, a small medieval hilltop
town 50km east of Bologna.

INVITED SPEAKERS
iFM 2014 will have the following keynote speakers jointly with FACS 2014:
- Rocco De Nicola (IMT Lucca)
- Sophia Drossopoulou (Imperial College)
- Jean-Bernard Stefani (INRIA)
- Helmut Veith (TU Wien)

WORKSHOPS
There are four workshops on two days, on September 9 and September 12, 2014;
iFM takes place September 9 -- 11, FMCO takes place September 10 -- 12:
- Harnessing Theories for Tool Support in Software (TTSS)
- Logics and Model-checking for Self-* Systems (MOD*)
- Tools and Methods for Cyber-Physical Systems of Systems
- ENVISAGE Contracts for SLAs
Further information is on the web site.

SUBMISSION GUIDELINES [see the website]
https://www.easychair.org/account/signin.cgi?conf=ifm2014

GENERAL CHAIR
- Gianluigi Zavattaro, University of Bologna, Italy

iFM PROGRAMME COMMITTEE CHAIRS:
- Elvira Albert, Complutense University of Madrid, Spain
- Emil Sekerinski, McMaster University, Canada

FMCO and iFM WORKSHOP CHAIR
- Elena Giachino, University of Bologna, Italy

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.81
************************