Risks Digest 27.75
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 21 Feb 2014 14:28:32 PST

RISKS-LIST: Risks-Forum Digest  Friday 21 February 2014  Volume 27 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.75.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
United Airlines Can't Seem to Keep Its Computers and Systems Running
  (Jonathan B Spira)
Oregon voter registration database hacked, then offline for 10 days
  (Michael Lloyd and Yuxing Zheng)
Legend EMR (Richard I Cook)
The Snowden privacy panic has spread to medical research (Tom Gray)
Spy Chief Says Snowden Took Advantage of Perfect Storm ...
  (David E. Sanger and Eric Schmitt)
'TheMoon' worm infects Linksys routers (Lucian Constantin via Gene Wirchenko)
"Well.ca loses customer credit card data in security breach" (Candice So)
New Silk Road hit with $2.6 million heist due to known Bitcoin flaw
  (Cyrus Farivar)
The furniture is watching you (Mark Thorson)
Smarter caller-id spoofing (Tony Luck)
Cryptography Breakthrough Could Make Software Unhackable (WiReD)
Venezuela's Internet Crackdown Escalates into Regional Blackout (EFF)
Bing censoring Chinese language search results for users in the US
  (*The Guardian*)
Israel Electric Opens Cyber-War Room to Defend Against Power-Grid Hacks
  (Gwen Ackerman)
DARPA Thinks the Future of Surveillance Looks Like Siri (Patrick Tucker
  via ACM TechNews)
Because of DRM, The Entire Copyright Monopoly Legislation is a Lie
  (Rick Falkvinge via Dewayne Hendricks)
Why is the US a decade behind Europe on 'chip & pin' cards? (Jeremy Ardley)
Re: NSF: 1/4 of Americans think sun goes 'round the earth... (Andy Walker)
American science education (Rich Schroeppel)
Re: High School educated Air Traffic Controllers (Steve Lamont)
David Cole: "Can Privacy Be Saved?" (Bruce Schneier)
GPS / GNSS vulnerabilities (Martyn Thomas)
Re: GPS pioneer warns on network's security (Bob Frankston)
UK is expanding their screwed up mandated porn filters to include
  more topics they can screw up (Lauren Weinstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wednesday, February 19, 2014
From: *Jonathan B Spira* <jspira () basex com>
Subject: United Airlines Can't Seem to Keep Its Computers and Systems Running

  [Via Dave Farber]

United Airlines Reservation System Crashes (Again)
<http://www.frequentbusinesstraveler.com/2014/02/united-airlines-reservation-system-crashes-again/>
http://accura.cc/59hctv

"United Airlines' computer systems failed Wednesday [19 Feb 2014] morning
and the problem caused significant disruptions for passengers who had
planned travel on the airline.

A spokesman for the airline said that its Shares passenger service system
failed at 9 a.m. Eastern Time.  The disruption lasted approximately 30
minutes but it was followed by sporadic failures that continued throughout
the morning. ..."

------------------------------

Date: Mon, 17 Feb 2014 13:07:14 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Oregon voter registration database hacked, then offline for 10 days
  (Michael Lloyd and Yuxing Zheng)

Michael Lloyd and Yuxing Zheng, *The Oregonian*
Oregon Secretary of State Kate Brown warned businesses Thursday about a
fraudulent invoice making the rounds.
http://www.oregonlive.com/politics/index.ssf/2014/02/frustrations_mount_as_oregon_s.html

Frustrations are mounting more than a week after a breach of the Oregon
secretary of state's website caused elections and business databases to go
offline. State officials say they're still investigating how the intrusion
from a foreign entity occurred and don't know when the databases will
return.

The attack "appears to be an orchestrated intrusion from a foreign entity
and not the result of any employee activities," the agency reported on its
website this week.

The department's Central Business Registry and ORESTAR, the state's online
campaign finance reporting system, were temporarily taken offline as a
precaution after officials detected "an intrusion" around 4 Feb. Since
then, business attorneys haven't been able to look up existing business
names, and campaign finance officials have not been able to report
transactions.

The outage could lead to missed deadlines and increased costs for businesses
as attorneys spend extra time filing documents, said Shawn Lindsay, a
business attorney and a Republican former state representative.

The breach also raises questions about the security of the agency's other
databases, including the voters database, which contains personal
information that isn't publicly available, Lindsay said.

The voters database is on a separate server and was not affected by last
week's breach, state officials say. Credit card data is also safe.

------------------------------

Date: Sat, 8 Feb 2014 10:34:51 +0100
From: Richard I Cook MD <ricookmd () gmail com>
Subject: Legend EMR

In my most recent Velocity talk I made the point that applications gradually
take on safety implications as their use becomes wider and they become more
integrated into work. This is surely true for the Electronic Medical Records
and will become true for many applications now considered `nice' or `useful'
-- i.e., nonessential.  Although not directed towards a safety goal (and
therefore exempt from the usual requirements for devices intended to make or
assure safety) useful artifacts gradually insinuate themselves into
operations that are themselves essentially risky. It is then that their
safety-ness becomes apparent.

Unfortunately, the shift in use is not accompanied by reliability
improvements. It is the same COTS stuff at the end as the beginning.

The reaction of those responsible to accomplish the tasks that the apps do
will be to develop low-cost and easily-deployed means to accomplish the
functions when the IT doesn't work. Much of this is in the form of paper:
Copies of schedules, copies of availability, printed versions of planning
guides are easy to maintain and cost very little.

------------------------------

Date: February 7, 2014 at 7:56:56 PM EST
From: Tom Gray <tom_gray_grc () yahoo com>
Subject: The Snowden privacy panic has spread to medical research

  [Via Dave Farber's IP list]

The Snowden privacy panic has spread to medical research. This is a problem.
*The Daily Telegraph*
http://blogs.telegraph.co.uk/technology/marthagilltech/100012335/the-snowden-privacy-panic-has-spread-to-medical-research-this-is-a-problem/

Since the Snowden revelations everyone has been panicking about privacy.
Google, Twitter, Facebook and Yahoo are racing to show users how well they
can protect their data. Government contractors are double-scrutinising new
hires and encrypting everything in sight. But there's about to be one
cautious move too many, and it's a serious threat to medical research.

The European Parliament is proposing a new law which will effectively
illegalise a NHS database of patient records, along with many large research
projects. The idea had been kicking around for a while, but progress ground
to a halt last year. After Snowden though, the kicking enthusiastically
returned.

------------------------------

Date: Wed, 12 Feb 2014 03:39:30 -0500
From: David Farber <farber () gmail com>
Subject: Spy Chief Says Snowden Took Advantage of Perfect Storm ...
  (David E. Sanger and Eric Schmitt)

David E. Sanger and Eric Schmitt, *The New York Times*, 11 Feb 2014
http://www.nytimes.com/2014/02/12/us/politics/spy-chief-says-snowden-took-advantage-of-perfect-storm-of-security-lapses.html?hp&_r=0

WASHINGTON -- The director of national intelligence acknowledged Tuesday
that nearly a year after the contractor Edward J. Snowden `scraped' highly
classified documents from the National Security Agency's networks, the
technology was not yet fully in place to prevent another insider from
stealing top-secret data on a similarly large scale.

The director, James R. Clapper Jr., testifying before the Senate Armed
Services Committee, said Mr. Snowden had taken advantage of a `perfect
storm' of security lapses. He also suggested that as a highly trained
systems administrator working for Booz Allen Hamilton, which provides
computer services to the agency, Mr. Snowden knew how to evade the
protections in place.

``He knew exactly what he was doing,'' Mr. Clapper said. ``And he was
pretty skilled at staying below the radar, so what he was doing wasn't
visible.''

But Mr. Clapper confirmed the outlines of a New York Times report that the
former N.S.A. contractor had used a web crawler, a commonly available piece
of software, to sweep up a huge trove of documents.

Mr. Clapper also said, for the first time, that some of the information
Mr. Snowden is believed to possess could expose the identities of undercover
American operatives as well as foreigners who have been recruited by United
States spy agencies. The information Mr. Snowden has released so far through
several newspapers and a new digital news organization that began publishing
on Monday has not revealed the names of agents or operatives, and it is
unclear how much of that information he took with him when he fled the
United States.  [Truncated for RISKS...]

------------------------------

Date: Tue, 18 Feb 2014 09:43:38 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "'TheMoon' worm infects Linksys routers" (Lucian Constantin)

Lucian Constantin, InfoWorld, 18 Feb 2014
A self-replicating program infects Linksys routers by exploiting an
authentication bypass vulnerability
http://www.infoworld.com/d/security/themoon-worm-infects-linksys-routers-236404

------------------------------

Date: Wed, 19 Feb 2014 09:50:23 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Well.ca loses customer credit card data in security breach"
  (Candice So)

Candice So, *IT Business*, 18 Feb 2014
http://www.itbusiness.ca/news/well-ca-loses-customer-credit-card-data-in-security-breach/46993

selected text:

In an e-mail to its customers today, Well.ca said one of its service
providers was "illegally compromised" between 22 Dec 2013 and 7 Jan 2014.
...  The service provider then informed Well.ca about two weeks ago [a delay
of about one month], and Well.ca got further confirmation about the breach
from its credit card provider less than a week ago.

------------------------------

Date: Sun, 16 Feb 2014 18:51:29 -0800
From: Gene Wirchenko <genew () telus net>
Subject: New Silk Road hit with $2.6 million heist due to known Bitcoin flaw
  (Cyrus Farivar)

Cyrus Farivar, Ars Technica, 14 Feb 2014
"Transaction malleability," which worried Mt. Gox and Bitstamp, strikes again.
http://arstechnica.com/security/2014/02/new-silk-road-hit-with-2-6-million-heist-due-to-known-bitcoin-flaw/
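The Ars headline names "transaction malleability" without explaining it. The block below is an added example, not code from Ars Technica, from Silk Road, or from any Bitcoin implementation: it implements textbook ECDSA over secp256k1 in plain Python, signs a constructed stand-in for a transaction, and shows that replacing s with n - s yields a second signature that still verifies under the same key and message while the hash over the serialised transaction (the "txid") changes. The private key, nonce and transaction bytes are constants invented for the example, the serialisation is a stand-in rather than real Bitcoin wire format, and `is_low_s` is the low-S normalisation proposed in BIP62 that later became relay policy in Bitcoin Core to close this specific malleation.

```python
"""ECDSA signature malleability on secp256k1 (added example, not from the
article or from Bitcoin's own code). The 'transaction' is a constructed byte
string and the key/nonce are fixed constants so the run is reproducible."""
import hashlib

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def sign(priv, z, k):
    """Textbook ECDSA; k is the per-signature nonce (fixed here only for reproducibility)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def verify(pub, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def malleate(sig):
    """(r, N - s) verifies for the same key and message: the verifier computes
    the negated point, whose x coordinate is unchanged."""
    r, s = sig
    return (r, N - s)


def is_low_s(sig):
    """Low-S rule (BIP62): accept only s <= N/2, so exactly one of the pair is valid."""
    return sig[1] <= N // 2


def txid(tx_body, sig):
    """Constructed stand-in for a txid: double-SHA256 over body plus signature bytes."""
    r, s = sig
    return sha256d(tx_body + r.to_bytes(32, "big") + s.to_bytes(32, "big")).hex()


# Constructed inputs (not a real key, nonce or transaction)
PRIV = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
PUB = ec_mul(PRIV, G)
TX_BODY = b"constructed-tx:inputs=...;outputs=1BTC->merchant"
Z = int.from_bytes(sha256d(TX_BODY), "big") % N
K = 0x2A  # fixed nonce for reproducibility; never reuse a nonce when signing for real


def demo():
    sig = sign(PRIV, Z, K)
    alt = malleate(sig)
    return {
        "orig_valid": verify(PUB, Z, sig),
        "alt_valid": verify(PUB, Z, alt),
        "txids_differ": txid(TX_BODY, sig) != txid(TX_BODY, alt),
        "low_s_accepts_exactly_one": is_low_s(sig) != is_low_s(alt),
    }


if __name__ == "__main__":
    print(demo())
```

The practical damage comes from bookkeeping keyed on txid: a third party rebroadcasts the malleated copy, that copy confirms, the original is then rejected as a double spend, and a system that only watches for "our txid" sees a payment that never confirmed and may pay again. The check at the receiving end is to track spent outputs rather than txids, and to emit only low-S signatures so a relayed variant is non-standard.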

------------------------------

Date: Wed, 19 Feb 2014 14:57:50 -0800
From: Mark Thorson <eee () sonic net>
Subject: The furniture is watching you

Another company, Steelcase, which puts sensors in office furniture and
buildings to see how workers interact, thinks the real opportunity for
workplace monitoring is far from the call-centre floor -- in opaque
creative departments and even boardrooms, where time is especially precious.

David Lathrop, its director of research and strategy, says the sensors are
now so cheap they can be put "practically everywhere", arguing that
employees could benefit by tracking their own performance.  Improving the
productivity of top executives "has a disproportionate effect on the
company", he adds.

http://www.ft.com/cms/s/2/d56004b0-9581-11e3-9fd6-00144feab7de.html

------------------------------

Date: Thu, 20 Feb 2014 18:20:35 +0000
From: "Luck, Tony" <tony.luck () intel com>
Subject: Smarter caller-id spoofing

My cell phone just rang with caller-id announcing that it was my teenage
daughter. I answered in a rush because being a typical teenager she would
rather use any other method of communication rather than a voice call - so I
figured it must be urgent.

It wasn't. It wasn't even her. It was the "Card Holder Services" spammers
saying they wanted to reduce my interest rates.

But the question is - How did they decide spoof her number when calling me?

Possibly they managed to scrape her "contacts" from her phone using some
rogue application?

Perhaps they have scraped the caller-id database and noticed that we have
phone numbers close together and the same last name?

However they did it - the value of caller-id when deciding whether to take a
call just hit zero.

------------------------------

Date: Mon, 3 Feb 2014 15:10:39 -0800
From: Lauren Weinstein <privacy () vortex com>
Subject: Cryptography Breakthrough Could Make Software Unhackable

  "Secure program obfuscation would be useful for many applications, such as
  protecting software patches, obscuring the workings of the chips that read
  encrypted DVDs, or encrypting the software controlling military
  drones. More futuristically, it would allow people to create autonomous
  virtual agents that they could send out into the computing "cloud" to act
  on their behalf. If, for example, you were heading to a remote cabin in
  the woods for a vacation, you could create and then obfuscate a computer
  program that would inform your boss about e-mails you received from an
  important client, or alert your sister if your bank balance dropped too
  low. Your passwords and other secrets inside the program would be safe."
    http://j.mp/1dZ6bHP  (*WiRed*)

 - - -

And so handy to hide viruses, spies, and other evil in, too!

------------------------------

Date: Thu, 20 Feb 2014 20:04:38 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Venezuela's Internet Crackdown Escalates into Regional Blackout

http://j.mp/1oYIQ29  (EFF via NNSquad)

  "For the last month, Venezuela has been caught up in widespread protests
  against its government. The Maduro administration has responded by
  cracking down on what it claims as being foreign interference online. As
  that social unrest has escalated, the state's censorship has widened: from
  the removal of television stations from cable networks, to the targeted
  blocking of social networking services, and the announcement of new
  government powers to censor and monitor online. Last night, EFF received
  reports from Venezuelans of the shutdown of the state Internet provider in
  San Cristóbal, a regional capital in the west of the country."

------------------------------

Date: Tue, 11 Feb 2014 15:53:04 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Bing censoring Chinese language search results for users in the US

http://j.mp/1m4Epns  (*The Guardian* via NNSquad)

  "Microsoft's search engine Bing appears to be censoring information for
  Chinese language users in the US in the same way it filters results in
  mainland China.  Searches first conducted by anti-censorship campaigners
  at FreeWeibo, a tool that allows uncensored search of Chinese blogs, found
  that Bing returns radically different results in the US for English and
  Chinese language searches on a series of controversial terms.  These
  include Dalai Lama, June 4 incident (how the Chinese refer to the
  Tiananmen Square protests of 1989), Falun Gong and FreeGate, a popular
  Internet workaround for government censorship."

------------------------------

Date: Fri, 21 Feb 2014 11:57:22 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Israel Electric Opens Cyber-War Room to Defend Against Power-Grid
  Hacks (Gwen Ackerman)

Gwen Ackerman, Bloomberg, 19 Feb 2014
http://www.bloomberg.com/news/2014-02-19/israel-electric-opens-cyber-war-room-to-defend-against-power-grid-hacks.html

Israel's main power company opened a cyber "war room" this week to defend
its systems around the clock from hackers. Technicians at Israel Electric
will monitor as many as 400 million cyber-attacks and hacking attempts a
day.

"There are hundreds of thousands of attempts to infiltrate Israel Electric's
networks every day," Israel Electric Chairman Yiftach Ron-Tal said in an
e-mailed statement yesterday. "We are talking here about a threat on a
national level."

Prime Minister Benjamin Netanyahu has said that one goal of his government
is to turn Israel into a world leader in cyber-technologies.  In 2012,
Netanyahu formed the National Cyber Bureau, which said last month that it
plans to establish an emergency-response team for cyber-attacks. President
Shimon Peres has spent the last month making public appearances to promote
Israeli technology, including cyber-security.

In the past three years, the country's cyber-security industry has grown
from a few dozen companies to about 220 that have raised more than $400
million, according to the Tel Aviv-based IVC Research Center. Twenty
multinational companies now operate online-security development centers in
Israel. [...]

------------------------------

Date: Mon, 10 Feb 2014 11:47:01 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: DARPA Thinks the Future of Surveillance Looks Like Siri

Patrick Tucker, *Defense One*, 6 Feb 2014

U.S. Defense Advanced Research Projects Agency (DARPA) Information
Innovation Office director Dan Kaufman says an innovation gap exists as the
private sector advances in areas in which the government was once primarily
responsible for research breakthroughs.  Kaufman hopes to close that gap,
and notes that DARPA has made its most recent big data research effort part
of the DARPA Open Catalog, which aims to open more of the agency's software
and science research to the public.  For example, he says improved
encryption can help provide both privacy and security.  "What if there was a
way to collect the data but encrypt it so that people couldn't use it in a
way that wasn't approved?" Kaufman asks.  In the future, spying on data will
be more difficult even as data proliferates across multiple channels, says
Kaufman, pointing to DARPA's PROCEED program, which successfully
demonstrated fully homomorphic encryption for cloud environments, previously
thought to be impossible.  DARPA also will use advanced machine learning to
help the Defense Department manage threats, enabling security experts to
interact with an algorithm that learns what to look for and improves results
through continued interaction.
http://www.defenseone.com/technology/2014/02/darpa-thinks-future-surveillance-looks-siri/78419/?oref=d-interstitial-continue
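Kaufman's "collect the data but encrypt it so that people couldn't use it in a way that wasn't approved" is the homomorphic-encryption idea in one sentence. The block below is an added example, not code from Defense One, from DARPA or from the PROCEED programme: it uses Paillier, which is only additively homomorphic (a far weaker relative of the fully homomorphic schemes the article refers to), to let an aggregator sum encrypted readings without being able to read any single one, while only the key holder can decrypt the total. The two primes are toy-sized constants chosen for readability and give no real security; the readings are constructed.

```python
"""Additively homomorphic encryption (Paillier): sum encrypted records without
decrypting any of them. Added example; parameters are toy-sized constants."""
from math import gcd
import secrets

# Constructed toy primes; real deployments use moduli of 2048 bits or more
P_PRIME = 1000003
Q_PRIME = 1000033


def keygen(p, q):
    """Public key (n, g) with g = n + 1; private key (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow(lam, -1, n)   # with g = n + 1, L(g^lam mod n^2) == lam mod n
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """c = g^m * r^n mod n^2; fresh random r makes equal plaintexts unlinkable."""
    n, g = pub
    assert 0 <= m < n
    if r is None:
        while True:
            r = secrets.randbelow(n)
            if r > 0 and gcd(r, n) == 1:
                break
    n2 = n * n
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(priv, pub, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n) * mu % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts adds the plaintexts."""
    n, _ = pub
    return c1 * c2 % (n * n)


def scale_encrypted(pub, c, k):
    """Raising a ciphertext to a known constant multiplies the plaintext by it."""
    n, _ = pub
    return pow(c, k, n * n)


def aggregate(pub, ciphertexts):
    """Aggregator side: never holds the private key, only combines ciphertexts."""
    total = 1   # Enc(0) with r = 1
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    pub, priv = keygen(P_PRIME, Q_PRIME)
    readings = [17, 4, 0, 250, 9]                 # constructed per-subject values
    cts = [encrypt(pub, v) for v in readings]     # encrypted at the collection point
    total_ct = aggregate(pub, cts)                # computed without the private key
    return decrypt(priv, pub, total_ct)           # only the key holder learns the sum


if __name__ == "__main__":
    print(demo())
```

Note what the scheme does and does not give: the aggregator can add and scale values it cannot read, but it cannot multiply two encrypted values or evaluate arbitrary logic over them, which is exactly the gap a fully homomorphic scheme fills at a far higher cost. The randomised r also matters: without it, two subjects with the same reading would produce the same ciphertext, and the aggregator could link them.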

------------------------------

Date: Wednesday, February 12, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: Because of DRM, The Entire Copyright Monopoly Legislation is a Lie
  (Rick Falkvinge)

Rick Falkvinge, *Torrent Freak*, 9 Feb 2014 [via Dave Farber]
http://torrentfreak.com/drm-entire-copyright-monopoly-legislation-lie-140209/

Cory Doctorow had a brilliant column in The Guardian, which was very long
and went into quite a bit of legislative history, but the key takeaway hit
the nail right on the head.

The entire copyright legislation is a lie, a facade, a mirage. There are no
exceptions, there are no expirations, there is no fair use. The reason the
situation has been allowed to degrade to this point is a small but important
detail called DRM (Digital Restriction Measures).

Since the turn of the century publishers are allowed to embed technical
obstacles called Digital Restriction Measures in anything they publish, and
these measures set and enforce a vastly expanded set of restrictions over
and above ordinary copyright monopoly law. The original law loses its
effect in the clause that says that any disabling of such Digital
Restriction Measures is illegal in the US and EU.

The net effect of this is that the DRM portion of copyright law, as it
stands today, is permitting publishers to dictate whatever terms they like
and call it `copyright', overriding the rest of that law.

Ordinary copyright monopoly law says that the monopoly eventually expires.
That's just not true, because mostly everything published today has
DRM, which says the monopoly does not expire.

Ordinary copyright monopoly law says you have a right to enjoy your
purchased works in various formats, places, and ways (in your car, in your
home, on your bike, when you like). DRM has made sure that's not in
the lawbooks anymore, because publishers didn't want it that way.

So let's look closer at what the copyright monopoly law really looks
like, with DRM in place and protected by law as is today.

Publishers don't want you to buy stories in another country and
enjoy them at home? At odds with ordinary copyright law, but with DRM,
publishers can totally override that.

Publishers want the copyright law to say that purchased books can't even be
shared between family members? Perfectly doable with DRM-fabricated
copyright law, even if the ordinary copyright law would have dropped a ton
of bricks on those publishers.

Publishers want the ability to remotely remove a book you've bought from
your bookshelf, even as you have it in your home? Say, Just fine with DRM.

Digital Restriction Measures were never -- never -- supposed to prevent
copying.  If you wanted to copy a DRM-ridden work, you could do so without
problem; the DRM would follow along to the copy just fine. DRM is a usage
restriction, not a copy restriction, and most importantly, as Doctorow puts
it:

DRM is the right for publishers to make up their own copyright law. [...]

------------------------------

Date: Tue, 04 Feb 2014 20:38:17 +0800
From: Jeremy Ardley <jeremy.ardley () gmail com>
Subject: Why is the US a decade behind Europe on 'chip and pin' cards?
  (RISKS-27.73)

Chip and PIN doesn't actually increase security. Chip & PIN cards have a
fall-back mode when the chip fails and revert to standard magnetic stripe
operation or even mechanical imprint.

It's trivial to create a card with a broken chip and forged or broken
magnetic stripe.

It gets slightly more complex with the RFID version of Chip and PIN. The
cards have three levels of degradation. Either the RFID fails or the RFID
reader fails - both quite common in my experience. Then the Chip can fail -
again common, and finally the stripe can fail forcing a reversion to
mechanical imprint.

There is also the issue of bank terminal acceptance of cards. In one store I
am obliged to initially present my RFID card which is declined as not
accepted at that terminal. Then I have to insert the card to have the chip
read and it is again declined because the terminal won't accept electronic
AMEX. Finally I am allowed to swipe the card. I must do it in that order
because of the store rules.

There is also the issue of Card-not-present purchases such as telephone or
Internet purchases in which the chip plays no part whatsoever.

What RFID cards do do is decrease security due to various scams involving
portable RFID readers. A second risk is banks have different automatic
authorisation levels depending on the type of verification used. In my case
RFID authentication has a relatively high dollar value for automatic
authorisation, so anyone taking my card can make multiple purchases up to
$100 each with no signature or PIN. If the card reverts to simple chip mode
or swipe mode then a PIN is required for all purchases.

All in all Chip cards and in particular RFID Chip cards are convenient but
overall less secure than ordinary swipe cards -- at least from a user
perspective.

------------------------------

Date: Sun, 16 Feb 2014 12:40:38 +0000
From: Andy Walker <news () cuboid co uk>
Subject: Re: NSF: 1/4 of Americans think sun goes 'round the earth...

The state of education around the world is often a source of innocent
amusement, but this particular item is perhaps not as "bad" as it seems.
Firstly, it is certain that the great majority of humans throughout history
have believed this, if they have thought about the problem at all.
Secondly, it's not a problem that impinges on the daily life of anyone.
Thirdly, if the theory of General Relativity is to be accepted, then
heliocentrism is no better a belief than geocentrism [or galactocentrism or
...]; we should pick co-ordinates for convenience, not dogma.

------------------------------

Date: Sun, 16 Feb 2014 14:39:54 -0700
From: Rich Schroeppel <rcs () xmission com>
Subject: American science education

NSF: 1/4 of Americans think sun goes 'round the earth...

This is cherry picking from the NSF report.  (Read it.)  Although the state
of American science knowledge is spotty, this particular example overstates
the problem.  Note also that Americans stack up reasonably well compared
with people in other developed countries.

As an aside, I'll level a couple of other quibbles.

a) "Which goes around which" is science trivia, unimportant to everyday
   life.  Ask people about the freezing temperature for water.
b) I'm allowed to choose my frame of reference.  For practical purposes, the
   earth is stationary and the sun goes around the earth once a day.

------------------------------

Date: Sat, 15 Feb 2014 16:51:39 -0800
From: spl () tirebiter org (Steve Lamont)
Subject: High School educated Air Traffic Controllers

Rather than depend upon a biased source (reason.org is an arm of the
Koch Brothers Reason Foundation, which would probably like to abolish
the FAA and allow the invisible hand of the free market to rule the air
spaces), why don't we look at the job posting itself:

http://www.doleta.gov/usworkforce/whatsnew/eta_default.cfm?id=6050

  Air Traffic Control Specialist Recruitment: Alert on Upcoming
  Recruitment and Outreach Campaign by FAA

  29 Jan 2014

  The Federal Aviation Administration (FAA) has announced a nation-wide air
  traffic control specialist recruitment, outreach, and education program,
  extending the invitation for the workforce system to share this
  information with its program participants in advance of a public vacancy
  announcement expected on or about 10 Feb 2014. There are air traffic
  control positions available at FAA locations across the country, and the
  FAA encourages all interested individuals who are eligible to apply for
  these positions.

  Some background:

  The Federal Aviation Administration (FAA) has re-opened its Academy for
  training Air Traffic Controllers since it closed in the spring of
  2013. The FAA intends to hire around 3,000 people over the next year for
  these positions across the country. The FAA anticipates that they will be
  hiring in significant numbers over the next several years, given the fact
  that Air Traffic Controllers must retire by age 56.

  Below are some key points of this new FAA hiring initiative:

  * FAA will post these positions on the USA Jobs website during the 10--21
    Feb period.

  * FAA will recruit nationwide.

  * The pay scale for Air Traffic Controllers ranges from GS-9 to GS-15
    (depending on the local area).

  * Individuals must start the FAA Academy or be conditionally hired by
    their 31st birthday.

  * Individuals must have 3 years of progressively responsible work
    experience, or a Bachelor's degree, or combination of education and work
    experience.

  * Individuals must meet medical and security requirements of being a
    government employee.

  * Veterans will receive Preference through the normal Federal Hiring
    process.

  * FAA is hosting a Virtual Career Fair on 12 Feb.

  Please visit www.FAA.gov/jobs for Employment FAQs, Air Traffic
  Controller Fact Sheets, and promotional videos.

  FAA has also created 'Digital Kits' for outreach and promotion,
  addressing eligibility for the position, application instructions, and
  other FAA positions in addition to the air traffic control jobs. Please
  visit www.faa.gov/jobs/recruiting_kit/

The FAA is not hiring J Random Dropout off the street and plopping them into
a controller's chair at LAX.  They're simply restarting an already existing
program that has been in hiatus.

------------------------------

Date: Wed, 19 Feb 2014 11:26:16 -0600
From: Bruce Schneier <schneier () schneier com>
Subject: David Cole: "Can Privacy Be Saved?"

http://www.nybooks.com/articles/archives/2014/mar/06/can-privacy-be-saved/

------------------------------

Date: Mon, 17 Feb 2014 10:08:47 +0000
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: GPS / GNSS vulnerabilities

The Royal Academy report that was mentioned in the latest RISKS digest is here:
http://raeng.org.uk/news/publications/list/reports/Global_Navigation_Systems.pdf

------------------------------

Date: 15 Feb 2014 21:50:25 -0500
From: "Bob Frankston" <bob2 () bob ma>
Subject: Re: GPS pioneer warns on network's security (Jones/Hoyos, R-27.74)

One approach is to harden the system but shouldn't we also be thinking about
a more generalized approach to getting location information that doesn't
depend on line-of-sight to satellites? We already do this using information
from cell towers and other sources but such approaches need to be resilient
and not naively trusting in the information they receive.

------------------------------

Date: Sun, 16 Feb 2014 20:18:54 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: UK is expanding their screwed up mandated porn filters to include
  more topics they can screw up

http://j.mp/M5rqkU  (Techdirt via NNSquad)

  "The UK government's futile and ham-fisted attempts to purge the Internet
  of all of its rough edges and naughty bits are about to see international
  escalation. The country is only really just kicking off their campaign to
  impose porn filters that not only often don't work, but also have so far
  managed to accidentally block numerous entirely legal and useful websites
  including technology news sites like Slashdot, digital rights groups like
  the EFF, rape counseling websites, and more. David Cameron's government
  has long-stated they want this filtering to eventually extend to websites
  deemed "extremist" by the government, and it appears that new proposals
  being drafted hope to make that a reality sooner rather than later."

Here's a plan. Cameron can just use "*" as his filter block directive and
avoid all the intermediate steps. No Web! No Problem!

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.75
************************

