Risks Digest 27.95
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 24 May 2014 21:39:50 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 24 May 2014  Volume 27 : Issue 95

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

"Adobe Creative Cloud crash shows that no cloud is too big to fail"
  (Serdar Yegulalp via Gene Wirchenko)
"Public utility compromised after brute-force attack, DHS says" (Jeremy Kirk
  via GW)
"Microsoft acknowledges more errors, 80070371 and 80071A91, when
  installing Windows 8.1 Update/KB 2919355" (Woody Leonhard via GW)
"Hackers hit eBay database containing personal info" (Loek Essers via GW)
"'Do not track'? Oh what the heck, go ahead" (Zach Miners via GW)
"Mozilla plans semi-silent updates to tug laggards onto the
  newest Firefox" (Gregg Keizer via GW)
"What questions should we be asking about the eBay breach?" (Claudiu Popa
  via GW)
"Firefox will get DRM copy protection despite Mozilla's concerns"
  (Jeremy Kirk via GW)
"Privacy takes a beating in the FBI's kangaroo court" (Robert X. Cringely
  via GW)
"U.S. charges Chinese Army members with cyber espionage" (Serdar Yegulalp
  via GW)
"Another privacy threat: DNS logging and how to avoid it"
  (Woody Leonhard via GW)
Use of license-plate photo databases is raising privacy concerns
  (Robert Faturechi via Jim Reisert)
California approves test of self-driving cars on public roads (Megan Geuss)
Comcast, Time Warner Cable still have the angriest customers (Ars Technica
  via NNSquad)
Technocreep, by Thomas P. Keenan (PGN)
Abridged info on RISKS (comp.risks)


Date: Mon, 19 May 2014 11:31:43 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Adobe Creative Cloud crash shows that no cloud is too big to fail"
  (Serdar Yegulalp)

Serdar Yegulalp | InfoWorld, 16 May 2014
Adobe's ID services went down for over 24 hours, leaving Creative
Cloud users -- and a great many others -- locked out of their
software and accounts

selected text:

A problem with Adobe Creative Cloud locked users of Adobe's software out of
their programs -- and a good deal else on top of that -- for more than 24
hours starting Wednesday night.

But every other Adobe service that used Adobe's ID system was also affected,
as noted by The Register's Alistair Dibbs. At least one "national [UK]
newspaper" wasn't able to publish its Adobe DPS tablet edition on Thursday
because of the outage.

The breadth and duration of Adobe's service interruption ranks as further
evidence that no cloud infrastructure is too big or too important to
fail. Dropbox went down for 16 hours in January of 2013, and Google Drive
experienced a similar 17-hour meltdown of its own in March. One estimate has
put the cost of major-league cloud outages at some $71 million since 2007,
but failures like Adobe's -- where a single piece of failing infrastructure
brings down multiple systems -- have most likely driven that estimate far


Date: Thu, 22 May 2014 14:26:45 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Public utility compromised after brute-force attack, DHS says"
  (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 21 May 2014
The utility, which was not identified, used a simple password system
and had been compromised before


Date: Mon, 19 May 2014 11:28:23 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft acknowledges more errors, 80070371 and 80071A91,
  when installing Windows 8.1 Update/KB 2919355" (Woody Leonhard)

Woody Leonhard | InfoWorld, 16 May 2014
There's confirmation of two more bugs and a Stop 0x7B 'Blue Screen'
as Microsoft re-issues the patch, changing metadata but no programs


Date: Thu, 22 May 2014 14:25:01 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Hackers hit eBay database containing personal info" (Loek Essers)

Loek Essers, InfoWorld, 21 May 2014
Users are asked to change passwords after attackers compromised
employee log-in credentials


Date: Thu, 22 May 2014 14:23:18 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "'Do not track'? Oh what the heck, go ahead" (Zach Miners)

Zach Miners, InfoWorld, 22 May 2014
The browser privacy system is in tatters, and most websites either
don't honor DNT or interpret it in different ways


Date: Fri, 23 May 2014 11:16:57 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Mozilla plans semi-silent updates to tug laggards onto the
  newest Firefox" (Gregg Keizer)

Gregg Keizer, Computerworld, InfoWorld, 19 May 2014
Will likely kick off process in June to get more Firefox users on the
latest version with the new Australis UI

opening text:

Mozilla is preparing nearly-silent upgrades to get customers stuck on older
versions of Firefox onto the newest edition, according to notes on the
company's website and its bug-tracking database.

The plan is to start upgrading older Windows editions beginning with the
next stable release, Firefox 30, which is slated to ship June 10.

"In the next weeks we will [be] implementing a project to get users on older
versions of Firefox back onto the latest version," said Benjamin Smedberg on
a Mozilla developers planning discussion thread.  "We've confirmed ... that
about 2% of Firefox profiles are getting 'stuck' on older versions in each
release cycle, at least back to Firefox 22."

On his LinkedIn profile, Smedberg identifies himself as a Mozilla
engineering manager.

Smedberg said that Mozilla didn't know why some of its users continue to run
outdated versions of Firefox. But with Firefox's background update
mechanism, those users had to have explicitly switched off or at least
restricted updates.  [much more omitted.]

  Well, let me answer that for you, Mr. Smedberg.  1) I like to know what is
  running on my system.  I program, and if an update causes a problem, I
  would at least like to know that there was an update.  Consequently, I
  prefer to update manually.  2) I installed version 29.  I detest the new
  interface and went back to version 28.  3) I do not like the frequent
  nagging (multiple times per day) to "upgrade" to 29.1.

  Does anyone know of a good browser that is not intrusive?  I would like
  one that runs NoScript or an equivalent.

  I have used Firefox since version 0.94, but there are other browsers.


Date: Thu, 22 May 2014 10:11:20 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "What questions should we be asking about the eBay breach?"

Claudiu Popa, *IT Business*, 21 May 2014

selected text:

Shortly after the eBay press release hit the wire, the media started calling
to ask for my feedback on the whys and the hows of this latest debacle.

With that firmly in mind, eBay's response was still entirely inadequate. The
press release, not addressed at the public but at the media, simply
indicated that a few employee accounts were used to gain access to a
database of user information.  That information included personal addresses,
emails, phone numbers, dates of birth, names and um -- don't worry: no
financial information. No passwords either, since they were encrypted.

There are plenty of positive, responsible, respectful ways to announce that
you dropped the ball on security. This announcement is not one of them,
unless it's just for the purpose of summarily complying with legislation.


Date: Mon, 19 May 2014 11:24:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Firefox will get DRM copy protection despite Mozilla's concerns"
  (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 15 May 2014
The company opposes DRM but has little choice lest users be cut off
from popular content services, Mozilla's CTO says

selected text:

Mozilla will upgrade its Firefox browser with copyright protection
technology, fearing a loss of users if they can't play protected content
from services like Netflix, Hulu and Amazon.

The organization has long opposed DRM (Digital Rights Management)
technologies, which seek to prevent unauthorized sharing of content under
copyright protection. Critics say DRM also prevents legal uses of content,
such as a person moving it between two of their own devices.

DRM can also potentially leak users' private information, Gal wrote.  Many
DRM systems "fingerprint" a device, collecting identifying information so
they can prevent content from being played on a different device.


Date: Thu, 22 May 2014 14:18:16 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Privacy takes a beating in the FBI's kangaroo court"
  (Robert X. Cringely)

Robert X. Cringely, InfoWorld, 22 May 2014
The Feds ran roughshod over Lavabit, forcing it to shut down and
proving that in the privacy wars, the government is fighting to win
-- and fighting dirty


Date: Mon, 19 May 2014 15:04:53 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "U.S. charges Chinese Army members with cyber espionage"
  (Serdar Yegulalp)

Serdar Yegulalp, InfoWorld, 19 May 2014
Five members of the Chinese Army have been indicted for allegedly
hacking U.S. firms and stealing trade secrets


Date: Wed, 21 May 2014 11:26:08 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Another privacy threat: DNS logging and how to avoid it"
  (Woody Leonhard)

Woody Leonhard | InfoWorld, 21 May 2014
With AT&T now turning your DNS logs into a money-making proposition,
it's time to look at alternatives


Date: Mon, 19 May 2014 15:00:42 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Use of license-plate photo databases is raising privacy
 concerns (Robert Faturechi)

Robert Faturechi, *Los Angeles Times*, 16 May 2014

"A growing number of cameras -- hundreds around Los Angeles, thousands
nationwide -- are engaged in a simple pursuit: Taking pictures of license

The digital photos, automatically snapped by cameras mounted on cars and
street poles and then tagged with time and location, are transmitted to
massive databases running on remote computer servers.  Cops can then search
those databases to track the past whereabouts of drivers.

Law enforcement officials say the data collection is invaluable for tracking
down stolen cars and catching fugitives.

But such databases are also being built by private firms, which can sell
access to anyone willing to pay, such as lenders, repo workers and private
investigators. That is raising worries among privacy advocates and
lawmakers, who say the fast-growing industry is not only ripe for conflicts
of interest but downright invasive."



Date: May 21, 2014 at 6:46:10 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: California approves test of self-driving cars on public roads
  (Megan Geuss)

Megan Geuss, Ars Technica, 20 May 2014 (Via Dave Farber)

Regulations take effect mid-September; rules for the public may come this

On Tuesday, the California Department of Motor Vehicles (DMV) officially
approved rules to allow the testing of autonomous vehicles on public
roads. The rules will take effect September 16, 2014.

The move has been a long time coming, with the DMV promising back in
December 2013 that it would post regulations for public use of self-driving
cars and then holding a public hearing in January to address concerns about
them. These new rules will set a statewide standard for all
manufacturers. (Although Google has been running pilot programs in Mountain
View and elsewhere, it's not the only company pursuing an automated vehicle
-- Nvidia told Ars last week that Audi has plans to incorporate a ``cruise
control for stop-and-go traffic'' feature in one of its cars come 2015.)

Bryant Walker Smith, a fellow at the Center for Automotive Research at
Stanford (CARS), told Ars that the new rules could change how manufacturers
proceed with their testing. ``The DMV has a really, really difficult task,
and I was impressed with the thoughtfulness of their approach,'' he
said. ``I would say that anyone who is reading these documents will have to
read very closely.''

According to the adopted regulatory text that the California DMV posted on
Tuesday, a manufacturer which wants to test autonomous vehicles has to apply
for a testing permit, certify its drivers to test the cars, and secure a $5
million insurance or safety bond. The testing permit must be renewed after
one year or else it expires.

During the tests, an operator must remain in the driver's seat at all times
and must obtain an ``Autonomous Vehicle Testing (AVT) Program Test Vehicle
Operator Permit'' from the DMV. To obtain such a permit, the operator must
go through a training program put together by the manufacturer and approved
by the DMV, which includes ``defensive driver training, including practical
experience in recovering from hazardous driving scenarios'' as well as
``instruction that matches the level of the autonomous test vehicle
driver's experience operating the specific type of automated driving
system technology with the level of technical maturity of the automated
system.''  ...


Date: Mon, 19 May 2014 21:11:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Comcast, Time Warner Cable still have the angriest customers

(Ars Technica via NNSquad)

  "Merging cable giants are the worst-rated companies in the worst-rated

At least they're consistent.


Date: Fri, 23 May 2014 15:34:26 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Technocreep, by Thomas P. Keenan

Thomas P. Keenan
Technocreep: The Surrender of Privacy and the Capitalization of Intimacy
OR Books, 2014 (http://www.orbooks.com/catalog/technocreep/)

Throughout this book, it is clear that creeps are creeping with increasing
creepiness.  Every chapter in this book is a self-contained gem, full of
timely and important thoughts that relate to the present time and to our
future.  Sensor Creep and Tracking Creep are very ominous.  Government Creep
is especially pithy: ``One of the creepiest aspects of technology is that
you never really know who or what to believe anymore.''

Thomas P. Keenan has done a wonderful job in threading so many seemingly
disparate ideas into the single notion of `creep'.  Indeed, creeping is
generally thought of as going forward; however, in many of his examples, we
may actually be creeping (if not lurching) backward.  This book is a must
read for everyone interested in RISKS -- technologists, legislators and
government officials, ordinary citizens, and even luddites.

  As an aside, I note that The Internet of Things (IOT, or IoT if you
  prefer) -- perhaps one of the very biggest opportunities for creep of all
  -- might eventually create an Identity (ID) something akin to a URL for
  almost any object you can possibly imagine, including you personally.  If
  Technocreep ever realizes the total dis-anthropomorphization of the human
  race by treating people as Things, we may all have idiotically become


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.95
