
Risks Digest 28.01
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 11 Jun 2014 11:12:55 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 11 June 2014  Volume 28 : Issue 01

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Total Parenteral Nutrition software recall (Richard I Cook)
A Computer Risk to Your Sleeping (jared gottlieb)
Web browsing is copyright infringement, publishers argue (David Kravets
  via Dewayne Hendricks)
When the Landline Is a Lifeline (Jon Brodkin via Dewayne Hendricks)
IT pro gets 4 years in prison for sabotaging ex-employer's system
  (Chris Kanaracus via Monty Solomon)
"Serious flaw in GnuTLS library endangers SSL clients and systems"
  (Lucian Constantin via Gene Wirchenko)
Smart TVs subverted by radio attack (Michel Kabay)
USDA and Submachine Guns: Latest Example of Mission Creep as
  Federal Policing Expands (Dave Farber)
Computer passes Turing Test for first time by convincing judges it is a
  13-year-old boy (Dante D'Orazio via Dewayne Hendricks)
Would a Google car sacrifice you for the sake of the many? (David Weinberger
  via David Farber, Andrew Lippman)
Internet Giants Erect Barriers to Spy Agencies (David Sanger and
  Nicole Perlroth via Lauren Weinstein)
Cellphone operator reveals scale of government snooping (AP item
  via Lauren Weinstein)
U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
  (Kim Zetter via Dewayne Hendricks)
Why Are the US Marshals at the Center of All These Pen Registers?
  (emptywheel via David S. H. Rosenthal)
Google Offers New Encryption Tool (Nicole Perlroth via Monty Solomon)
"Redmond is patching Windows 8 but NOT Windows 7, say security bods"
  (Darren Pauli via Gene Wirchenko)
EPIC reports Google to advertise on Nest thermostat, etc.
  (EPIC via Harry Hochheiser)
FBI informant's role in cyberattacks by AntiSec (Prashanth Mundkur)
Abridged info on RISKS (comp.risks)


Date: Sun, 25 May 2014 10:50:47 +0200
From: "Richard I Cook, MD" <ricookmd () gmail com>
Subject: Total Parenteral Nutrition software recall

Total parenteral nutrition (intravenous feeding) is complicated to
administer and there are tools to assist in the preparation of
individualized dosing.  Because such nutrition is typically administered
weeks to years and the composition needs to change frequently (in instances,
daily) and because patients receiving this sort of treatment are invariably
quite ill, even relatively small flaws in the calculations can produce
significant physiological disturbances.



Date: Wed, 4 Jun 2014 09:40:25 -0600
From: jared gottlieb <jared () netspace net au>
Subject: A Computer Risk to Your Sleeping

A computer software and GUI sourced incident waking up a town in Colorado

Lafayette's 3 a.m. tornado-siren misfire blamed on human error,
'less-than-intuitive' software.
Officials say 'work around' in place, but new software needed.
Lafayette's tornado sirens mistakenly sound for 8 minutes in middle of night.

The Boulder County Sheriff's Office has determined that human error and a
"less-than-intuitive" software system were to blame for mistakenly setting
off Lafayette's tornado sirens in the middle of the night last month.

On May 22, Lafayette's emergency sirens were triggered at 3:07 a.m. by a
pager notification for an unrelated police operation. The sirens sounded for
about eight minutes until Boulder County dispatchers -- alerted by incoming
calls from concerned Lafayette residents -- shut them down at 3:15 a.m.,
officials said. ...

After investigators recreated the chain of events, officials said a
dispatcher accidentally set off the alarms while trying to send a staff
notification through the Computer Aided Dispatch (CAD) system, the same
software that launches the alert sirens, according to a release.

Officials believe that while trying to send out the notification, the
dispatcher received an error message and then tried to click an "OK" to
close the box. But the button to activate the alert sirens is directly
underneath the "OK" button in the error box, and the investigators believe
the dispatcher "inadvertently" selected that option. ...

Officials with the Boulder County Sheriff's Office dispatch center -- which
handles Lafayette police dispatch duties -- said they have developed a
"work around" that will make it easier for dispatchers to confirm where
their pages are going. But they said the ultimate solution is to have the
Lafayette sirens operated through a standalone software system similar to
the one used by all other Boulder County alert sirens.
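The click-through failure described above, as an added simulation that is not code from the CAD vendor or Boulder County: the layout, timings and confirmation phrase are assumptions chosen to reproduce the reported sequence, and the hardened console shows two defences (a short debounce after a modal closes, and a typed arming step that a pointer click cannot reach).

```python
# Constructed simulation of an error-dialog "OK" button drawn directly over a
# siren activation button. Layout, timings and phrase are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rect:
    name: str
    x0: int
    y0: int
    x1: int
    y1: int

    def contains(self, x: int, y: int) -> bool:
        return self.x0 <= x < self.x1 and self.y0 <= y < self.y1


# Assumed layout: the error dialog's "OK" button overlaps the siren button.
SIREN_BUTTON = Rect("activate_sirens", 100, 200, 220, 240)
ERROR_OK = Rect("error_ok", 110, 205, 200, 235)


class NaiveConsole:
    """Single-click activation, no arming step, no input debounce."""

    def __init__(self) -> None:
        self.error_open = False
        self.sirens_on = False
        self.log: List[str] = []

    def send_page(self, group: str) -> None:
        # Assumed failure: the staff notification raises an error dialog.
        self.error_open = True
        self.log.append(f"page to {group!r} failed; error dialog shown")

    def click(self, x: int, y: int, t_ms: int) -> None:
        if self.error_open and ERROR_OK.contains(x, y):
            self.error_open = False
            self.log.append("error dialog dismissed")
            return
        # With the dialog gone, the same screen position is the siren button.
        if SIREN_BUTTON.contains(x, y):
            self.sirens_on = True
            self.log.append("SIRENS ACTIVATED")


class HardenedConsole(NaiveConsole):
    """Debounce after a modal closes, plus a typed arming step before the
    pointer can trigger the sirens."""

    DEBOUNCE_MS = 750
    ARM_WINDOW_MS = 10_000
    CONFIRM_PHRASE = "ACTIVATE LAFAYETTE SIRENS"  # assumed, typed by operator

    def __init__(self) -> None:
        super().__init__()
        self.armed_until_ms: Optional[int] = None
        self.ignore_rect: Optional[Rect] = None
        self.ignore_until_ms = -1

    def arm_sirens(self, operator: str, typed: str, t_ms: int) -> bool:
        # Arming is typed, not clicked, so a stray pointer event cannot reach it.
        if typed != self.CONFIRM_PHRASE:
            self.log.append(f"{operator}: arming refused (confirmation mismatch)")
            return False
        self.armed_until_ms = t_ms + self.ARM_WINDOW_MS
        self.log.append(f"{operator}: sirens armed for {self.ARM_WINDOW_MS} ms")
        return True

    def click(self, x: int, y: int, t_ms: int) -> None:
        if self.error_open and ERROR_OK.contains(x, y):
            self.error_open = False
            # Swallow clicks on the dialog's footprint briefly so a double or
            # ghost click cannot fall through to whatever lies underneath.
            self.ignore_rect = ERROR_OK
            self.ignore_until_ms = t_ms + self.DEBOUNCE_MS
            self.log.append("error dialog dismissed")
            return
        if (self.ignore_rect is not None and t_ms < self.ignore_until_ms
                and self.ignore_rect.contains(x, y)):
            self.log.append("click discarded (modal debounce)")
            return
        if SIREN_BUTTON.contains(x, y):
            if self.armed_until_ms is not None and t_ms <= self.armed_until_ms:
                self.sirens_on = True
                self.armed_until_ms = None
                self.log.append("SIRENS ACTIVATED (armed)")
            else:
                self.log.append("siren click ignored: not armed")


def replay_incident(console: NaiveConsole) -> bool:
    """Replay the constructed sequence: a page fails, the operator clicks OK,
    and a second click lands on the same spot 200 ms later."""
    console.send_page("staff")
    console.click(150, 220, t_ms=0)    # intended for the dialog's OK button
    console.click(150, 220, t_ms=200)  # stray second click at the same point
    return console.sirens_on
```

Calling replay_incident on each console class shows the naive one activating the sirens and the hardened one discarding the stray click; the log lists give the audit trail a reviewer would want.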



Date: Thursday, June 5, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: Web browsing is copyright infringement, publishers argue
  (David Kravets)

David Kravets, Ars Technica, 5 Jun 2014
Thankfully, European top court rules against the publishers' "irrational"

Europeans may browse the Internet without fear of infringing copyrights, as
the EU Court of Justice ruled Thursday in a decision that ends a four-year
legal battle threatening the open Internet.

It was the European top court's second wide-ranging cyber ruling in less
than a month. The court ruled May 13 that Europeans had a so-called "right
to be forgotten" requiring Google to delete "inadequate" and "irrelevant"
data upon requests from the public. That decision is spurring thousands of
removal requests.

In this week's case, the court slapped down the Newspaper Licensing
Agency's (NLA) claim that the technological underpinnings of Web surfing
amounted to infringement.

The court ruled that "on-screen copies and the cached copies made by an
end-user in the course of viewing a website satisfy the conditions" of
infringement exemptions spelled out in the EU Copyright Directive. The
NLA's opponent in the case was the Public Relations Consultants Association
(PRCA). The PR group hailed the decision.

"We are utterly delighted that the CJEU has accepted all of our arguments
against the NLA, which represents eight national newspapers. The Court of
Justice, like the Supreme Court before them, understands that the NLA's
attempts to charge for reading online content do not just affect the PR
world, but the fundamental rights of all EU citizens to browse the
Internet," PRCA Director General Francis Ingham said. "This is a huge step
in the right direction for the courts as they seek ways to deal with the
thorny issues of Internet use and copyright law."

The NLA is the body that distributes reproductions of newspaper content,
including the Guardian's. Its main argument was that the cost the licensing
public relations companies pay for the reproductions should factor into
what is temporarily copied on a reader's computer.

David Pugh, the NLA's managing director, said opponents were making the
case out to be as if the sky was falling, but it's not, he said. Pugh
believed the issue was much narrower than portrayed.

"In our view, [the temporary copying] exception is designed to protect ISPs
and telecoms companies when they're transmitting data from A to B in
networks. The PR spin put on this case was that if our ruling was allowed
to stand then users of the Internet would be criminalized for using a
browser, but that's never been what it's about," he said. [...]


Date: Thursday, June 5, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: When the Landline Is a Lifeline (Jon Brodkin)

Jon Brodkin, *The New York Times* (via Dave Farber), 4 Jun 2014

AT&T and Verizon are pushing hard to shift traditional landline service,
which has mostly operated over copper lines, to a system of Internet-based
phones by around 2020. If the Federal Communications Commission approves the
switch as is, it could come as a shock to the 96 million Americans who still
rely on landlines.

The change itself is inevitable: the old copper lines are aging and
expensive to maintain. And the new system is already in use. As of December
2012, 42 million Americans had Internet-based phones. But moving to an all
Internet-based network will benefit Americans only if the F.C.C. is able to
protect them in the shift.

The new phones have some major technical flaws. They can't hold up during
long power failures or connect all emergency phone calls. But there are also
regulatory problems: The change in service could free the telecom industry
from its obligation to guarantee universal access and fair prices to

As a result, people in remote or rural areas who rely on landlines could
end up paying a lot for a bad deal.

So-called common carrier rules have long required phone companies to offer
services to everyone, at reasonable rates. But in a series of decisions
beginning in 2002, the F.C.C. classified broadband Internet as an
``information service'' instead of a telecommunication service, freeing it
from these rules. For now, the F.C.C. hasn't weighed in on where the
Internet-based phones -- also called VoIP, for voice over Internet protocol
-- stand, leaving them in regulatory limbo.

While the new phones all rely on the Internet, they don't all use the same
delivery mechanism. Fiber and cable are more reliable carriers than the
wireless network that cellphones also rely on. Without new regulations,
phone companies could refuse wired Internet service to remote areas where
it's not profitable to build it -- a good 25 percent of AT&T's service area.

One key upside to the old telephone network is that it can draw electricity
from the copper wires, keeping residents connected to emergency services
even when power failures render lights and cellphones useless for days.
Alarm systems and medical alert devices often still rely on the traditional
landline system, and those will need to be safely moved to new networks.
Regardless, the phone companies are pushing ahead, sometimes without
permission from the F.C.C. In 2012, after Hurricane Sandy destroyed much of
the copper infrastructure in western Fire Island, N.Y., Verizon didn't want
to fix the phone lines. Instead, it proposed replacing them with Voice
Link, a substitute that connects to the cellular network.

Residents and government officials protested that these phones would be
less reliable and unable to last through power failures like the one that
had just crippled the island. Voice Link isn't compatible with fax machines
and medical alert systems, and its terms of service note that 911 calls
might not even go to emergency service providers but can be legally routed
to Verizon operators. [...]


Date: Sun, 25 May 2014 17:59:18 -0400
From: Monty Solomon <monty () roscom com>
Subject: IT pro gets 4 years in prison for sabotaging ex-employer's system
  (Chris Kanaracus)

Chris Kanaracus, Computerworld, 21 May 2014
Ricky Joe Mitchell must also pay more than $500,000 in restitution and fines

A former network engineer for oil and gas company EnerVest has been
sentenced to four years in federal prison after pleading guilty in January
to sabotaging the company's systems badly enough to disrupt its business
operations for a month.

Ricky Joe Mitchell of Charleston, West Virginia, must also pay $428,000 in
restitution and a $100,000 fine, according to an announcement this week from
U.S. Attorney Booth Goodwin's office.

In June 2012, Mitchell found out he was going to be fired from EnerVest and
in response he decided to reset the company's servers to their original
factory settings. He also disabled cooling equipment for EnerVest's systems
and disabled a data-replication process. ...



Date: Tue, 03 Jun 2014 12:43:03 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Serious flaw in GnuTLS library endangers SSL clients and systems"
  (Lucian Constantin)

Lucian Constantin, InfoWorld, 03 Jun 2014
Serious flaw in GnuTLS library endangers SSL clients and systems
A vulnerability patched in the GnuTLS library can potentially be
exploited from malicious servers to execute malware on computers


Date: Mon, 9 Jun 2014 08:25:41 -0400
From: Michel Kabay <mekabay () gmail com>
Subject: Smart TVs subverted by radio attack

In yet another demonstration of what happens when design includes weak
security, we have the appalling possibility that, say, Monty Python reruns
could be replaced by FAUX News broadcasts. Of course, some people argue that
FAUX News is actually a satirical series anyway.



Date: Sun, 8 Jun 2014 03:59:04 -0400
From: "Dave Farber via ip" <ip () listbox com>
Subject: USDA and Submachine Guns: Latest Example of Mission Creep as
  Federal Policing Expands



Date: Jun 8, 2014 4:14 PM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: Computer passes Turing Test for first time by convincing judges
   it is a 13-year-old boy (Dante D'Orazio)

Dante D'Orazio, *The Verge*, 8 Jun 2014 (via Dave Farber)


Eugene Goostman seems like a typical 13-year-old Ukrainian boy -- at least,
that's what a third of judges at a Turing Test competition this Saturday
thought. Goostman says that he likes hamburgers and candy and that his
father is a gynecologist, but it's all a lie. This boy is a program created
by computer engineers led by Russian Vladimir Veselov and Ukrainian Eugene

That a third of judges were convinced that Goostman was a human is
significant -- at least 30 percent of judges must be swayed for a computer
to pass the famous Turing Test. The test, created by legendary computer
scientist Alan Turing in 1950, was designed to answer the question "Can
machines think?" and is a well-known staple of artificial intelligence

Goostman passed the test at the Turing Test 2014 competition in London on
Saturday, and the event's organizers at the University of Reading say it's
the first computer to succeed. Professor Kevin Warwick, a visiting professor
at the university, noted in a release that "some will claim that the Test
has already been passed." He added that "the words Turing Test have been
applied to similar competitions around the world," but "this event involved
the most simultaneous comparison tests than ever before, was independently
verified and, crucially, the conversations were unrestricted."

The program nearly passed the test back in 2012, when 29 percent of judges
at another competition decided that it was a human. Despite the achievement,
the results are far from conclusive and they do not mean that the machines
are taking over the world -- no matter what you read on the Internet. The
program is scripted with a personality that likely assisted in convincing
judges, and it is not the artificial intelligence you know from sci-fi
movies. This is no HAL from 2001: A Space Odyssey. For instance, the Turing
Test doesn't hinge on whether the computer's responses are correct or not --
it only involves the "humanness" of its answers. The test is carried out
over a text chat. Goostman's "age" may have also helped it pass the test. As
Veselov notes, "Our main idea was that he can claim that he knows anything,
but his age also makes it perfectly reasonable that he doesn't know
everything." [...]


Date: Sun, 8 Jun 2014 22:03:19 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: Would a Google car sacrifice you for the sake of the many?
  (David Weinberger)


Plus: Networked Road Neutrality

1. The programmed morality of networked cars

Google self-driving cars are presumably programmed to protect their
passengers. So, when a traffic situation gets nasty, the car you're in will
take all the defensive actions it can to keep you safe.

But what will robot cars be programmed to do when there's lots of them on
the roads, and they're networked with one another?

We know what we as individuals would like. My car should take as its Prime
Directive: ``Prevent my passengers from coming to harm.'' But when the cars
are networked, their Prime Directive well might be: ``Minimize the amount of
harm to humans overall.'' And such a directive can lead a particular car to
sacrifice its humans in order to keep the total carnage down. Asimov's Three
Rules of Robotics don't provide enough guidance when the robots are in
constant and instantaneous contact and have fragile human beings inside of
them.

It's easy to imagine cases. For example, a human unexpectedly darts
into a busy street. The self-driving cars around it rapidly communicate and
algorithmically devise a plan that saves the pedestrian at the price of
causing two cars to engage in a Force 1 fender-bender and three cars to
endure Force 2 minor collisions -- but only if the car I happen to be
in intentionally drives itself into a concrete piling, with a 95% chance of
killing me. All other plans result in worse outcomes, where
``worse'' refers to some scale that weighs monetary damages,
human injuries, and human deaths.

Or, a broken run-off pipe creates a dangerous pool of water on the highway
during a flash storm. The self-driving cars agree that unless my car
accelerates and rams into a concrete piling, all other configurations of
joint actions result in a tractor trailing jack-knifing, causing lots of
death and destruction. Not to mention The Angelic Children's Choir
school bus that would be in harm's way. So, the swarm of robotic
cars makes the right decision and intentionally kills me.

In short, the networking of robotic cars will change the basic moral
principles that guide their behavior. Non-networked cars are presumably
programmed to be morally-blind individualists trying to save their
passengers without thinking about others, but networked cars will probably
be programmed to support some form of utilitarianism that tries to minimize
the collective damage. And that's probably what we'd
want. Isn't it?

But one of the problems with utilitarianism is that there turns out to be
little agreement about what counts as a value and how much it counts. Is
saving a pedestrian more important than saving a passenger? Is it always
right to try to preserve human life, no matter how unlikely it is that the
action will succeed and no matter how many other injuries it is likely to
result in? Should the car act as if its passenger has seat-belted
him/herself in because passengers should do so? Should the cars be more
willing to sacrifice the geriatric than the young, on the grounds that the
young have more of a lifespan to lose? And won't someone please think about
the kids -- those adorable choir kids?

We're not good at making these decisions, or even at having rational
conversations about them. Usually we don't have to, or so we tell
ourselves. For example, many of the rules that apply to us in public spaces,
including roads, optimize for fairness: everyone waits at the same stop
lights, and you don't get to speed unless something is relevantly different
about your trip: you are chasing a bad guy or are driving someone who
urgently needs medical care.

But when we are better able to control the circumstances, fairness isn't always
the best rule, especially in times of distress. Unfortunately, we don't have
a lot of consensus around the values that would enable us to make joint
decisions. We fall back to fairness, or pretend that we can have it all. Or
we leave it to experts, as with the rules that determine who gets organ
transplants. It turns out we don't even agree about whether it's
morally right to risk soldiers' lives to rescue a captured comrade.

Fortunately, we don't have to make these hard moral decisions. The people
programming our robot cars will do it for us.

2. Networked Road Neutrality

Imagine the roadways are full of self-driving vehicles. Imagine that Google
remains in the lead, and the bulk of the cars carry their brand. And assume
that these cars are in networked communication with one another.

Can we assume that Google will support Networked Road Neutrality, so that
all cars are subject to the same rules, and there is no discrimination based
on contents (= passengers), origin, destination, or purpose of the trip?

Or would Google let you pay a premium to take the ``fast
lane''? (For reasons of network optimization the fast lane probably
wouldn't actually be a designated lane but well might look much more like
how frequencies are dynamically assigned in an age of ``smart
radios.'') We presumably would be ok with letting emergency vehicles
go faster than the rest of the swarm, but how about letting the rich folks
pay to go faster by programming the other robot cars to give way when a car
with its ``Move aside!'' bit is on?

Let's say Google supports a strict version of Networked Road
Neutrality. But, suppose Comcast starts to make cars, and programs them to
get ahead of the cars that choose to play by the rules. Would Google cars
take action to block the Comcast cars from switching lanes to gain a speed
advantage -- perhaps forming a cordon around them? Would that be
legal? Would selling a virtual fast lane on a public roadway be legal in the
first place? And who gets to decide? The FCC?

One thing is sure: It'll be a golden age for lobbyists.


Date: Sunday, June 8, 2014
From: *Andrew Lippman* <lip () media mit edu>
Subject: Would a Google car sacrifice you for the sake of the many?

  [Via Dave Farber's IP distribution.  PGN]

It's easy to imagine dystopian outcomes and unanticipated consequences for
all actions.  Can the author of this note comment on the likelihood of the
occasion he postulates, or the likelihood of such programming?  To date,
there is no evidence of such programming and no reason to foresee it.

On the other hand, there is quite good reason to expect that as the number
of autonomous vehicles grows, we can expect safer roads, less stressed
drivers, and relief from rush hour agony behind the wheel [*].  We already
almost do that with lane change alarms and active cruise control.  We are
one short step away from letting go the wheel entirely in many
circumstances.  Further, a more likely path for these cars to take is that
they require an attentive driver well before they own the roadways.  We
should live so long!

This kind of argument is reminiscent of the argument raised over caller ID
twenty-five years ago.  Yes, it can be misused, but are we better off for
it? I think so.

   [* PGN adds, What could possibly go wrong?  Some RISKS readers may
   disagree with this sentence, based on all sorts of threats,
   vulnerabilities, and past experience with human nature.]


Date: Fri, 6 Jun 2014 19:42:28 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Internet Giants Erect Barriers to Spy Agencies

David Sanger and Nicole Perlroth, *The New York Times* via NNSquad, 6 Jun 2014

  "Just down the road from Google's main campus here, engineers for the
  company are accelerating what has become the newest arms race in modern
  technology: They are making it far more expensive and far more difficult
  for the National Security Agency and the intelligence arms of other
  governments around the world to pierce their systems."


Date: Fri, 6 Jun 2014 20:25:39 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Cellphone operator reveals scale of government snooping

*The Washington Post* via  NNSquad

  "But the most explosive revelation in Vodafone's report is that in six
  countries, authorities require direct access to an operator's network,
  bypassing legal niceties like warrants and eliminating the need to get
  case-by-case cooperation from phone-company employees. It did not name the
  countries for legal reasons and to safeguard employees working there."


Date: June 4, 2014 at 9:53:09 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
  (Kim Zetter)

Kim Zetter, *WiReD*, 3 Jun 2014  (via Dave Farber)

A routine request in Florida for public records regarding the use of a
surveillance tool known as stingray took an extraordinary turn recently when
federal authorities seized the documents before police could release them.

The surprise move by the U.S. Marshals Service stunned the American Civil
Liberties Union, which earlier this year filed the public records request
with the Sarasota, Florida, police department for information detailing its
use of the controversial surveillance tool.

The ACLU had an appointment last Tuesday to review documents pertaining to a
case investigated by a Sarasota police detective. But marshals swooped in at
the last minute to grab the records, claiming they belong to the
U.S. Marshals Service and barring the police from releasing them.

ACLU staff attorney Nathan Freed Wessler called the move ``truly
extraordinary and beyond the worst transparency violations'' the group has
seen regarding documents detailing police use of the technology.

``This is consistent with what we've seen around the country with federal
agencies trying to meddle with public requests for stingray information,''
Wessler said, noting that federal authorities have in other cases invoked
the Homeland Security Act to prevent the release of such records. ``The feds
are working very hard to block any release of this information to the

Stingrays, also known as IMSI catchers, simulate a cellphone tower and trick
nearby mobile devices into connecting with them, thereby revealing their
location. A stingray can see and record a device's unique ID number and
traffic data, as well as information that points to its location. By moving
a stingray around, authorities can triangulate a device's location with
greater precision than is possible using data obtained from a carrier's
fixed tower location.

The records sought by the ACLU are important because the organization has
learned that a Florida police detective obtained permission to use a
stingray simply by filing an application with the court under Florida's
``trap and trace'' statute instead of obtaining a probable-cause
warrant. Trap and trace orders generally are used to collect information
from phone companies about telephone numbers received and called by a
specific account. A stingray, however, can track the location of cell
phones, including inside private spaces.

The government has long asserted it doesn't need a probable-cause warrant to
use stingrays because the device doesn't collect the content of phone calls
and text messages, but instead operates like pen-registers and
trap-and-traces, collecting the equivalent of header information. The ACLU
and others argue that the devices are more invasive than a trap-and-trace.

Recently, the Tallahassee police department revealed it had used stingrays
at least 200 times since 2010 without telling any judge because the device's
manufacturer made the police department sign a non-disclosure agreement that
police claim prevented them from disclosing use of the device to the
courts. ...


Date: June 4, 2014 at 12:18:08 EDT
From: "David S. H. Rosenthal" <dshr () abitare org>
Subject: Why Are the US Marshals at the Center of All These Pen Registers?

Re: U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
[Note:  This comment comes to RISKS via Dewayne Hendricks and Dave Farber.]

U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
Kim Zetter
Jun 3 2014

Why Are the US Marshals at the Center of All These Pen Registers?
By emptywheel
Jun 4 2014

The US Marshal Service shows up prominently in two Pen Register stories from

First, as part of a great story from WSJ's Jen Valentino-Devries mapping out
how many federal criminal electronic records requests never get unsealed?

In eight years as a federal magistrate judge in Texas, Brian Owsley approved
scores of government requests for electronic surveillance in connection with
criminal investigations -- then sealed them at the government's request. The
secrecy nagged at him.

So before he left the bench last year, the judge decided to unseal more than
100 of his own orders, along with the government's legal justification for
the surveillance. The investigations, he says, involved ordinary crimes such
as bank robbery and drug trafficking, not ``state secrets.'' Most had long
since ended.

A senior judge halted the effort with a one-paragraph order that offered no
explanation for the decision and that itself was sealed.

She released this summary of all the Federal Pen Register/Trap and Trace
requests in 2012. As she pointed out on Twitter, the greatest number of
requests don't come from FBI. They come from the USMS, which submitted
almost half of all requests that year, with 9,132.

Then, the ACLU revealed that, just before an appointment to view Sarasota,
Florida's requests under the Pen Register authority to use Stingray IMSI
catchers to identify cell locations, the US Marshals declared control over
the records, claiming they had deputized the local cop who had made the
requests. [...]


Date: Thursday, June 5, 2014
From: *Monty Solomon* <monty () roscom com>
Subject: Google Offers New Encryption Tool

Nicole Perlroth, *The New York Times*, 3 Jun 2014

The National Security Agency's snooping is about to get more difficult.

Google on Tuesday released the source code for a new extension to its Chrome
browser that will make it a lot easier for users to encrypt their email.

The tool, called End-to-End, uses an open-source encryption standard,
OpenPGP, that will allow users to encrypt their email from the time it
leaves their web browser until it is decrypted by the intended recipient. It
will also allow users to easily read encrypted messages sent to their web
mail service. The tool will require that users and their recipients use
End-to-End or another encryption tool to send and read the contents.

This could be a major blow to the NSA.  Despite numerous cryptographic
advances over the past 20 years, end-to-end email encryption like PGP and
GnuPG is still remarkably labor-intensive and requires a great deal of
technical expertise. User mistakes -- not errors in the actual cryptography --
often benefited the NSA in its decade-long effort to foil encryption. ...





Date: Mon, 09 Jun 2014 09:39:06 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Redmond is patching Windows 8 but NOT Windows 7, say security bods"

Darren Pauli, *The Register*, 6 Jun 2014
New tool checks differences, could lead to 0-day bonanza


Date: Mon, 9 Jun 2014 01:34:16 +0000
From: Harry Hochheiser <harry () alum mit edu>
Subject: EPIC reports Google to advertise on Nest thermostat, etc.

Although the invasiveness of the advertising is the obvious first concern, a
bigger problem would seem to lie in the implications of the data that might
be collected. Will Google be able to infer -- and sell to advertisers --
details about household habits? Who's been at home when, and what have they
eaten?  Can we really believe that no information would leak from these
gadgets back to Google's data centers?  [HH]

EPIC Alert, Volume 21.10, 30 May 2014 <http://www.epic.org>
Google Plans Advertising on Appliances, Including Nest Thermostat

In a letter to the US Securities and Exchange Commission, Google announced
plans to place targeted ads on Google-controlled appliances.  "A few years
from now, we and other companies could be serving ads and other content on
refrigerators, car dashboards, thermostats, glasses, and watches, to name
just a few possibilities," Google wrote. The proposal raises significant
privacy concerns for the "Internet of Things." Earlier in 2014, EPIC warned
the FTC about Google's acquisition of Nest Labs, maker of a smart
thermostat, stating, "Google regularly collapses the privacy policies of the
companies it acquires."  Nevertheless, the Commission approved Google's
acquisition without further review.

 [Lots of URLs included in the EPIC Alert, truncated for RISKS.  PGN]


Date: Sat, 7 Jun 2014 01:15:33 -0700
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: FBI informant's role in cyberattacks by AntiSec

Daily Dot and Motherboard have come out with reporting based on access to
sealed documents from the Monsegur trial.  Daily Dot focuses on the domestic
Stratfor hack, while Motherboard focuses on the international hacks, mainly


Monsegur was complimented for his "extraordinary cooperation" with the FBI.
Indeed, the word 'extraordinary' appears an extraordinary number of times in
his sentencing transcript:


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 28.01
