Risks Digest 28.65


RISKS List Owner

May 26, 2015, 7:24:18 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Tuesday 25 May 2015 Volume 28 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.65.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
The atrocious security of Trident nuclear subs (Henry Baker)
Amtrak, After Derailment, Told to Expand Automatic Brake Use (NYTimes
via Monty Solomon)
A world ripe for the picking / Diploma mill edition (NYTimes via
Bob Frankston)
Fake Diplomas, Real Cash: Pakistani Company Axact Reaps Millions (more)
Axact, Fake Diploma Company, Threatens Pakistani Bloggers Who Laugh
at Its Expense (more)
Text of Axact's Response to The New York Times (more)
Net Neutrality (Melissa Silmore via Dewayne Hendricks)
John Deere: of course you "own" your tractor, but only if you agree to let
... (Gabe Goldberg)
Inside Google's Secret War Against Ad Fraud (Adage)
Risks of online test taking (Jeremy Epstein)
Secret files reveal police feared that Trekkies could turn on society
(Elizabeth Roberts via Henry Baker)
HTTPS-crippling attack threatens tens of thousands of Web and mail servers
(Ars Technica)
Paranoid defence controls could criminalise teaching encryption
(The Conversation)
US proposes tighter export rules for computer security tools
(Jeremy Kirk via Richard Forno)
Africa's Worst New Internet Censorship Law Could be Coming to S.A. (EFF)
"The Venom vulnerability: Little details bite back" (Paul Venezia)
Only 3% of people aced Intel's phishing quiz (Jeff Jedras)
URL-spoofing bug in Safari could enable phishing attacks (Lucian Constantin)
New LogJam encryption flaw puts Web surfers at risk" (Jeremy Kirk)
Critical vulnerability in NetUSB driver exposes millions of routers
to hacking (Lucian Constantin)
The Body Cam Hacker Who Schooled the Police (Medium)
Cybersecurity letter to the President 19-May-2015 (John Denker)
Is security really stuck in the Dark Ages? (Network World)
Adult dating site hack exposes millions of users (Geoff White via
Henry Baker)
Man tries to report Starbucks vulnerability, is accused of fraud
(Sakurity)
A Russian Smartphone Has to Overcome Rivals and Jokes About Its Origin
(NYTimes)
Some People Do More Than Text While Driving (NYTimes)
Re: Drug database: third-party doctrine (Harlan Rosenthal)
Re: All cars must have tracking devices (Chris Drewe)
Re: Banned Researcher Commandeered a Plane (Erling Kristiansen)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 18 May 2015 05:18:07 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: The atrocious security of Trident nuclear subs

While the TSA fondly fondles all of us prior to getting on a commercial
airplane flight, the security of a British Trident nuclear submarine is less
than that of a posh nightclub!

"It's harder to get into most nightclubs than it is to get into the Green
Area. There's still the pin code system to get through the gate! Oh wait,
No there's not, it's broke, and anyone standing there that has thrown their
security pass in or *not*, will get buzzed through. If you have a Green
area pass or any old green card you can just show it to them from about 3
metres away (if the boat's on the first berths; if not 1 metre) then get
Buzzed Through!!"

"Missile Compartment 4 deck turns into a gym. There are people sweating
their asses of [sic] between the missiles, people rowing between a blanket
of s**t because the sewage system is defective, sometimes the s**t sprays
onto the fwd starboard missile tubes and there's also a lot of rubbish
stored near the missile tubes."

"There were a few incidents of people in the gym dropping weights near the
nuclear weapon's firing units. I heard one person joke about how he
accidentally throw a weight and it nearly hit a missiles firing unit."

"I sent this report on the 05/05/15 to every major newspaper, freelance
journalists, and whistle-blower I could find. It is now the 12/05/15. I've
had one email reply;"

http://www.theguardian.com/uk-news/2015/may/18/navy-whistleblower-on-run-alleged-trident-safety-failings

ALSO:

Navy whistleblower on the run after exposing alleged Trident safety failings

MoD launches investigation into claims of Able Seaman William McNeilly, who
says he will hand himself into police.

Josh Halliday

Monday 18 May 2015 09.18 BST Last modified on Monday 18 May 2015 12.15 BST

A Royal Navy submariner who blew the whistle on a catalogue of alleged
security failings around the Trident nuclear programme has said he will hand
himself in to police.

http://cryptome.org/2015/05/william-mcneilly.pdf

Able Seaman William McNeilly, 25, a newly qualified engineer, claimed that
Britain's nuclear deterrent was a ``disaster waiting to happen'' in a report
detailing 30 alleged safety and security breaches, including a collision
between HMS Vanguard and a French submarine during which a senior officer
thought: ``We're all going to die.''

McNeilly wrote that a chronic manpower shortage meant that it was ``a matter
of time before we're infiltrated by a psychopath or a terrorist; with this
amount of people getting pushed through.''

The police and Royal Navy launched a hunt for the whistleblower after he
failed to report back for work last week at the Faslane submarine base on the
Clyde. But on Monday morning McNeilly said he would hand himself over to the
authorities despite facing a possible prosecution under the Official Secrets
Act 1989.

Speaking to the BBC, he said: ``I'm not hiding from arrest; I will be back
in the UK in the next few days and I will hand myself in to the police.
Prison -- such a nice reward for sacrificing everything to warn the public
and government. Unfortunately that's the world we live in. I know it's a
lot to sacrifice and it is a hard road to walk down, but other people need
to start coming forward.''

In the 19-page report, titled The Secret Nuclear Threat, published online
alongside a picture of his UK passport and Royal Navy identity card,
McNeilly said he wanted ``to break down the false images of a perfect
system that most people envisage exists.''

He described bags going unchecked and said it was ``harder getting into
most nightclubs'' than into control rooms, with broken pin code systems
and guards failing to check passes. ``All it takes is someone to bring a
bomb on board to commit the worst terrorist attack the UK and the world has
ever seen,'' he wrote.

McNeilly, who said he was on patrol with HMS Victorious from January to
April, accused Royal Navy bosses of covering up a collision between HMS
Vanguard and a French submarine in the Atlantic Ocean in February 2009.

At the time Ministry of Defence officials played down the incident and said
the Vanguard had suffered only `scrapes'. But McNeilly said a Royal
Navy chief who was on board at the time told him afterwards: ``We thought,
this is it -- we're all going to die.''

The more senior submariner allegedly told McNeilly that the French vessel
``took a massive chunk out of the front of HMS Vanguard'' and grazed the
side of the boat. Bottles of high-pressured air came loose in the
collision, he claimed, meaning the Royal Navy submarine had to return slowly
to Faslane to prevent them from exploding.

He also raised concerns about a number of his fellow seamen, including one
whose hobbies he claimed were killing small animals and watching extreme
pornography. Another submariner, whom he named only as Pole, had threatened
to kill two fellow navy personnel and was routinely aggressive, McNeilly
claimed.

He described how HMS Vanguard's missile compartment doubled up as a gym,
leading to potentially disastrous mishaps when seamen dropped weights near
the boat's missile firing system.

McNeilly said he raised these and other concerns through the chain of
command on multiple occasions, but that ``not once did someone even
attempt to make a change.'' [Long item truncated for RISKS. PGN]

------------------------------

Date: Sat, 16 May 2015 17:10:28 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Amtrak, After Derailment, Told to Expand Automatic Brake Use

The Federal Railroad Administration said it had ordered the railroad to make
more use of technology that can automatically stop speeding trains.

http://www.nytimes.com/2015/05/17/us/federal-railroad-administration-orders-amtrak-to-expand-automatic-braking.html

------------------------------

Date: 18 May 2015 09:52:13 -0400
From: "Bob Frankston" <bob19...@bobf.frankston.com>
Subject: A world ripe for the picking / Diploma mill edition

http://www.nytimes.com/2015/05/18/world/asia/fake-diplomas-real-cash-pakistani-company-axact-reaps-millions-columbiana-barkley.html

Leveraging the use of unvetted sources for vetting. After all, if we can't
trust LinkedIn, what can we trust? And now that the topology of social
relationships doesn't correspond to the topology of legal obligations, the
world is ripe for the picking.

------------------------------

Date: Sun, 17 May 2015 22:05:55 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Fake Diplomas, Real Cash: Pakistani Company Axact Reaps Millions

[More on Frankston's item follows. PGN]

Seen from the Internet, it is a vast education empire: hundreds of
universities and high schools, with elegant names and smiling professors at
sun-dappled American campuses.

Their websites, glossy and assured, offer online degrees in dozens of
disciplines, like nursing and civil engineering. There are glowing
endorsements on the CNN iReport website, enthusiastic video testimonials,
and State Department authentication certificates bearing the signature of
Secretary of State John Kerry.

http://www.nytimes.com/2015/05/18/world/asia/fake-diplomas-real-cash-pakistani-company-axact-reaps-millions-columbiana-barkley.html

Below is a partial list of sites analyzed by The New York Times and
determined most likely to be linked to Axact's operation in Karachi,
Pakistan.

http://www.nytimes.com/2015/05/17/world/asia/tracking-axacts-websites.html

------------------------------

Date: Tue, 19 May 2015 04:44:24 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Axact, Fake Diploma Company, Threatens Pakistani Bloggers Who Laugh
at Its Expense

The Pakistani company Axact threatened to sue a local blog, Pak Tea House,
merely for rounding up Twitter reaction to an exposé.

http://www.nytimes.com/2015/05/19/world/asia/axact-fake-diploma-company-threatens-pakistani-bloggers-who-laugh-at-its-expense.html

------------------------------

Date: Tue, 19 May 2015 09:48:32 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Text of Axact's Response to The New York Times

Text of Axact's Response to *The New York Times*
http://www.nytimes.com/2015/05/19/world/asia/text-of-axact-response-to-the-new-york-times.html

The Pakistani company Axact condemned a New York Times article that asserted
the company had reaped millions by selling fake diplomas.

------------------------------

Date: May 19, 2015 5:58 AM
From: "Hendricks Dewayne" <dew...@warpspeed.com>
Subject: Net Neutrality (Melissa Silmore)

[Note: This item comes from Dave Farber's IP List. DLH]

Melissa Silmore, Net Neutrality, May 2015 Issue
http://www.carnegiemellontoday.com/issues/may-2015-issue/feature-stories/net-neutrality/

Douglas Sicker was relaxing at home in Boulder, Colo., late on a summer
evening. It had been a busy day, and he was happy to settle down to watch
some HBO, ready for a few laughs. The computer science professor had led a
meeting of network engineers earlier in the day, followed by drinks with
the group. Afterwards, while the out-of-towners returned to their hotels,
he headed home.

On his screen, a clean-cut British comedian sat smiling, hands clasped atop
his desk, wearing a crisp blue shirt, burgundy tie, and sport coat. The
segment began unassumingly but quickly gathered steam; a 13-minute hilarious
and blistering rant, punctuated by photos, graphs, and laughter. On that
first Sunday in June 2014, John Oliver, host of HBO's Last Week Tonight,
managed the impossible. He transformed a technical, eye-glazing debate into
a pop-culture topic.

Net neutrality, Oliver began, ``two words that promise -- boredom,'' he said
while a stupefyingly monotonous CSPAN hearing played above his head. ``The
cable companies have figured out the great truth of America. If you want to
do something evil, put it inside something boring.''

``Net neutrality essentially means that all data has to be treated equally,''
Oliver went on, as the show played a news clip announcing that the Federal
Communications Commission (FCC) was opening the door for a two-tiered
system where giant internet service providers (ISPs), such as Comcast and
Verizon, could charge to send content more quickly. It would allow ``big
companies to buy their way into the fast lane, leaving everyone else in the
slow lane,'' he asserted.

As Oliver continued his witty entreaty for net neutrality, Sicker's ears
perked up. The FCC's Chief Technology Officer in 2010-11, and previously
senior advisor on the FCC's 2010 National Broadband Plan, was more than
mildly interested.

Amid the one-liners, Oliver displayed a line graph of Netflix's download
speeds falling during a very public spat with Comcast, then pointed out the
rapid improvement when terms were settled. ``That has all the ingredients of
a mob shakedown,'' he declared.

Ranting on about the cozy relationship the cable industry enjoys with
government, Oliver homed in on President Barack Obama's appointment of FCC
Chair Tom Wheeler. ``The guy who used to run the cable industry's lobbying
arm is now running the agency tasked with its regulation. That's the
equivalent of needing a babysitter and hiring a dingo!'' he exclaimed, below
a photo of a wolf-like creature leering over a baby. He even pictured
Comcast's chief executive officer in a metal top hat and car -- pointedly
perched on a Monopoly game board.

The pinnacle of the bit came at the end. With ceremonial music rising in the
background, Oliver stood and addressed the hordes of internet commenters, as
the web address for the FCC site loomed large onscreen. ``Good evening,
monsters,'' he exhorted, ``we need you to get out there and focus your
indiscriminate rage in a useful direction. ... Turn on caps lock and fly my
pretties. Fly! Fly!'' he screamed, as the credits began to roll.

Sicker was just one of a million viewers tuned in that evening (YouTube
views are now nearly 9 million) as were many of Sicker's colleagues from
the telecom sector. ``The next day, everyone was sharing links to that
clip,'' he recalls. ``People could not stop talking about it.''

That same day, the FCC comment site shut down, evidently flooded. Comments
eventually reached nearly 4 million. Those 13 minutes of razor-tongued
entertainment had galvanized the public to a new issue that has, in
reality, been under debate for more than a decade. [...]

------------------------------

Date: Tue, 19 May 2015 15:32:20 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: John Deere: of course you "own" your tractor, but only if you agree
to let ...

http://boingboing.net/2015/05/13/john-deere-of-course-you-ow.html

Gabriel Goldberg, Computers and Publishing, Inc. ga...@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

------------------------------

Date: Tue, 19 May 2015 12:30:19 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Inside Google's Secret War Against Ad Fraud (Adage)

http://adage.com/article/digital/inside-google-s-secret-war-ad-fraud/298652/

"Sasha is a member of Google's secretive antifraud team. The unit,
numbering more than 100, is locked in a war against an unknown quantity of
cybercriminals who are actively siphoning billions of dollars out of the
digital advertising industry, primarily via the creation of robotic
traffic that appears human. Mysterious to many even within Google, the
group has never spoken to an outsider about the way it hunts botnets, let
alone allowed someone into its offices to observe the process. But that
silence ended the moment Sasha opened his computer."

That's "Secret" ...

------------------------------

Date: Thu, 21 May 2015 08:01:26 +0300
From: Jeremy Epstein <jeremy.j...@gmail.com>
Subject: Risks of online test taking

Following is an excerpt from an e-mail I received from Fairfax County Public
Schools (Fairfax VA, near Washington DC). Relying on internet connectivity
without a backup plan, for a high stakes test - what could possibly go
wrong? [Standards of Learning are a set of state-wide standardized tests
taken by all elementary, middle school, and high school students.]

-----

[May 19] at approximately 12:30 p.m., Pearson Education, Inc., the company
which provides the computer delivery system for Virginia's online
Standards of Learning (SOL) tests, experienced an interruption in Internet
connectivity. The 90-minute service interruption today affected FCPS test
sites along with other school divisions throughout Virginia.

Students who had already begun testing before the interruption of Internet
service were not impacted. However, some students were unable to log on
to the system to take scheduled SOL tests and other students received
error messages when they tried to log off after completing tests. As a
result, some students had to wait in the test environment after they
completed their tests until connectivity was restored and they were able
to submit the tests.

The FCPS Office of Student Testing is working with schools to ensure that
all tests were submitted properly following the interruption. At this
time, we do not anticipate that any student responses on tests that were
submitted were lost.

In some cases, students started tests but, due to the interruption, were
unable to finish before the end of the school day; tests for these
students will need to be rescheduled. Some schools may have canceled SOL
testing because of the interruption and will notify students and families
when today's SOL tests will be rescheduled.

------------------------------

Date: Thu, 21 May 2015 06:55:51 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Secret files reveal police feared that Trekkies could turn on
society (Elizabeth Roberts)

FYI -- I had to check the date on this article several times to convince
myself it wasn't April 1st. Beware Terrorist Trekkies!!!
No wonder TSA keeps checking my ears...

Elizabeth Roberts, *The Telegraph*, 17 May 2015
http://www.telegraph.co.uk/news/uknews/11611086/Secret-files-reveal-police-feared-that-Trekkies-could-turn-on-society.html

Scotland Yard kept a secret dossier on Star Trek and the X-Files in the run
up to the millennium amid security concerns about Trekkies at a convention. For
years Star Trek fans -- known as Trekkies -- have been the butt of jokes
about their penchant for wearing pointy ears and attending science fiction
conventions. But the police feared British fans of the cult American show
might boldly go a little too far one day.

It has emerged that Scotland Yard kept a secret dossier on Star Trek, The
X-Files, and other US sci fi shows amid fears that British fans would go mad
and kill themselves, turn against society or start a weird cult.
The American TV shows Roswell and Dark Skies and the film The Lawnmower Man
were also monitored to protect the country from rioting and cyber attacks.
Special Branch was concerned that people hooked on such material could go
into a frenzy triggered by the millennium leading to anarchy.

An undated confidential report to the Metropolitan Police, thought to have
been filed around 1998-99, listed concerns about conspiracy theorists who
believed the end of the world was nigh.

``Fuel is added to the fire by television dramas and feature films mostly
produced in America. These draw together the various strands of religion,
UFOs, conspiracies, and mystic events and put them in an entertaining
storyline.''

The report added: "Obviously this is not sinister in itself, what is of
concern is the devotion certain groups and individuals ascribe to the
contents of these programmes."

The dossier -- called UFO New Religious Movements and the Millennium -- was
drawn up in response to the 1997 mass suicide by 39 cultists in San Diego
known as Heaven's Gate. The group members were "ardent followers of The
X-Files and Star Trek" according to Special Branch. [...]

------------------------------

Date: Tue, 19 May 2015 23:11:18 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: HTTPS-crippling attack threatens tens of thousands of Web and mail
servers (Ars via NNSquad)

http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/

The vulnerability affects an estimated 8.4 percent of the top one million
websites and a slightly bigger percentage of mail servers populating the
IPv4 address space, the researchers said. The threat stems from a flaw in
the transport layer security protocol that websites and mail servers use
to establish encrypted connections with end-users. The new attack, which
its creators have dubbed Logjam, can be exploited against a subset of
servers that support the widely used Diffie-Hellman key exchange, which
allows two parties that have never met before to negotiate a secret key
even though they're communicating over an unsecured, public channel.

------------------------------

Date: Wed, 20 May 2015 07:56:15 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Paranoid defence controls could criminalise teaching encryption
(via NNSquad)

http://theconversation.com/paranoid-defence-controls-could-criminalise-teaching-encryption-41238

You might not think that an academic computer science course could be
classified as an export of military technology. But under the Defence
Trade Controls Act - which passed into law in April, and will come into
force next year - there is a real possibility that even seemingly
innocuous educational and research activities could fall foul of
Australian defence export control laws.

------------------------------

Date: May 21, 2015 12:00 PM
From: "Richard Forno" <rfo...@infowarrior.org>
Subject: US proposes tighter export rules for computer security tools
(Jeremy Kirk)

Jeremy Kirk, IT World, 20 May 2015 (link to the proposal is in the article.)
http://www.itworld.com/article/2925375/security/us-proposes-tighter-export-rules-for-computer-security-tools.html

The U.S. Commerce Department has proposed tighter export rules for computer
security tools, a potentially controversial revision to an international
agreement aimed at controlling weapons technology.

On Wednesday, the department published a proposal in the Federal Register
and opened a two-month comment period.

The changes are proposed to the Wassenaar Arrangement, an international
agreement reached in 1995, aimed at limiting the spread of ``dual use''
technologies that could be used for harm.

Forty-one countries participate in the Wassenaar Arrangement, and lists of
controlled items are revised annually.

The Commerce Department's Bureau of Industry and Security (BIS) is
proposing requiring a license in order to export certain cybersecurity
tools used for penetrating systems and analyzing network communications.

If asked by the BIS, those applying for a license ``must include a copy of
the sections of source code and other software (e.g., libraries and header
files) that implement or invoke the controlled cybersecurity functionality.''

Items destined for export to government users in Australia, Canada, New
Zealand or the U.K. -- the so-called ``Five Eyes'' nations which the U.S.
belongs to -- would be subject to looser restrictions. Those nations'
intelligence agencies collaborate closely.

The proposal would modify rules added to the Wassenaar Arrangement in 2013
that limit the export of technologies related to intrusion and traffic
inspection.

The definition of intrusion software would also encompass ``proprietary
research on the vulnerabilities and exploitation of computers and
network-capable devices,'' the proposal said.

Tools that would not be considered intrusion software include hypervisors,
debuggers and ones used for reverse engineering software.

There has long been concern that software tools in the wrong hands could
cause harm. But security professionals who conduct security tests of
organizations often employ the same software tools as those used by
attackers.

Thomas Rid, a professor in the Department of War Studies at King's College
London, wrote on Twitter that the proposed export regulations ``seem too
broad; could even damage cybersecurity.''

Many private computer security companies sell information on software
vulnerabilities for commercial purposes, a practice that has been
criticized.

Those companies have defended their sales models, arguing that without a
financial incentive, the software vulnerabilities may not have been found,
which ultimately protects users. Many have policies that forbid selling
sensitive information to unvetted parties.

The proposal said there is a ``policy of presumptive denial for items that
have or support rootkit or zero-day exploit capabilities.''

Rootkits are hard-to-detect programs used for electronically spying on a
computer, and a zero-day exploit is attack code that can take advantage of
a software flaw.

Changes to the list of controlled items covered by the Wassenaar Agreement
are decided by consensus at its annual plenary meeting in December.

[It's better to burn out than fade away.]

------------------------------

Date: Thu, 21 May 2015 10:33:51 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Africa's Worst New Internet Censorship Law Could be Coming to
South Africa (EFF)

https://www.eff.org/deeplinks/2015/05/africas-worst-new-internet-censorship-law-could-be-coming-south-africa

Only once in a while does an Internet censorship law or regulation come
along that is so audacious in its scope, so misguided in its premises, and
so poorly thought out in its execution, that you have to check your
calendar to make sure April 1 hasn't come around again. The Draft Online
Regulation Policy recently issued by the Film and Publication Board (FPB)
of South Africa is such a regulation. It's as if the fabled prude
Mrs. Grundy had been brought forward from the 18th century, stumbled
across hustler.com on her first excursion online, and promptly cobbled
together a law to shut the Internet down. Yes, it's that bad.

------------------------------

Date: Fri, 22 May 2015 10:23:50 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "The Venom vulnerability: Little details bite back" (Paul Venezia)

http://www.infoworld.com/article/2922315/virtualization/venom-security-vulnerability-little-details-bite-back.html
Paul Venezia, The Deep End, InfoWorld, 18 May 2015
Bad attacks rarely come through the front door -- instead, the old
cracks let in the problems

selected text:

It's fittingly ironic that a vulnerability of this nature is vectored
through such an innocuous and fossilized function as a virtual floppy disk
driver; it's even more ironic that the bug in that code has existed since
2004.

------------------------------

Date: Fri, 22 May 2015 10:25:24 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: Only 3% of people aced Intel's phishing quiz (Jeff Jedras)

Jeff Jedras, IT Business, 15 May 2015
http://www.itbusiness.ca/news/only-three-per-cent-of-people-aced-intels-phishing-quiz/55685

opening text:

We probably think we're pretty savvy when it comes to identifying online
attacks and phishing emails, Intel Security put us to the test and found us
lacking: 97 per cent of respondents were unable to identify all the examples
of phishing in their email security quiz.

------------------------------

Date: Fri, 22 May 2015 10:27:58 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "URL-spoofing bug in Safari could enable phishing attacks"
(Lucian Constantin)

Lucian Constantin, InfoWorld, 19 May 2015
Researcher develops code that can trick Safari into showing a
different URL in its address bar than the one currently loaded
http://www.infoworld.com/article/2923879/security/urlspoofing-bug-in-safari-could-enable-phishing-attacks.html

selected text:

The latest versions of Safari for Mac OS X and iOS are vulnerable to a
URL-spoofing exploit that could allow hackers to launch credible phishing
attacks.

The issue was discovered by security researcher David Leo, who published a
proof-of-concept exploit for it. Leo's demonstration consists of a Web page
hosted on his domain that, when opened in Safari, causes the browser to
display dailymail.co.uk in the address bar.

The ability to control the URL shown by the browser can, for example, be
used to easily convince users that they are on a bank's website when they
are actually on a phishing page designed to steal their financial
information.

------------------------------

Date: Fri, 22 May 2015 10:34:04 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "New LogJam encryption flaw puts Web surfers at risk" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 20 May 2015
http://www.infoworld.com/article/2924732/security/new-logjam-encryption-flaw-puts-web-surfers-at-risk.html
LogJam is closely related to the FREAK security vulnerability and
involves downgrading TLS connections to a weak key

selected text:

The flaw, called LogJam, can allow an attacker to significantly weaken the
encrypted connection between a user and a Web or email server, said Matthew
D. Green, an assistant research professor in the department of computer
science at Johns Hopkins University.
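
The Diffie-Hellman exchange described in the Ars Technica item above, and the
"downgrading TLS connections to a weak key" that this Kirk item summarizes, as
an added illustration that is not code from either article or from the Logjam
researchers: both parties derive the same secret from values sent over the
public channel, the check that a client or server would apply to refuse an
undersized group is shown, and the tiny constructed group (p=23, g=5) makes
visible what "weak key" means, since anyone who saw the exchange can recover
the secret by exhausting the handful of possible exponents. The 2048-bit
minimum is an assumed policy value for this example.

```python
"""Toy finite-field Diffie-Hellman plus the group-size check that is the
Logjam defence.  Added example; not the articles' or the researchers' code.
The p=23, g=5 group is constructed for illustration and would never be
accepted in practice."""
import secrets

# Assumed policy for this example: refuse DH groups smaller than 2048 bits.
# Logjam's practical attack targeted 512-bit "export" groups.
MIN_DH_BITS = 2048


def check_dh_group(p: int, g: int, min_bits: int = MIN_DH_BITS) -> str:
    """Return 'ok' or the reason the offered group must be refused.

    Size is the Logjam-relevant property.  Primality and safe-prime checks
    are deliberately out of scope for this illustration."""
    if p.bit_length() < min_bits:
        return f"group too small: {p.bit_length()} bits < {min_bits}"
    if p % 2 == 0:
        return "modulus is even"
    if not 2 <= g <= p - 2:
        return "generator out of range"
    return "ok"


def dh_keypair(p: int, g: int) -> tuple[int, int]:
    """Private exponent in [2, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(p: int, peer_public: int, own_private: int) -> int:
    return pow(peer_public, own_private, p)


def run_exchange(p: int, g: int) -> dict:
    """Both sides of the exchange.  'observed' is everything that crossed
    the public channel; 'alice' and 'bob' are the secrets each derived."""
    a, a_pub = dh_keypair(p, g)
    b, b_pub = dh_keypair(p, g)
    return {
        "observed": (p, g, a_pub, b_pub),
        "alice": dh_shared(p, b_pub, a),
        "bob": dh_shared(p, a_pub, b),
    }


def recover_secret_by_exhaustion(p: int, g: int, a_pub: int, b_pub: int):
    """What a weak group buys an eavesdropper: with only p-1 possible
    exponents the discrete log of a_pub is found by trying them all, and
    the shared secret follows.  Feasible here only because p is tiny; for
    512-bit groups Logjam reaches the same outcome through precomputation,
    which is why the size check above exists."""
    for x in range(1, p):
        if pow(g, x, p) == a_pub:
            return pow(b_pub, x, p)
    return None


if __name__ == "__main__":
    p, g = 23, 5  # constructed toy group
    print("policy:", check_dh_group(p, g))
    result = run_exchange(p, g)
    print("alice == bob:", result["alice"] == result["bob"])
    print("eavesdropper recovers:",
          recover_secret_by_exhaustion(*result["observed"]) == result["alice"])
```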

------------------------------

Date: Fri, 22 May 2015 10:37:31 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Critical vulnerability in NetUSB driver exposes millions of
routers to hacking" (Lucian Constantin)

Lucian Constantin, InfoWorld, 20 May 2015
Tens of routers and other embedded devices from various manufacturers
likely have the flaw, security researchers say
http://www.infoworld.com/article/2924187/security/critical-vulnerability-in-netusb-driver-exposes-millions-of-routers-to-hacking.html

------------------------------

Date: Fri, 22 May 2015 10:57:42 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: The Body Cam Hacker Who Schooled the Police (Medium)

https://medium.com/backchannel/the-body-cam-hacker-who-schooled-the-police-c046ff7f6f13

Policies about where and when to turn cameras on, language to warn people
who are being filmed, and limits on using the footage in investigations
can address some of these concerns. But liberal public disclosure laws
like Washington's leave a gaping loophole. How can police departments
release videos to an eager public without invading the privacy of victims,
patients and bystanders on some of the worst days of their lives?

------------------------------

Date: May 20, 2015 at 12:29:54 AM EDT
From: John Denker <j...@av8n.com>
Subject: Cybersecurity letter to the President 19-May-2015 (via Dave Farber)

[To:]
President Barack Obama
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

[...] We urge you to reject any proposal that U.S. companies deliberately
weaken the security of their products. We request that the White House
instead focus on developing policies that will promote rather than undermine
the wide adoption of strong encryption technology. Such policies will in
turn help to promote and protect cybersecurity, economic growth, and human
rights, both here and abroad.

[snip]

[approximately 150 signatories, including security experts and tech companies]

Full text at:
https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf
http://cdn.arstechnica.net/wp-content/uploads/2015/05/cryptoletter.pdf

Lots of news media have picked up on this, but distressingly few link to the
actual letter. Maybe I'm old-fashioned, but I think primary sources are
important.

[Also noted by Lauren Weinstein,
https://docs.google.com/document/d/1mX98l2Y05t_pV_gu_o_h4WezVajAXkca0NtZ7V9dQ_U/edit?hl=en&forcehl=1
who added, ``Not that it will likely make any difference in the final
analysis regardless of who is President or in Congress, but hope springs
eternal.'' PGN]

------------------------------

Date: Fri, 22 May 2015 21:27:06 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Is security really stuck in the Dark Ages? (Network World)

http://www.networkworld.com/article/2925171/security0/is-security-really-stuck-in-the-dark-ages.html

It had to be a bit of a jolt for more than 500 exhibitors and thousands of
attendees at RSA Conference 2015 last month, all pushing, promoting and
inspecting the latest and greatest in digital security technology: The
theme of RSA President Amit Yoran's opening keynote was that they are all
stuck in the Dark Ages. [via NNSquad]

------------------------------

Date: Sat, 23 May 2015 07:37:36 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Adult dating site hack exposes millions of users

Why should the FBI (Martin Luther King), the CIA (numerous Muslims) and the
NSA (LOVINT) have all the fun? Now we can all be extorted by non-govt
criminals, too. The honeyplot thickens...

Best LOL line of the article: "These sites are meant to be secure"

Geoff White, Channel4, 21 May 2015
http://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web

Hackers have struck one of the world's largest internet dating websites,
leaking the highly sensitive sexual information of almost four million users
onto the web. The stolen data reveals the sexual preferences of users,
whether they're gay or straight, and even indicates which ones might be
seeking extramarital affairs. In addition, the hackers have revealed email
addresses, usernames, dates of birth, postal codes and unique internet
addresses of users' computers.

Channel 4 News has been investigating the cyber underworld, discovering
which websites have been hacked and exposing the trade in personal
information of millions of people through so-called "dark web" sites.

Secretive forum

The investigation led to a secretive forum in which a hacker nicknamed
ROR[RG] posted the details of users of Adult FriendFinder. The site boasts
63 million users worldwide and claims more than 7 million British members.
It bills itself as a "thriving sex community", and as a result users often
share sensitive sexual information when they sign up.

The information of 3.9m Adult FriendFinder members has been leaked,
including those who told the site to delete their accounts.

Shaun Harper is one of those whose details have been published. "The site
seemed OK, but when I got into it I realised it wasn't really for me, I was
looking for something longer term. But by that time I'd already given my
information. You couldn't get into the site without handing over
information.

"I deleted my account, so I thought the information had gone. These sites
are meant to be secure."

[Long item truncated for RISKS. PGN]

------------------------------

Date: Sat, 23 May 2015 07:52:40 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Man tries to report Starbucks vulnerability, is accused of fraud

"The hardest part - responsible disclosure. Support guy honestly answered
there's absolutely no way to get in touch with technical department and he's
sorry I feel this way. Emailing InformationSe...@starbucks.com on
March 23 was futile (and it only was answered on Apr 29). After trying
really hard to find anyone who cares, I managed to get this bug fixed in
like 10 days." -- Egor Homakov [Sakurity via NNSquad]
http://sakurity.com/blog/2015/05/21/starbucks.html

------------------------------

Date: Sun, 17 May 2015 09:03:22 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: A Russian Smartphone Has to Overcome Rivals and Jokes About Its Origin

Few people looking to buy a state-of-the-art smartphone would even think
about a Russian model, but the makers of the YotaPhone aspire to change
that.

http://www.nytimes.com/2015/05/17/world/europe/a-russian-smartphone-has-to-overcome-rivals-and-jokes-about-origin.html

------------------------------

Date: Tue, 19 May 2015 09:41:16 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Some People Do More Than Text While Driving

Texting while driving has company. Some people are also using social media
services, taking selfies, and even making videos while they are behind the
wheel.

http://bits.blogs.nytimes.com/2015/05/19/some-people-do-more-than-text-while-driving/

------------------------------

Date: Sun, 17 May 2015 20:06:43 -0400
From: Harlan Rosenthal <Harlan.R...@verizon.net>
Subject: Re: Drug database: third-party doctrine (RISKS-28.64)

Maybe I'm too much of a programmer, but the word "voluntary" should mean
something. Most of the information we turn over today is NOT voluntary.
You can't get a prescription without revealing it to the pharmacist; the
pharmacist can't give it to you without revealing it to the state and
insurance databases; and all of this is required by law. The change in
accessibility over the years is a clear example of a difference of degree
becoming a difference of kind.

------------------------------

Date: Sun, 17 May 2015 22:45:38 +0100
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: Re: All cars must have tracking devices (RISKS-28.63,64)

If level-crossing gates block the full width of the road then there's the
risk of vehicles being trapped as they close; if they only take half of the
road then they provide a better warning than just flashing lights, but
impatient drivers can zig-zag round them.

The *REAL* fundamental problem is that trains traveling at 120mph
(~200km/hr) or more can take several minutes/miles to stop -- which vehicle
drivers don't always seem to appreciate -- and ensuring that a train has
time to stop if the crossing is not clear would mean halting the traffic for
quite a while, thus increasing the risk of impatient drivers attempting to
cross anyway.

As I understand it, crashes or near-misses often happen on busy roads when a
line of slow-moving or stopped vehicles backs up across a level-crossing.
So the moral is -- always be sure that there's enough empty road on the
other side of the crossing for your vehicle before you drive onto it.

------------------------------

Date: Fri, 22 May 2015 21:14:56 +0200
From: Erling Kristiansen <erling.kr...@xs4all.nl>
Subject: Re: Banned Researcher Commandeered a Plane

Most publicity on this subject seems to focus on the specific hack and its
perpetrator, condemning his action. This diverts attention away from the
much more serious underlying problem: A hacker, using simple tools and a
trivial intrusion into a network box, succeeded in breaching the isolation
between the passenger network and a highly safety critical technical network
of the aircraft. This raises serious concerns about the overall network
design of the aircraft.

And more problems may be coming: Today, passenger and safety air/ground
communications are pretty well isolated from each other because they use
separate radio links and different technologies that do not readily mix.
But one plausible future development option is a move towards integrating
everything into a single air/ground link, all using IP technology. So,
effectively, the closed aeronautical safety critical networks will come
together physically with the Internet in this link, being separated only
logically by routers, firewalls and the like. Just one compromised router
somewhere in the world could make the safety critical networks, on-board as
well as on the ground, reachable from the Internet. Physical isolation would
no longer be possible.
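
The single-link scenario described above, as an added example that is not part of Erling Kristiansen's message or of any real aircraft or ground design: a small Python reachability model that compares physically separate links with links separated only by router policy, by asking which enforcing routers an attacker must subvert before the safety-critical network becomes reachable from the Internet. Every topology, zone name and policy below is constructed for the illustration.

```python
"""Reachability under physical vs. logical network isolation.

Added example, not from the RISKS item or any real aircraft design: every
topology, zone name and policy below is constructed for illustration.
"""
from collections import deque
from itertools import combinations


def neighbors(links, node):
    """Adjacency over an undirected set of (a, b) physical links."""
    return {b if a == node else a for a, b in links if node in (a, b)}


def reachable(links, policies, src, dst, compromised=frozenset()):
    """Return a node path from src to dst, or None if no path is permitted.

    policies maps an enforcing node (firewall/router) to the set of
    (origin, destination) flows it will forward. Nodes absent from policies
    are passive: links, end systems, plain routers forwarding by address.
    A compromised enforcing node keeps its links but loses its policy, so it
    forwards anything; that is what turns it into the attacker's bridge.
    """
    flow = (src, dst)
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        # Transit through an intact enforcing node needs an explicit allow.
        # The origin is never filtered by itself: it emits, it does not transit.
        if (node != src and node in policies
                and node not in compromised and flow not in policies[node]):
            continue
        for nxt in neighbors(links, node):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def min_compromise(links, policies, src, dst, max_size=2):
    """Smallest set of enforcing nodes whose compromise exposes dst to src.

    Returns frozenset() if dst is exposed already, and None if no set of up
    to max_size enforcing nodes suffices. Physical isolation gives None:
    there is no link for a subverted policy to unlock.
    """
    if reachable(links, policies, src, dst) is not None:
        return frozenset()
    for size in range(1, max_size + 1):
        for subset in combinations(sorted(policies), size):
            if reachable(links, policies, src, dst, frozenset(subset)) is not None:
                return frozenset(subset)
    return None


# Today (constructed): separate radio links, no physical path joins them.
PHYSICAL = {
    ("internet", "pax_ground_gw"), ("pax_ground_gw", "pax_satcom"),
    ("pax_satcom", "cabin_router"), ("cabin_router", "passenger_net"),
    ("atc_ground", "safety_datalink"), ("safety_datalink", "avionics_gw"),
    ("avionics_gw", "avionics_net"),
}
PHYSICAL_POLICY = {"cabin_router": {("internet", "passenger_net")},
                   "avionics_gw": {("atc_ground", "avionics_net")}}

# One IP air/ground link (constructed): both networks meet at an onboard
# router and are kept apart only by its policy.
CONVERGED = {
    ("internet", "ground_router"), ("atc_ground", "ground_router"),
    ("ground_router", "ip_datalink"), ("ip_datalink", "onboard_router"),
    ("onboard_router", "passenger_net"), ("onboard_router", "avionics_net"),
}
CONVERGED_POLICY = {"onboard_router": {("internet", "passenger_net"),
                                       ("atc_ground", "avionics_net")}}

# Same link with a second, independent enforcement point in front of avionics.
LAYERED = (CONVERGED - {("onboard_router", "avionics_net")}) | {
    ("onboard_router", "avionics_gw"), ("avionics_gw", "avionics_net")}
LAYERED_POLICY = dict(CONVERGED_POLICY,
                      avionics_gw={("atc_ground", "avionics_net")})


if __name__ == "__main__":
    for name, links, policy in [("physical", PHYSICAL, PHYSICAL_POLICY),
                                ("converged", CONVERGED, CONVERGED_POLICY),
                                ("layered", LAYERED, LAYERED_POLICY)]:
        print(f"{name:10} internet->avionics_net: "
              f"{reachable(links, policy, 'internet', 'avionics_net')}; "
              f"min compromise: "
              f"{min_compromise(links, policy, 'internet', 'avionics_net')}")
```

Run stand-alone, the physical topology reports no compromise set at all (there is no link to unlock), the converged topology reports the single onboard router, and the layered one reports the pair of enforcing nodes. The model reasons only about zone policy on a fixed topology; how a given router gets compromised, and out-of-band paths such as management interfaces, are outside it.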

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.65
************************
