
Risks Digest 28.76


RISKS List Owner

Jul 9, 2015, 1:22:55 AM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Wednesday 8 July 2015 Volume 28 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.76.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Modal design leads to death of Marine (Steve Golson)
Man killed by a factory robot in Germany; human error blamed (Ars via
Richard I Cook)
TransAsia flight: Shutdown Wrong Engine! (PGN)
NYSE troubles predicted (Alister Wm Macintyre)
"Technical issues" @ NYSE, UA, other places (Alister Wm Macintyre)
United grounded (PGN)
Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes
(WiReD)
Why back doors are a bad idea (PGN)
More on Keys Under Doormats (PGN)
Senate Judiciary "Going Dark" site is untrusted! (Henry Baker)
FBI, Justice Dept. Take Encryption Concerns to Congress (Privacy)
Hackers take over German missile battery in Turkey (Mark Thorson )
Screen Addiction Is Taking a Toll on Children (NYTimes)
Senior Tech: A Tablet for Aging Hands Falls Short (NYTimes)
Facing a Selfie Election, Presidential Hopefuls Grin and Bear It (NYTimes)
Days of Our Digital Lives (NYTimes)
Chicago's 'cloud tax' makes Netflix and other streaming services more
expensive (The Verge)
Cyber "Deterrence" considered harmful & mad (Henry Baker)
NZ Harmful Digital Communications Bill (Richard A. O'Keefe)
Some heads-up to consider for RISKS (found at Slashdot)
Early adopters of Apple Music find playlists, album art, and
metadata corrupted (mike)
"OpenSSL tells users to prepare for a high severity flaw"
(Lucian Constantin)
Senate advances secret plan forcing Internet services to report
terror activity (Ars)
Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting
(Kyle Newport)
Re: Windows 10 will share your Wi-Fi key with your friends' friends
(Bob Frankston)
Leap Second Causes Sporadic Outages Across the Internet (Cade Metz)
Re: "Leap Second Problem" and "Growing opposition to the Leap Second"
(David E. Ross)
Re: DVD drive in PC fire hazard (Henry Baker)
Re: Overcoming Information Overload (Mark E. Smith)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 02 Jul 2015 10:56:39 -0400
From: Steve Golson <sgo...@trilobyte.com>
Subject: Modal design leads to death of Marine

Marine Corps MV-22 Osprey tilt-rotor attempted to take off while in
maintenance mode, which reduces power by 20%. One crew member was lost at
sea.
http://www.sandiegouniontribune.com/news/2015/jun/30/osprey-crash-at-sea-command-investigation/

The aircraft controls didn't warn them they were about to take off in
maintenance mode, nor did their flight manuals explain the dangers.

After starting the engines, the pilots thought it odd that both hung up
for about 15 seconds before spooling normally. They also discussed the
fact that the exhaust deflector was set to ON instead of AUTO as
usual. But the aircraft seemed fine otherwise, so they assumed a harmless
software update was to blame.

RISK 1: not knowing what mode your system is in

RISK 2: assuming something unusual is due to "a harmless software update"

------------------------------

Date: Thu, 2 Jul 2015 08:45:49 +0200
From: Richard I Cook MD <rico...@gmail.com>
Subject: Man killed by a factory robot in Germany; human error blamed

http://arstechnica.com/business/2015/07/man-killed-by-a-factory-robot-in-germany/

On Wednesday, Volkswagen said that a 22-year-old external contractor for the
company had been killed by a robot at a production factory in Baunatal,
Germany. Heiko Hillwig, a VW spokesperson speaking to the AP about the
incident, said that the robot grabbed the worker and crushed him against a
metal plate. The worker died later at a nearby hospital due to complications
from his injuries.
<http://hosted.ap.org/dynamic/stories/E/EU_GERMANY_ROBOT_KILLING?SITE=TXWIC&SECTION=HOME&TEMPLATE=DEFAULT>

Hillwig told the AP, ``initial conclusions indicate that human error was to
blame.'' He added that the contractor was helping set up the robot and was
inside the metal safety cage that usually separates personnel from the
metal-manipulating robots. Another worker was present when the incident
occurred, but because he was behind the barrier, he was unharmed. Ars has
reached out to Volkswagen but has not yet received a response.

According to the Financial Times ``A Volkswagen spokesman stressed that the
robot was not one of the new generation of lightweight collaborative robots
that work side-by-side with workers on the production line and forgo safety
cages.''
http://www.ft.com/intl/fastft/353721/worker-killed-volkswagen-robot-accident

German newspaper HNA reported that the robot in question is used to build
electric engines for Volkswagen, and the FT noted rather bleakly that the
robot suffered no damage in the accident.

No further details were given by Volkswagen because prosecutors have
launched an investigation into the incident.

The story gained some morbid attention earlier today when a Financial Times
employment reporter named Sarah O'Connor tweeted the story, not realizing
the connection between her name and a character who has a similar name (Sarah
Connor) in the Terminator series. Her tweet was retweeted more than 3,500
times <https://twitter.com/sarahoconnor_/status/616282747200479232> and she
received an influx of messages making jokes about the news. ``Feeling really
uncomfortable about this inadvertent Twitter thing I seem to have kicked
off,'' she tweeted later today. ``Somebody died. Let's not forget.''

------------------------------

Date: Thu, 2 Jul 2015 22:11:08 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: TransAsia flight: Shutdown Wrong Engine!

Interim report on the ATR Crash in Taipei in Feb 2015 finally published: On
4 Feb 2015, TransAsia Airways flight GE 235, an ATR72-600, registration
B-22816, took off from Taipei Songshan Airport for Kinmen, Taiwan.
http://www.asc.gov.tw/main_en/docaccident.aspx?uid=343&pid=296&acd_no=191

Evidently one of the two engines failed, and the Captain accidentally shut down
the working one. He was heard to say on the CVR: ``Wow, pulled back the wrong
side throttle.''

That failure mode should be familiar to long-time RISKS readers!

------------------------------

Date: Wed, 8 Jul 2015 17:40:54 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
Subject: NYSE troubles predicted

NYSE suspended trading for approx 4 hours Wed July-8 starting 11.30 am due
to a "technical issue" not yet explained. DHS says there is no evidence of
cyber mischief, but then we remember when there was that in the past, it
took them 2 years to figure out what happened. Anonymous sent a note late
Tues nite about anticipating a problem at NYSE for Wednesday. How often are
there notes like this? A coincidence?

http://www.msn.com/en-us/news/itinsider/anonymous-issued-cryptic-tweet-on-eve-of-nyse-suspension/ar-AAcIPjz?ocid=iehpo

------------------------------

Date: Wed, 8 Jul 2015 18:09:41 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
Subject: "Technical issues" @ NYSE, UA, other places

11.32 am Wed July-8 NYSE went down for "technical issues", officially not
believed related to cyber mischief.

WSJ went down at about the same time; I have not yet seen an explanation.

United Airlines got grounded a few hours earlier because of a "network
connectivity issue."

By 1.30 pm, WSJ was back in business.
3.10 pm NYSE was back in operation.

http://www.msn.com/en-us/news/us/nyse-resumes-trading/ar-AAcIGgj?ocid=iehp

Before the facts come out about any incident, "Technical Issues" is what the
general public is usually told.

When the SONY Breach chaos began, Nov-24, the official line was an "IT
problem."

Top executives at SONY had been told on Nov-21 by the perpetrators that this
was coming, if they did not comply with the perpetrator demands, so Nov-24
may have been a shock to SONY management, but not really a surprise.
Several people had warned the CEO, months in advance, that The Interview
would lead to North Korea hacking them, but their reaction to this news was
merely to edit the trailer to be less offensive to NK, until the movie
actually came out.

For lots of gory details on SONY behind the scenes, see the cover story of
July-1 Fortune magazine.

------------------------------

Date: Wed, 8 Jul 2015 11:45:29 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: United grounded

http://www.komonews.com/news/national/FAA-All-US-United-Continental-flights-grounded-312486921.html

http://www.washingtonpost.com/business/economy/nyse-trading-has-been-halted/2015/07/08/46b51974-2588-11e5-b72c-2b7d516e1e0e_story.html

CNN has officially called it a set of unrelated `whacky technical problems'.

http://www.theguardian.com/business/live/2015/jul/08/new-york-stock-exchange-wall-street

------------------------------

Date: Thu, 9 Jul 2015 11:03:59 +1200
From: "Dave Farber" <da...@farber.net>
Subject: Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes
(WiReD)

http://www.wired.com/2015/07/cyberarmageddon-upon-us-3-glitches-today-saying-yes/?mbid=nl_7815

------------------------------

Date: Tue, 7 Jul 2015 22:26:07 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Why back doors are a bad idea

http://takingnote.blogs.nytimes.com/2015/07/07/why-a-back-door-to-the-internet-is-a-bad-idea/

------------------------------

Date: Tue, 7 Jul 2015 22:31:43 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: More on Keys Under Doormats

[There were a few errors in the MIT archival URL. A corrected copy is at
www.crypto.com/papers/Keys_Under_Doormats_FINAL.pdf
thanks to Matt Blaze. PGN]

http://www.theguardian.com/world/2015/jul/07/uk-and-us-demands-to-access-encrypted-data-are-unprincipled-and-unworkable

Nicole Perlroth in the Wednesday print edition:
http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-british-government-access-to-encrypted-communication.html

http://www.wsj.com/articles/technology-experts-hit-back-at-fbi-on-encryption-1436316464

------------------------------

Date: Wed, 08 Jul 2015 08:15:46 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Senate Judiciary "Going Dark" site is untrusted!

The Senate Judiciary Committee is holding "Going Dark" hearings today, but
their own HTTPS web site is "Untrusted" by Firefox!

Isn't this the very definition of "delicious irony"?

"This Connection is Untrusted"

"You have asked Firefox to connect securely to www.judiciary.senate.gov, but
we can't confirm that your connection is secure."

"Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place. However,
this site's identity can't be verified."

"What Should I Do?"
"If you usually connect to this site without problems, this error could mean
that someone is trying to impersonate the site, and you shouldn't continue."

Cody M. Poplin, 8 Jul 2015
http://www.lawfareblog.com/live-senate-hearings-going-dark
Live: Senate Hearings on "Going Dark"

------------------------------

Date: Wed, 8 Jul 2015 09:35:15 -0700
From: PRIVACY Forum mailing list <pri...@vortex.com>
Subject: FBI, Justice Dept. Take Encryption Concerns to Congress

http://www.nytimes.com/aponline/2015/07/08/us/politics/ap-us-fbi-encryption.html

Vermont Sen. Patrick Leahy, the panel's senior Democrat, expressed
wariness about facilitating law enforcement's access to encrypted
material, saying he wasn't sure how much that would help. "Strong
encryption would still be available from foreign providers," Leahy said.
"Some say that any competent Internet user would be able to download
strong encryption technology, or install an app allowing encrypted
communications -- regardless of restrictions on American businesses."

------------------------------

Date: Wed, 8 Jul 2015 12:49:36 -0700
From: Mark Thorson <e...@sonic.net>
Subject: Hackers take over German missile battery in Turkey

Ridiculous that this should even be possible.
The missile battery is not on the Internet, is it?

http://www.thelocal.de/20150707/german-missiles-taken-over-by-hackers

------------------------------

From: Monty Solomon <mo...@roscom.com>
Date: Tue, 7 Jul 2015 08:38:56 -0400
Subject: Screen Addiction Is Taking a Toll on Children (NYTimes)

American youths are plugged in and tuned out of the real world for many more
hours of the day than experts consider healthy for normal development.
http://well.blogs.nytimes.com/2015/07/06/screen-addiction-is-taking-a-toll-on-children/

------------------------------

Date: Sun, 5 Jul 2015 10:44:26 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Senior Tech: A Tablet for Aging Hands Falls Short

http://well.blogs.nytimes.com/2015/06/30/senior-tech-a-tablet-for-aging-hands-fall-short/

The AARP RealPad promises ``no confusion and no frustration'' for older
adults. Starting with the on button, it delivers the opposite.

------------------------------

Date: Sat, 4 Jul 2015 19:44:04 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Facing a Selfie Election, Presidential Hopefuls Grin and Bear It

http://www.nytimes.com/2015/07/05/us/politics/facing-a-selfie-election-presidential-hopefuls-grin-and-bear-it.html

The Selfie Election
http://nyti.ms/1NE67AX

------------------------------

Date: Sat, 4 Jul 2015 22:34:46 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Days of Our Digital Lives (NYTimes)

http://www.nytimes.com/2015/07/05/opinion/sunday/seth-stephens-davidowitz-days-of-our-digital-lives.html

Minute by minute, just what are we searching for?

------------------------------

Date: Wed, 1 Jul 2015 23:01:29 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Chicago's 'cloud tax' makes Netflix and other streaming services
more expensive (The Verge)

*The Verge* via NNSquad
http://www.theverge.com/2015/7/1/8876817/chicago-cloud-tax-online-streaming-sales-netflix-spotify

Today, a new "cloud tax" takes effect in the city of Chicago, targeting
online databases and streaming entertainment services. It's a puzzling
tax, cutting against many of the basic assumptions of the web, but the
broader implications could be even more unsettling. Cloud services are
built to be universal: Netflix works the same anywhere in the US, and
except for rights constraints, you could extend that to the entire
world. But many taxes are local -- and as streaming services swallow up
more and more of the world's entertainment, that could be a serious
problem.

------------------------------

Date: Tue, 07 Jul 2015 09:14:01 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Cyber "Deterrence" considered harmful & mad

The U.S. seems intent on doubling down on the inappropriate application of
nuclear deterrence theory to "cyber deterrence".

The concept of nuclear deterrence depends upon the concept of "mutually
assured destruction" (MAD). No destruction, no assured, no mutual, no
deterrence. *Cyber deterrence is a contradiction in terms; there is no
deterrence in cyberspace.*

The U.S. has done its part in guaranteeing the "mutual" part; the U.S. has
left itself wide open to "cyber" attack, because it has no defenses. As
Adm. Winnefeld admits, the U.S.--with the largest collection of
sophisticated networks--has far more to lose than anyone else.

Deterrence is a feedback system; the signaling has to go both ways. But if
the signaling is ignored, the feedback is useless. It is the equivalent of
adjusting a thermostat that isn't connected to the air conditioning system.

As has been stated many times before, appropriate destruction requires
proper attribution, but in the "cyber" case, attribution remains highly
dubious. Hitting back at the wrong target will simply create more enemies.

The time has come for computer scientists to speak up against the whole
concept of "cyber deterrence", because it is ineffective and dangerous.
Because it is ineffective, no one is going to be deterred, and therefore any
reliance on "deterrence" instead of defense will encourage rather than
discourage such an attack.

WWI started as a result of inappropriate signaling among the Great Powers
in 1914. Let's not repeat this mistake in the 21st Century.

https://en.wikipedia.org/wiki/Deterrence_theory
https://en.wikipedia.org/wiki/World_War_I

37-minute talk by Adm. James Winnefeld regarding, among other things, "cyber
deterrence".

https://www.youtube.com/watch?v=j9cFHYHMQcY

ADM James A. Winnefeld, Vice Chairman of the Joint Chiefs of Staff at the
Army Cyber Institute May 14, 2015.

------------------------------

Date: Thu, 2 Jul 2015 18:41:25 +1200
From: "Richard A. O'Keefe" <o...@cs.otago.ac.nz>
Subject: NZ Harmful Digital Communications Bill

We've all experienced or heard stories about cyberbullying
and the like. My own daughter has had nastygrams and death
threats through electronic media. There are risks of doing
nothing, and risks of over-reacting. I heard today that
New Zealand's "Harmful Digital Communications Bill" passed
at the end of last month.

http://parliamenttoday.co.nz/2015/06/harmful-digital-communications-bill-passes/

Metadata:

http://www.parliament.nz/en-nz/pb/legislation/bills/00DBHOH_BILL12843_1/harmful-digital-communications-bill
Text:
http://legislation.govt.nz/bill/government/2013/0168/latest/whole.html

This has been in the works for several years.
It has been officially reviewed for consistency with our Bill
of Rights Act (BORA), and found acceptable.

(http://www.justice.govt.nz/policy/constitutional-law-and-human-rights/human-rights/bill-of-rights/harmful-digital-communications-bill)

However, it's still controversial, although the hooraw about
changing the flag has distracted attention from it.
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11473451

There must be some people reading comp.risks who could comment on this
more competently than I, but here are some things I notice.

"digital communication
(a) means any form of electronic communication; and
(b) includes any text message, writing, photograph, picture, recording,
or other matter that is communicated electronically."

So anything said over a landline phone, CB radio, amateur, or
marine radio counts as "digital communication" even if it is all
analogue. Wouldn't "electronic communication" have done?

"The purpose of this Act is to
(a) deter, prevent, and mitigate harm caused to individuals by digital
communications; and
(b) provide victims of harmful digital communications with a quick and
efficient means of redress."

However, "harm means serious emotional distress" and
"posts a digital communication [means]
(a) means transfers, sends, posts, publishes, disseminates, or
otherwise communicates by means of a digital communication
(i) any information, whether truthful or untruthful, about the
victim; or
(ii) an intimate visual recording of another individual; and
(b) includes an attempt to do anything referred to in paragraph (a)
so it would seem that a mobile phone service that transfers a message
from one person to another might be covered by "transfer". Deciding
what to do about "hosts" and trying to get it right apparently caused
a lot of trouble in drafting. They clearly didn't *intend* ISPs or
phone companies to be affected, provided there's a straightforward
complaints process.

Truthfulness is not an issue? If Miss A says to Miss B, "stay away from Mr
C, he put his last girlfriend in the hospital", and Mr C says this hurt his
feelings, Miss A could be facing up to NZD 50,000 in fines or 2 years in
prison, *even if it is true*.

Thinking from a computing perspective, we already have laws about
defamation, and we can't expect what seems like haphazard patching to
produce anything but buggy consequences. Several other acts are amended by
this one, and again, programming has me wondering about the ability of the
"Legislation IDE" to find *all* the legislation that needs patching.

There are 10 principles.

1. A digital communication should not disclose sensitive
personal facts about an individual.
2. A digital communication should not be threatening,
intimidating, or menacing.
3. A digital communication should not be grossly offensive
to a reasonable person in the position of the affected
individual.
4. A digital communication should not be indecent or obscene.
5. A digital communication should not be used to harass an
individual.
6. A digital communication should not make a false allegation.
7. A digital communication should not contain a matter that is
published in breach of confidence.
8. A digital communication should not incite or encourage
anyone to send a message to an individual for the purpose
of causing harm to the individual.
9. A digital communication should not incite or encourage
an individual to commit suicide.
10. A digital communication should not denigrate an
individual by reason of his or her colour, race, ethnic
or national origin, religion, gender, sexual orientation,
or disability.

So *if* I were to tell you that my dog is so smart she has a degree from
MIT, principle 6 would get me.

It just occurred to me that I'm on the SumOfUs.org mailing list, and have
signed a lot of their petitions. If a board member of [name your favourite
predatory company] should claim to have suffered "serious emotional
distress" as a result of receiving one of these petitions, principle 5 might
or might not get me, but principle 8 would certainly get SumOfUs.org, should
they ever be subject to NZ law.

There are oddball features, like someone is to be appointed to be or run an
Approved Agency for dealing with complaints under the Act, but "is not to be
regarded as being employed in the service of the Crown..."

Much of the Act is administrative, but a District Court (which typically
deals with things like minor assault, unpaid fines, &c) may make orders
(paraphrased):
- to take down or disable material
- to tell people to stop doing whatever they've been doing
- to order a correction to be published
- to give a right of reply to the affected individual
- to demand an apology.

It also creates an offence: basically, deliberately posting material that
does harm someone and could have been expected to.

An order to take material down because it upsets someone comes, or could
come, quite close to the right to be forgotten.

------------------------------

Date: Sat, 4 Jul 2015 00:04:09 +0200
From: Werner U <wer...@gmail.com>
Subject: Some heads-up to consider for RISKS (found at Slashdot)

*Windows 10 Shares Your Wi-Fi Password With Contacts*
tech.slashdot.org/story/15/07/01/2121252/windows-10-shares-your-wi-fi-password-with-contacts?sbsrc=md

(July 1, Slashdot) *The Register reports that Windows 10 will include,
defaulted on, "Wi-Fi Sense
<http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/>" which
shares wifi passwords with Outlook.com contacts, Skype contacts and, with
an opt-in, Facebook friends. This involves Microsoft storing the wifi
passwords entered into your laptop which can then be used by any other
person suitably connected to you. If you don't want someone's Windows 10
passing on your password, Microsoft has two solutions; only share passwords
using their Wi-Fi Sense service, or by adding "_optout" to your SSID.*

*Senator Demands Answers on FBI's Use of Zero Days, Phishing*
threatpost.com/senator-demands-answers-on-fbis-use-of-zero-days-phishing/113593

(July 2, Threatpost) Sen. Charles Grassley (R-Iowa), chairman of the
powerful Senate Judiciary Committee, has sent a letter to FBI Director James
Comey asking some pointed questions about the bureau's use of zero-day
vulnerabilities, phishing attacks, spyware, and other controversial tools (a
list of highly specific questions about the way the FBI uses remote
exploitation capabilities and spyware tools). The letter
<https://www.grassley.senate.gov/sites/default/files/judiciary/upload/FBI%2C%2006-12-15%2C%20use%20of%20spyware%20letter.pdf>
is related to a current effort by the Department of Justice to get more
leeway in the way that its agencies use spyware tools in criminal
investigations.

*Government Illegally Spied On Amnesty International*
yro.slashdot.org/story/15/07/02/2053222/uk-government-illegally-spied-on-amnesty-international

(July 2, Slashdot)
*A court has revealed that the UK intelligence agency, GCHQ, illegally
spied on human rights organization Amnesty International
<http://amnesty.org.uk/press-releases/surveillance-uk-government-spied-on-amnesty-international#.VZRD7VrIjak.twitter>.
It is an allegation that the agency had previously denied, but an email
from the Investigatory Powers Tribunal backtracked on a judgment made in
June which said no such spying had taken place. The email was sent to
Amnesty International yesterday, and while it conceded that the
organization was indeed the subject of surveillance
<http://betanews.com/2015/07/02/uk-government-illegally-spied-on-amnesty-international/>,
no explanation has been offered. It is now clear that, for some reason,
communications by Amnesty International were illegally intercepted, stored,
and examined. What is not clear is when the spying happened, what data was
collected and, more importantly, why it happened.*

*Samsung Faces Lawsuit In China Over Smartphone Bloatware*
tech.slashdot.org/story/15/07/03/1424207/samsung-faces-lawsuit-in-china-over-smartphone-bloatware

*(July 3, Slashdot) Samsung is being sued in China for installing too many
apps onto its smartphones
<http://www.shanghaidaily.com/metro/society/Samsung-Oppo-facing-landmark-lawsuits-over-preinstalled-apps/shdaily.shtml>.
The Shanghai Consumer Rights Protection Commission is also suing Chinese
vendor Oppo, demanding that the industry do more to rein in bloatware
<http://thestack.com/samsung-oppo-lawsuit-smartphone-bloatware-030715>. The
group said complaints are on the rise from smartphone users who are
frustrated that these apps take up too much storage and download data
without the user being aware. Out of a study of 20 smartphones, Samsung and
Oppo were found to be the worst culprits. A model of Samsung's Galaxy Note
3 contained 44 pre-installed apps that could not be removed from the
device, while Oppo's X9007 phone had 71.*

*Firefox 39 Released, Bringing Security Improvements and Social Sharing*
news.slashdot.org/story/15/07/03/1426226/firefox-39-released-bringing-security-improvements-and-social-sharing

*(July 3, Slashdot) Today Mozilla announced the release of Firefox 39.0
<https://blog.mozilla.org/blog/2015/07/02/new-sharing-features-in-firefox/>,
which brings a number of minor improvements to the open source browser.
(Full release notes
<https://www.mozilla.org/en-US/firefox/39.0/releasenotes/>.) They've
integrated Firefox Share with Firefox Hello, which means that users will be
able to open video calls through links sent over social media. Internally,
the browser dropped support for the insecure SSLv3
<http://it.slashdot.org/story/14/10/15/000239/google-finds-vulnerability-in-ssl-30-web-encryption>
and disabled use of RC4
<http://yro.slashdot.org/story/13/03/14/1839239/cryptographers-break-commonly-used-rc4-cipher>
except where explicitly whitelisted. The SafeBrowsing malware detection now
works for downloads on OS X and Linux. (Full list of security changes:)
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39
The Mac OS X version of Firefox is now running Project Silk
<https://hacks.mozilla.org/2015/01/project-silk/>, which makes animations
and scrolling noticeably smoother. Developers now have access to the
powerful Fetch API
<https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API>, which should
provide a better interface for grabbing things over a network.*
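The SSLv3 and RC4 removals noted above are browser-side policy, but any TLS client can enforce the same floor. The following is an added example (not Mozilla's code or anything from the Slashdot summary) that builds a hardened client context with Python's standard ssl module, audits it offline for SSLv3 and RC4 exposure, and contrasts it with a deliberately permissive one; the function names are my own.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context with the policy Firefox 39 adopted: no SSLv3, no RC4.

    Starts from the platform trust store (certificate verification on), then
    pins the floor to TLS 1.2 and removes RC4, NULL-auth and MD5-based suites.
    """
    ctx = ssl.create_default_context()
    # Refuse any handshake below TLS 1.2; this rules out SSLv3 (and the
    # downgrade path that made dropping SSLv3 urgent) as well as TLS 1.0/1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax: prefer forward-secret AEAD suites and
    # explicitly exclude RC4 and other weak families from selection.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!aNULL:!eNULL:!MD5"
    )
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Deliberately permissive context, for contrast only (constructed here):
    no version floor, OpenSSL's default cipher list, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> dict:
    """Report whether a context could still negotiate SSLv3 or an RC4 suite.

    Uses only the context's own configuration (no network), so it can run in
    CI as a regression check on whatever TLS policy a service ships with.
    Note: ctx.get_ciphers() lists what the cipher string selected; on builds
    that omit RC4 entirely the list is empty regardless of policy, which is
    the outcome we want either way.
    """
    rc4 = sorted(c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"])
    return {
        "min_version": ctx.minimum_version.name,
        "sslv3_allowed": ctx.minimum_version <= ssl.TLSVersion.SSLv3,
        "rc4_suites": rc4,
        "verifies_certs": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    for label, builder in (("hardened", hardened_client_context),
                           ("legacy", legacy_client_context)):
        print(label, audit_tls_context(builder()))
```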

------------------------------

Date: Tue, 7 Jul 2015 10:47:18 -0600
From: mike <mike...@hotmail.com>
Subject: Early adopters of Apple Music find playlists, album art, and
metadata corrupted

One risk of jumping onto a new product release is the possibility of side
effects that damage or destroy your data -- as some Apple Music enrollees
are discovering. On the Apple discussion forum and elsewhere users are
complaining that thru some unexplained mechanism their existing playlists
and album art are being corrupted by Apple Music. Playlists that have taken
hours to compile become useless. Also there are reports that user meta-data
describing the song (genre, artist, notes, etc.) is replaced by meta-data
from Apple Music. See https://discussions.apple.com/thread/7104745

------------------------------

Date: Tue, 07 Jul 2015 12:56:36 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "OpenSSL tells users to prepare for a high severity flaw"
(Lucian Constantin)

Lucian Constantin. InfoWorld, 7 Jul 2015
Patches will be released on July 9 for a high severity vulnerability
in OpenSSL's widely used cryptographic library
http://www.infoworld.com/article/2944802/security/openssl-tells-users-to-prepare-for-a-high-severity-flaw.html

------------------------------

Date: Tue, 7 Jul 2015 16:35:28 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Senate advances secret plan forcing Internet services to report
terror activity (Ars)

Ars Technica via NNSquad
http://arstechnica.com/tech-policy/2015/07/senate-advances-secret-plan-forcing-internet-services-to-report-terror-activity/

Senator Dianne Feinstein (D-CA), who sponsored the Internet services
provision, did not return a call seeking comment. The legislation is
modeled after a 2008 law, the Protect Our Children Act. That measure
requires Internet companies to report images of child porn, and
information identifying who trades it, to the National Center for Missing
and Exploited Children. That quasi-government agency then alerts either
the FBI or local law enforcement about the identities of online child
pornographers. The bill, which does not demand that online companies
remove content, requires Internet firms that obtain actual knowledge of
any terrorist activity to "provide to the appropriate authorities the
facts or circumstances of the alleged terrorist activity," wrote The
Washington Post, which was able to obtain a few lines of the bill
text. The terrorist activity could be a tweet, a YouTube video, an
account, or a communication.

Actual child porn is fairly obvious. Terror activity is a much more nebulous
concept, and I suspect a significant percentage of the blowhard statements
from idiot trolls in posting comments could be theoretically swept into this
category. I suspect what's actually going on here is that this is a
preliminary to trying to push through legislation banning strong encryption
by these services, trying to turn Internet services into monitoring agents
for the government.

------------------------------

Date: Wed, 8 Jul 2015 13:48:35 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting

Bleacher Report -- Kyle Newport -- Jul 6, 2015
http://bleacherreport.com/articles/2516427-matt-bonner-blames-new-iphone-6-for-injury-poor-shooting

Matt is quoted in the article:

``I hate to make excuses, I was raised to never make excuses, but I went
through a two-and-a-half month stretch where I had really bad tennis elbow,
and during that stretch it made it so painful for me to shoot I'd almost be
cringing before I even caught the ball like, this is going to kill.'' [...]

``Everybody is going to find this hilarious, but here's my theory on how I got
it. When the new iPhone came out it was way bigger than the last one, and I
think because I got that new phone it was a strain to use it, you have to
stretch further to hit the buttons, and I honestly think that's how I ended
up developing it."

------------------------------

Date: 8 Jul 2015 17:11:51 -0400
From: "Bob Frankston" <bob...@bob.ma>
Subject: Re: Windows 10 will share your Wi-Fi key with your friends' friends
(RISKS-28.75)

万能钥匙 (http://www.lianwifi.com/) provides an app
used by hundreds of millions of Chinese to share Wi-Fi keys. I haven't used
it because it's an APK not vetted in the Android store, but I understand the
value and the need for a tool to avoid wasting time negotiating past all
those Wi-Fi agree screens and other annoyances present even if there is no
charge.

At some point we need to face up to the fact that this whole idea of Wi-Fi
security is a debacle as well as a security risk. Microsoft's approach may
be problematic because it seems to add more complexity, but it does address a
real need for "just works" connectivity.

------------------------------

Date: Wed, 1 Jul 2015 23:24:42 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: Leap Second Causes Sporadic Outages Across the Internet (Cade Metz)

Cade Metz -- WiReD -- 07.01.15 -- 1:08 pm

Yesterday's leap second caused sporadic outages in more than 2,000 networks
that link machines across the Internet, according to a company that tracks
the performance of online services.

Doug Madory, the director of Internet analysis at the New Hampshire-based
Dyn Inc., says the outages occurred just after midnight Coordinated
Universal Time, when the leap second was added. Because no single Internet
service provider was responsible for the outage, Madory says, the leap
second was almost certainly the culprit.

http://www.wired.com/2015/07/leap-second-causes-sporadic-outages-across-internet/

------------------------------

Date: Wed, 1 Jul 2015 09:42:18 -0700
From: "David E. Ross" <da...@rossde.com>
Subject: Re: "Leap Second Problem" and "Growing opposition to the Leap Second"
(RISKS-28.74)

Back in 1969, I was a software tester for a system that handled leap-seconds
seamlessly, a system that remained in use until the early 1990s (more than
20 years). We had no problems with leap-seconds. Internally, all time-tags
were in TAI (atomic time), which does not have leap-seconds. This, of
course, simplified the accurate computation of intervals between two events.
All inputs and displays used a small software routine that converted UTC to
TAI and vice-versa with the insertion or removal of appropriate
leap-seconds.

The problem today is that seven years went by (1999-2006) with no
leap-seconds. Then, only one leap second occurred between 2006 and 2012, on
1 January 2009 (one in a six-year interval). That is, there were only two
leap-seconds in a 13-year period. Programmers, testers, and others involved
in computer systems became complacent, lazy, and possibly ignorant of
fundamental physical processes that are causing the earth's rotation to
slow.

No, the leap-second is not a problem. The problem lies in systems that were
designed without regard for a phenomenon that occurred 22 times from 1972 to
1999, 27 years during which no serious opposition was expressed against
leap-seconds.
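The TAI-internal design the contributor describes, as an added Python example (not code from the 1969 system): UTC is kept in broken-down form so that 23:59:60 is representable, converted to TAI seconds through a leap-second table, and intervals are computed in TAI. The table is abbreviated to the published TAI-UTC entries from 1999 onward; a real system would load the full table and keep it current.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)

# Abbreviated leap-second table (published TAI-UTC values, 1999 onward):
# (first UTC instant of the new offset, offset in seconds). Each entry marks
# a positive leap second, 23:59:60, just before it. A real system loads all.
LEAP_TABLE = [
    (datetime(1999, 1, 1, tzinfo=UTC), 32),
    (datetime(2006, 1, 1, tzinfo=UTC), 33),
    (datetime(2009, 1, 1, tzinfo=UTC), 34),
    (datetime(2012, 7, 1, tzinfo=UTC), 35),
    (datetime(2015, 7, 1, tzinfo=UTC), 36),
]

def _unix(dt):
    return int((dt - EPOCH).total_seconds())  # POSIX-style: leap seconds ignored

def utc_to_tai(y, mo, d, h, mi, s):
    """Broken-down UTC (s == 60 allowed during a leap second) -> TAI seconds."""
    day = datetime(y, mo, d, tzinfo=UTC)
    offsets = [off for when, off in LEAP_TABLE if when <= day]
    if not offsets:
        raise ValueError("instant precedes the abbreviated table")
    if s == 60 and ((h, mi) != (23, 59)
                    or all(w != day + timedelta(days=1) for w, _ in LEAP_TABLE)):
        raise ValueError("no leap second at that instant")
    return _unix(day) + h * 3600 + mi * 60 + s + offsets[-1]

def tai_to_utc(tai):
    """TAI seconds -> broken-down UTC tuple, emitting 23:59:60 when inside one."""
    # A table boundary expressed in TAI is unix(when) + its new offset.
    applicable = [(w, off) for w, off in LEAP_TABLE if _unix(w) + off <= tai]
    if not applicable:
        raise ValueError("instant precedes the abbreviated table")
    when, off = applicable[-1]
    utc_secs = tai - off
    # Old offset still in force but already at the next boundary's POSIX value:
    # we are inside the inserted second, not yet in the next day.
    in_leap = any(w > when and utc_secs >= _unix(w) for w, _ in LEAP_TABLE)
    dt = EPOCH + timedelta(seconds=utc_secs - (1 if in_leap else 0))
    return (dt.year, dt.month, dt.day, dt.hour, dt.minute, 60 if in_leap else dt.second)

def interval(start, end):
    """Elapsed seconds between two broken-down UTC instants, computed in TAI."""
    return utc_to_tai(*end) - utc_to_tai(*start)

def naive_interval(start, end):
    """Same via POSIX-style datetime arithmetic: drops the leap second, cannot hold :60."""
    return int((datetime(*end, tzinfo=UTC) - datetime(*start, tzinfo=UTC)).total_seconds())
```

Across the 30 June 2015 boundary, `interval` reports 2 s from 23:59:59 to 00:00:00 while `naive_interval` reports 1 s, which is the class of discrepancy the leap-second outages above stem from.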

------------------------------

Date: Tue, 07 Jul 2015 07:17:36 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Re: DVD drive in PC fire hazard (mctaylor, RISKS-28.75)

My 17" HP Windows laptop fries its own hard drive, because it's located
right next to a very hot GPU. However, it has a completely empty bay on the
other side that is about 20-25 degrees C cooler. I got a short SATA
extender cable & relocated the hard drive to this cooler bay. I then
started running Ubuntu, because it runs 10-15 degrees C cooler than Windows.

As best I can tell, once-mighty HP has lost all of its lustre, and all
of its excellent engineers have left for greener pastures.

------------------------------

Date: Wed, 8 Jul 2015 02:53:28 +0800
From: "Mark E. Smith" <mym...@gmail.com>
Subject: Re: Overcoming Information Overload

Over time I've developed my own methods of overcoming information overload.

1. I have no interface with mainstream or commercial media. I don't own a
TV, don't listen to my hand-cranked radio except for a single jazz station,
and don't read newspapers or magazines. I have no cell phone, my landline is
used only for my dial-up Internet connection, and I'm no longer a registered
voter. Therefore my only contact with stories planted by the CIA,
corporations, or political operatives, is if they are exposed and/or
commented on by somebody in my personal network.

2. For topics that interest me I keep abreast by subscribing to list-serves
dedicated to those specific topics and following people who have
demonstrated an ability to keep themselves informed and to inform others
about these topics on Twitter. For example, I subscribe to two list-serves
about Fukushima and follow several people on Twitter who are knowledgeable
about and only or primarily Tweet about Fukushima.

3. I subscribe through RSS feeds or by email notification to websites that
specialize in topics of interest to me, such as natural health cures,
pollution, technology risks, countries under attack by NATO, indigenous
struggles, sexism, racism, etc., and follow people with similar interests,
experience, and expertise on Twitter. So I get daily or frequent updates
from or about Iraq, Syria, Afghanistan, Pakistan, Libya, Somalia, Yemen,
Palestine, Sudan, Venezuela, Mexico, Ecuador, Russia, etc., and news about
government or paramilitary attacks on indigenous peoples, people of color,
and on women and children everywhere, plus news of the latest pharmaceutical
and health industry scandals and natural health breakthroughs.

4. To save time, I filter emails that don't interest me, and I block more
than 90% of the people who try to follow me on Twitter, after checking their
profiles to make sure they have nothing to say that I consider of
informational value.

5. I don't use social media other than Twitter, which ensures that
everything I read is concise and succinct, due to the character limit on
Tweets.

While Dan Gillmor's notice of the MediaLit MOOC is certain to be of value to
many who have not already worked out a system of their own, as soon as I saw
that it included voices from the mainstream media, I knew it would not be of
sufficient value to me to give it any more time than this response, which I
hope might save others some time.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.76
************************
