RISKS-LIST: Risks-Forum Digest Monday 1 May 2020 Volume 31 : Issue 93

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.93>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Dealing with the Internet's split personality (WashPost)
In virus-hit South Korea, AI monitors lonely elders (WashPost)
How to Protest Safely in the Age of Surveillance (WiReD)
Resuscitate The Internet Fairness Doctrine (The Hill)
An advanced and unconventional hack is targeting industrial firms
(Ars Technica)
Minnesota is now using contact tracing to track protestors, as
demonstrations escalate (BGR)
Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps
(Lauren Weinstein)
Critical 'Sign in with Apple' Bug Could Have Let Attackers Hijack Anyone's
Account (The Hacker News)
Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups (NYTimes)
Anonymous is back (PGN)
How To Create A Culture of Kick-Ass #DevSecOps Engineers That Advocates
Security Automation & Monitoring Throughout the #Software Development
Life-cycle (The Hacker News)
Live EPIC online policy panel: Privacy and the Pandemic (Diego Latella)
Risks to Elections in the COVID-19 Era (Diana Neuman)
Death or Utopia in the Next Three Decades (Brian Berg)
New Research Paper: "Privacy Threats in Intimate Relationships"
(Bruce Schneier)
Re: Tesla owner locked thief in car with his iPhone app (Carlos Villalpando)
Re: The GitHub Arctic Code Vault (Amos Shapir)
Re: Choosing 2FA authenticator apps can be hard. Ars did it so you don't
have to (John Levine)
Re: Vitamin C (R. G. Newbury)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 1 Jun 2020 13:17:03 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Dealing with the Internet's split personality (WashPost)

https://www.washingtonpost.com/opinions/there-must-be-a-price-to-pay-for-misusing-the-internet/2020/05/29/fc82b08e-a1b8-11ea-81bb-c2f70f01034b_story.html

"There must be a price to pay for misusing the Internet. New 'norms' of
behavior must be nourished. Bad behavior must be punished. Up to a point,
that's fine. But the commission never really explains how this is to
work. One practical problem is the difficulty in identifying the source of a
cyberattack."

Environment drives evolution. Genomes react to environmental stimulus over
generations; they adapt to enable survival. The Internet's predominant genome
suggests business governance is an ideal adaptation candidate.

Each data breach, computer malfunction, viral infection, botnet, bent or
malicious insider, and DDoS incurs at least inconvenience, threatens
business mortality, and routinely compromises personal privacy. Weak digital
hygiene, inadequate training, ineffective content controls, and professional
shirking contribute to these chronic conditions. Elevating and enforcing
business conduct standards has never been more urgent.

Classified data loss is vigorously prosecuted under Federal law
(https://www.nytimes.com/2020/02/04/nyregion/cia-leak-wikileaks-trial-Joshua-Schulte.html,
https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html)

Businesses entrusted to manage customer data suffer public brand outrage
when bulk content is lost through negligence. However, business governance
teams and employees are inconstantly found liable in civil courts.

Cyber-liability insurance compensates organizations and customers when
justice determines necessity; usually, a settlement is reached before trial
commences. Repeat incidents elevate premiums, and insurers mandate enhanced
internal remediation to suppress recurrence. Despite repairs, comprehensive
efforts to harden infrastructure, train employees, and build resilient
processes appear ineffective given their industrial frequency.

Governance "skin in the game" can compel organizational behavior to
prioritize customer interests that include data protection and privacy
maintenance practices.

Privileges accompany corporate rank. Why not balance them with legally
enforceable penalties? Would legislation that establishes financial
penalties for business governance teams, including possible imprisonment,
accelerate effective digital hygiene hardening and operational deployment?

Enforcement practices can compel business compliance rigor. The financial
crisis of 2007-2008 (see
https://en.wikipedia.org/wiki/Financial_crisis_of_2007-2008) forced
revisions to the Investment Advisors Act of 1940. Regulations were
introduced that required financial advisors to put customer interests
first. Rule violators were disciplined. However, regulations have been
recently softened to favor business interests. (See
https://www.sec.gov/news/press-release/2019-89 and
https://www.consumerreports.org/financial-planning/how-to-find-reliable-financial-advice/).

The Cyberspace Solarium Commission (https://www.solarium.gov/report) "urges
Congress to give the Cybersecurity and Infrastructure Security Agency (CISA)
significantly more resources and additional authorities as the agency works
to ensure critical networks can recover quickly from cyberattacks and serves
as the 'central coordinating element to support and integrate federal, state
and local, and private-sector cybersecurity efforts.'" This recovery
mechanism can facilitate post-attack remediation, but does not expedite
proactive and effective deterrence by Internet-based businesses.

Establishing a fair, reliable, and vigilant Internet "cop on the beat,"
funded in part from commercial and government data breach/malware fines,
could motivate a fundamental change in how Internet-dependent businesses
operate custodial data management practices. It is difficult to estimate
business enforcement expenses. Operational expenses are usually factored
into product prices. Consumers may experience certain pocketbook impact.

For Internet business models that advertise application access as a quid pro
quo for consumer data, there's likely very small revenue impact. Other
industrial sectors: power distribution, healthcare, chemical, transportation
etc. may need to proactively pool revenue (or self-insure).

Government agency executives and employees should be subject to these
regulations. They are in business to safeguard public interests, which
includes oversight of significant personal identifying information and
commercial data.

Mandatory penalties derived from data loss or malware incidents would
effectively serve as an "Internet Tax" chartered by government to offset
materialized business risks that burden public confidence. A
politically-independent, enforceable regulatory structure is necessary to
restore the Internet's balance toward public interest.

------------------------------

Date: Mon, 1 Jun 2020 14:15:52 +0800
From: Richard Stein <rms...@ieee.org>
Subject: In virus-hit South Korea, AI monitors lonely elders (WashPost)

https://www.washingtonpost.com/business/technology/in-virus-hit-south-korea-ai-monitors-lonely-elders/2020/05/30/45c38370-a2ec-11ea-be06-af5514ee038story.html

South Korea's elderly population volunteers for home digital assistant
monitoring of searches and voice commands. Suicide, and unattended death
generally, is a grave concern for this aging cohort.

SK Telecom is a state-sanctioned surveillance economy titan. Weak consumer
privacy protections fuel business thirst for data. Significant government
and business embarrassments from largely unrestricted public data
exploitation.

------------------------------

Date: Mon, 1 Jun 2020 06:31:47 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: How to Protest Safely in the Age of Surveillance (WiReD)

Law enforcement has more tools than ever to track your movements and access your communications. Here's how to protect your privacy if you plan to protest.

https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/

------------------------------

Date: Mon, 1 Jun 2020 21:56:47 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Resuscitate The Internet Fairness Doctrine (The Hill)

https://thehill.com/policy/technology/500196-khanna-calls-for-internet-fairness-doctrine-in-response-controversial-trump

"Let's say the President is tweeting out conspiracy theories about Joe
Scarborough," Khanna said, referring to Trump's tweets earlier this week
about an unsubstantiated conspiracy theory regarding the death of an aide
that worked for the former Florida congressman.

"Well why not allow the widower who doesn't want the president tweeting
about his deceased wife, why not give him the opportunity to send a response
and that response Twitter could send to every person who clicks on the
President's tweets?" Khanna suggested.

"Or why not allow someone to respond to the President's claims about ballot
fraud?"

"What I would say is, you defeat speech with speech. But you didn't give one
person a huge megaphone and not allow a fair response," he added.

In 1987, under President Reagan, the Fairness Act was abolished. An updated
Fairness Act, tabled for legislative debate, appears overdue.

If Khanna's solution is adopted, tag-tweeted publication latency accrues
until rebuttal content materializes. A timer might be established to
incentivize response. The tag-tweet process appears to be viable when
applied to a single political office.

The labor expense to oversee political content might become significant if
the resuscitated Act applied to all levels of government (federal, state,
local).

Should a media company be required to sponsor this activity as a public
service? Who pays for the speech/rebuttal oversight process? Who defines the
rules governing the speech/rebuttal process? Who arbitrates disputes over
what is/is-not political speech?

------------------------------

Date: Mon, 1 Jun 2020 09:58:29 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: An advanced and unconventional hack is targeting industrial firms
(Ars Technica)

Steganography? Check. Living off the land? Yep. Triple-encoded payloads?
Uh-huh.

https://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/

------------------------------

Date: Sun, 31 May 2020 14:39:10 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Minnesota is now using contact tracing to track protestors, as
demonstrations escalate (BGR)

https://bgr.com/2020/05/30/minnesota-protest-contact-tracing-used-to-track-demonstrators/

In some cities like Minneapolis, though, officials are starting to turn to a
familiar tool to investigate networks of protestors. The tool is
contact-tracing, and it's a familiar tool in that people have been hearing
about it frequently in recent weeks as an important component of a
comprehensive coronavirus pandemic response. According to Minnesota Public
Safety Commissioner John Harrington, officials there have been using what
they describe, without going into much detail, as contact-tracing in order
to build out a picture of protestor affiliations — a process that
officials in the state say has led them to conclude that much of the protest
activity there is being fueled by people from outside coming in.

------------------------------

Date: Sun, 31 May 2020 12:05:06 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps

https://lauren.vortex.com/2020/04/27/recommendation-do-not-install-or-use-centralized-server-coronavirus-covid-19-contact-tracing-apps

------------------------------

Date: Sun, 31 May 2020 22:43:25 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Critical 'Sign in with Apple' Bug Could Have Let Attackers
Hijack Anyone's Account (The Hacker News)

The now-patched vulnerability could have allowed remote attackers to bypass
authentication and take over targeted users' accounts on third-party
services and apps that have been registered using 'Sign in with Apple'
option.

https://thehackernews.com/2020/05/sign-in-with-apple-hacking.html

------------------------------

Date: Mon, 1 Jun 2020 11:16:20 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups

https://www.nytimes.com/2020/03/07/us/politics/erik-prince-project-veritas.html

[Old news, but still timely. PGN]

------------------------------

Date: Mon, 1 Jun 2020 11:56:46 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Anonymous is back

George Floyd: Anonymous hackers re-emerge amid US unrest (BBC News)
https://www.bbc.com/news/technology-52879000

------------------------------

Date: Mon, 1 Jun 2020 09:10:31 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: How To Create A Culture of Kick-Ass #DevSecOps Engineers
That Advocates Security Automation & Monitoring Throughout the
#Software Development Life-cycle.

https://thehackernews.com/2020/06/devsecops-engineers.html

------------------------------

Date: Mon, 01 Jun 2020 22:24:28 +0200
From: "Diego.Latella" <diego....@isti.cnr.it>
Subject: Live EPIC online policy panel: Privacy and the Pandemic

PRIVACY AND THE PANDEMIC (https://epic.org/events/June3/)
3 JUNE 2020, 1 PM - 2 PM EDT

The COVID-19 pandemic is a global health emergency of unprecedented scale,
and countries are deploying a wide range of techniques to respond. EPIC is
advocating for greater privacy protection to ensure that the public health
response protects individuals. These systems should be lawful and
voluntary. There should be minimal collection of personally identifiable
information. The techniques should be robust, scalable, and provable. And
they should only be used during the pandemic emergency.

Our panelists will discuss ways in which governments can protect both public
health and privacy, the technology behind digital contact tracing apps, and
the Congressional response to privacy and the pandemic.

PANELISTS:
Jane Bambauer, Professor of Law at the University of Arizona
Alan Butler, Interim Executive Director and General Counsel, EPIC
Asad Ramzanali, Legislative Director, Representative Anna Eshoo [D-CA-18]
Bruce Schneier, Internationally renowned security technologist

MODERATOR:
Anita Allen, Professor of Law and Professor of Philosophy, University of
Pennsylvania Law School; Chair, EPIC Board of Directors

ABOUT EPIC:
https://epic.org/epic/about.html

------------------------------

Date: Wed, 27 May 2020 08:08:29 -0700
From: Diana Neuman <diana....@bacesecurity.org>
Subject: Risks to Elections in the COVID-19 Era

A Fireside Chat with Peter G. Neumann and Rebecca T. Mercuri
Wednesday 3 June 2020 11am PDT
Hosted by the (Becky) Bace Cybersecurity Institute

Flyer and Website
https://www.bacesecurity.org/page/2686

Diana Neuman, Executive Director, Bace Cybersecurity Institute
diana....@bacesecurity.org

------------------------------

Date: Mon, 1 Jun 2020 12:09:56 PDT
From: Brian Berg via AMW <a...@berglist.com>
Subject: Death or Utopia in the Next Three Decades

Special EE380/Asilomar Joint Event (Thu, June 4, 11am-1pm PDT)

Register at http://ee380.stanford.edu/register.html to receive a URL to
access the live virtual presentation

*Presentation will be published to YouTube shortly after the live event.*

Today the data suggests that we are near the beginning of a chaotic mess of
global proportions. Things are fairly simple: a global pandemic with no
tools to fight the virus, a global economy in disarray, climate change and
other existential risks beginning to intrude into our daily lives, and a
total lack of a plan as to what to do.

On the other hand, we are at the pinnacle of human capabilities and have, if
we so choose, the capability to create a Utopian egalitarian world without
conflict or want.

In this 2-hour program, a group of experts will explore the future, focusing
on 2030 and 2050.

Where are we now? What is trending? What if anything can be done about it?

You are invited to participate in a virtual conference live using Zoom
(version 5.0 or greater), or watch the recorded version when it is
published on YouTube. You must REGISTER (

http://ee380.stanford.edu/register.html) to receive a URL to access the
live virtual presentation and find the YouTube video of the presentation

*The Panel*

John Markoff* Stanford Institute for Human Centered AI, ex-NY
Times (Moderator)

Garrett Banning* Washington-based strategic thinker and analyst

Joy Buolamwini Algorithmic Justice League | Poet of Code ; Harvard

Carole Dumaine Consultant, NIC, CIA; Co-founder of Futures.org.

John Hennessy Stanford University professor, past President; Alphabet
BoD Chair

Michael Mann Earth System Science Center and Professor, Penn State

Carmine Medina Former CIA Deputy Director, Author of Rebels At Work

Paul Saffo Forecaster of technology change, Stanford Engineering Adjunct

Megan Smith CEO shift7, MIT Board, ex-CIO of the US under Obama

*Sponsors*

The Asilomar Microcomputer Workshop is one of the iconic gatherings which
supported the growth of computing. This is the first mini-conference which
replaces the 46th Asilomar Microcomputer Workshop, which was canceled due to
the COVID-19 pandemic. http://www.amw.org.

The Stanford EE Colloquium on Computer Systems, EE380, will present the
mini-conference as one of its offerings for Spring Quarter 2020.
http://ee380.stanford.edu

*Organizers*
Dennis Allison Program conception and organization
Robert Kennedy III Asilomar Microcomputer Workshop General Chair

------------------------------

Date: Mon, 01 Jun 2020 14:32:54 -0500
From: Bruce Schneier <schn...@schneier.com>
Subject: New Research Paper: "Privacy Threats in Intimate Relationships"

Just published:

"Privacy Threats in Intimate Relationships"
Karen Levy and Bruce Schneier
Journal of Cybersecurity, Volume 6, Issue 1, 2020.

Abstract: This article provides an overview of intimate threats: a class of
privacy threats that can arise within our families, romantic partnerships,
close friendships, and caregiving relationships. Many common assumptions
about privacy are upended in the context of these relationships, and many
otherwise effective protective measures fail when applied to intimate
threats. Those closest to us know the answers to our secret questions, have
access to our devices, and can exercise coercive power over us. We survey a
range of intimate relationships and describe their common features. Based
on these features, we explore implications for both technical privacy design
and policy, and offer design recommendations for ameliorating intimate
privacy risks.

https://academic.oup.com/cybersecurity/article/6/1/tyaa006/5849222

------------------------------

Date: Sat, 30 May 2020 18:11:52 -0700
From: Carlos Villalpando <unbe...@gmail.com>
Subject: Re: Tesla owner locked thief in car with his iPhone app (R 31 87)

> How long will it be before we see: "iPhone app bug allows anyone to lock
> Tesla owners into their cars"?

Never, I suspect. When I saw the original report in 31.87 I was suspect in
that Teslas don't have a "remote off" and there is no physical locking
mechanism. All "locking" the car does is tell the car to ignore the
exterior door handle microswitches. Attempting to duplicate this on my own
Tesla Model 3, the interior driver door button always obeyed, even if I
locked it with my phone; and on top of that, there's the mechanical door
release which bypasses the electronic lock. And the mechanical release is
most like all other vehicle door releases, and is used often by passengers
unfamiliar with the vehicle.

I suspect this was a case of someone not knowing how to deal with the
differences of how to operate the vehicle. The car has a non-standard way
of shifting into drive modes, and will not shift into drive mode without
detecting the phone key/keyfob inside the vehicle. I suspect the
carjacker was confused enough for the owner to get out of phone Bluetooth
range, and was too impaired to deal with what to do next.

[Thanks for that. I had problems with the original story, because it
did not make sense. PGN]

------------------------------

Date: Sun, 31 May 2020 12:43:37 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: The GitHub Arctic Code Vault (RISKS-31.92)

> "Think about all of the servers that are stored around the world that
> hold repositories of this code. The only way the Arctic vault would be
> useful is if the entire human civilization was essentially wiped out"

That's what Maersk had thought, before all their servers were hit by NotPetya
at once; they were saved only by a server in Ghana which happened to be
offline at the time.

The point is, it's not unthinkable that all repositories which belong to the
same owner, or relate to the same subject, or contain some specific
information, are hit at the same time by a carefully directed attack.

------------------------------

Date: 31 May 2020 16:17:08 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Choosing 2FA authenticator apps can be hard. Ars did it so you
don't have to (Ars Technica)

> Losing your 2FA codes can be bad. Having backups stolen can be worse. What
> to do?

My, what a gratuitous mess. The TOTP codes used by 2FA apps are in fact
base32 character strings to be hashed with a timestamp to produce the
six-digit codes used for authentication. The QR codes also contain the name
of the service and sometimes an image of its logo, but the base32 string is
all that matters. Whenever something shows you the QR code, there is
invariably a way to get it to show you the string, in case you can't scan
the QR code, and the apps have a way to enter the string manually.

Keeping this in mind I can suggest a variety of lowish-tech ways to avoid
losing your TOTP strings:

Scan them into more than one app when you get them.

Scan them into apps on more than one device. I use my phone, my tablet, and
a python script on my laptop.

Put the strings in a file on a device you leave at home, perhaps a USB stick
in a drawer. Print the strings out on a piece of paper and put it in your
wallet, with hints that make sense to you about which string goes with which
service. (The hints and the strings need not be in the same order so long as
you remember the mapping.)

It would take an extremely unusual bad guy to first steal your wallet and
then figure out what the scribbles on the paper mean. On the other hand if
you lose your phone, you can enter the strings into an app on your new phone
by hand and you're ready to go.
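The mechanism described in the post above (a base32 secret, HMAC'd with a
time-step counter and truncated to six digits), worked through as an added
example. This is not John Levine's script and not code from any 2FA app: it
is a standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP,
plus a parser for the otpauth://totp/ URI that a provisioning QR code
carries, showing that only the secret parameter matters. The key used is the
RFC reference secret (the base32 spelling of "12345678901234567890"), and the
spaced, lower-case form of it in the main block is constructed to mimic a
hand-written paper backup. The verify_totp() helper is the server-side
counterpart and is my own addition; a production verifier would also record
the last accepted counter so a code cannot be replayed within the window.

```python
"""TOTP from a base32 secret: RFC 4226 HOTP + RFC 6238 TOTP, stdlib only.
Added example, not code from the RISKS post or from any authenticator app."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def decode_base32_secret(text: str) -> bytes:
    """Turn a printed or hand-typed base32 string back into the raw HMAC key.
    Tolerates lower case, spaces, dashes and missing '=' padding, which is
    what a paper backup or a manual-entry field typically produces."""
    cleaned = "".join(text.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                    # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at=None, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: the HOTP counter is the number of whole periods since the epoch."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/<label>?secret=...&issuer=... URI that a
    provisioning QR code encodes. Everything except 'secret' is a display hint."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def verify_totp(key: bytes, submitted: str, at=None, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check (added helper): accept codes from `window` adjacent
    periods to absorb clock drift, and compare in constant time."""
    if at is None:
        at = time.time()
    counter = int(at) // period
    for delta in range(-window, window + 1):
        expected = hotp(key, counter + delta, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed: the RFC reference secret as it might be scribbled on paper.
    paper_backup = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    key = decode_base32_secret(paper_backup)
    print("current code:", totp(key))
```

The point the post makes is visible in parse_otpauth(): the QR code is just
a URI, and the base32 string in its secret parameter is the entire key, so
whatever medium preserves that string (a second app, a file, a slip of paper)
preserves the ability to regenerate codes.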

------------------------------

Date: Mon, 1 Jun 2020 00:52:59 -0400
From: "R. G. Newbury" <new...@mandamus.org>
Subject: Re: Vitamin C (RISKS-31.91)

This awesome news about Vitamin C is breaking as we .... oh, wait! 71 years
old, next month. Clearly it was ignored if not anathematized as impossible
by the medical establishment. (I am reminded of Helicobacter pylori being
'unpossible'.)

Dr. Klenner got amazing results against all sorts of viral diseases. The
results point to the importance of a healthy immune system as the first line
of defence.

Interesting to see that the bureaucracy was already in full force and power
back in 1949:

(3) Routine lumbar puncture would have made it obligatory to report each
case as diagnosed to the health authorities. This would have deprived myself
of valuable clinical material and the patients of most valuable therapy,
since they would have been removed to a receiving center in a nearby town.

I had to use some web-fu: 1000 mg of Vitamin C is 20,000 IU. So these
were not small doses and delivery seemed to require injection to be useful.

Interesting that it works on shingles.
Thanks to Andre Carezia for finding this and passing it on.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.93
************************
