
Risks Digest 30.71

RISKS-LIST: Risks-Forum Digest Tuesday 5 June 2018 Volume 30 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.71>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Microsoft to acquire GitHub for $7.5 billion (Lauren Weinstein)
Bitcoin backlash as 'miners' suck up electricity, stress power grids
in Central Washington (Seattle Times)
Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold
(Joon Ian Wong)
Google to remove "secure" indicator from HTTPS pages on Chrome (Keith Medcalf,
Gene Wirchenko, John Levine)
"How your web browser tells you when it's safe" (Gregg Keizer)
"Smart lock user? Z-wave pairing flaw lets attackers open your doors
from yards away" (Liam Tung)
FBI tells router users to reboot now to kill malware infecting 500k
devices (Dan Goodin)
Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)
How One Company Scammed Silicon Valley. And How It Got Caught.
(John Carreyrou)
Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era? (NPR)
YouTube stars' fury over algorithm tests (BBC.com)
Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later (Fortune)
Amazon's Echo privacy flub has big implications for IT (Evan Schuman)
"Bank of Montreal, CIBC's Simplii Financial report customer data
breaches" (Asha McLean)
License Plate Risks (Jeremy Ardley)
"Jira bug exposed private server keys at major companies, researcher finds"
(Zack Whittaker)
Google Started a Political Sh*tstorm Because of Its Over-Reliance on
Wikipedia (Motherboard)
Signs of sophisticated cellphone spying found near White House, U.S.
officials say (WaPo)
Massive Visa Outage Shows the Fragility of Global Payments (WiReD)
How can criminals manipulate cryptocurrency markets?
(The Conversation)
Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds of User
Email Addresses (Gizmodo)
Commentary: GDPR Misses the Point (Fortune)
GDPR, Privacy, and CISSPforum vs "Community" (Rob Slade)
German spy agency can keep tabs on Internet hubs: court (Phys)
Trendism and cognitive stagnation (John Ohno)
Re: Securing Elections (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 4 Jun 2018 10:34:09 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Microsoft to acquire GitHub for $7.5 billion

via NNSquad
Microsoft Corp. on Monday announced it has reached an agreement to acquire
GitHub, the world's leading software development platform where more than
28 million developers learn, share and collaborate to create the
future. Together, the two companies will empower developers to achieve
more at every stage of the development lifecycle, accelerate enterprise
use of GitHub, and bring Microsoft's developer tools and services to new
audiences.

All GitHub users forthwith will be required to run Windows 10 or subsequent
Microsoft operating systems with all privacy options disabled, manage their
code only by voice via Cortana, and install the new Microsoft Clippy 2018!
Microsoft Office Assistant on all of their devices. Microsoft will now scan
all GitHub materials for patent infringement and turn violators over to
local authorities for arrest.

------------------------------

Date: Sun, 27 May 2018 14:40:13 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Bitcoin backlash as 'miners' suck up electricity, stress power grids
in Central Washington (Seattle Times)

NNSquad
http://www.seattletimes.com/business/bitcoin-backlash-as-miners-suck-up-electricity-stress-power-grids-in-central-washington/

But it's not simply the scale of requests that is perplexing utility
staff. Many would-be miners have no understanding of how large power
purchases work. In one case this winter, miners from China landed their
private jet at the local airport, drove a rental car to the visitor center
at the Rocky Reach Dam, just north of Wenatchee, and, according to Chelan
County PUD officials, politely asked to see the "dam master because we
want to buy some electricity." Bitcoin fever has created other,
smaller-scale problems for the utility. Three times a week, on average,
utility crews in Chelan County discover unpermitted home miners running
computer servers far too large for the electrical grids of residential
neighborhoods. In one instance last year, the transformer outside a
bootleg miner's home overheated and touched off a grass fire, Chelan
County PUD officials say.

Just cut these cryptocurrency mining parasites off. Knock them off the
grid. If they can generate their own power safely, fine. Otherwise, to hell
with them.

------------------------------

Date: May 26, 2018 at 8:10:52 AM EDT
From: Dewayne Hendricks <dew...@warpspeed.com>
Subject: Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold
(Joon Ian Wong)

Joon Ian Wong, QZ, 24 May 2018
http://qz.com/1287701/bitcoin-golds-51-attack-is-every-cryptocurrencys-nightmare-scenario/

Bitcoin Gold is a fork, or spin-off, of the original cryptocurrency,
bitcoin. It shares much of the same code and works in a similar way to
bitcoin, with Bitcoin Gold miners contributing computational power to
process new transactions. That also means it faces the same vulnerabilities
as bitcoin, but without the protections that come from the large, dispersed
group of people and organizations whose computers are powering the bitcoin
blockchain.

In recent days the nightmare scenario for any cryptocurrency is playing out
for Bitcoin Gold, as an attacker has taken control of its blockchain and
proceeded to defraud cryptocurrency exchanges. All the Bitcoin Gold in
circulation is valued at $786 million, according to data provider
Coinmarketcap. Blockchains are designed to be decentralized but when an
individual or group acting in concert controls the majority of a
blockchain's processing power, they can tamper with transactions and pave
the way for fraud. This is known as a 51% attack.

The possibility of a 51% attack has been one of the concerns institutions
such as banks and tech companies have had over the years about using the
blockchain for transactions; some have worried that the Chinese government
could at some point endeavor to do that, ordering all of the Chinese bitcoin
miners to act in concert. It's unlikely for bitcoin, but for smaller
cryptocurrencies, 51% attacks are a concern, one dramatized on a recent
episode of HBO's series Silicon Valley.

Cryptocurrency miners commit their computer processing power--or hash
power--to adding new transactions to a coin's blockchain. They are rewarded
in units of the coin in return. The idea is that these incentives create
competition among miners to add more hash power to the chain. The more hash
power is added, the better the chances of winning a reward.

So what's a 51% attack? It's when a single miner controls more than half of
the hash power on a particular blockchain. When this happens, that miner can
mess with transactions in a bunch of ways, including spending coins
twice. This is the *double-spending problem*, a puzzle surrounding digital
money that has vexed computer scientists for years -- and which was solved
by bitcoin. But the solution only holds if no single miner controls the
majority of the hash power on a chain.

Bitcoin Gold has been experiencing double-spending attacks for at least a
week, according to forum posts by Bitcoin Gold director of communications
Edward Iskra. Someone has taken control of more than half of Bitcoin Gold's
hash rate and is double-spending coins. Since an attacker must spend coins
in his or her possession, and can't conjure up new coins, the attack is
somewhat limited.

What's happening now, according to Iskra, is that exchanges that
automatically accept large deposits are being targeted. The fraudster
deposits Bitcoin Gold into an account at an exchange, where coins are
traded. Once the exchange credits the Bitcoin Gold to the attacker's
account, the attacker trades those coins for another cryptocurrency and
withdraws it. The attacker can repeatedly make deposits of the same Bitcoin
Gold it deposited in the first exchange and profit in this way.

A bunch of other cryptocurrencies have been attacked in similar ways
recently. Something called Verge has been hit twice in the last two months,
leading to $2.7 million being stolen. The exotic-sounding coins Monacoin and
Electroneum have also suffered from 51% attacks not too long ago.
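The exchange-targeting double spend described above, as an added example that is
not part of Wong's article or this RISKS post: a toy proof-of-work simulation
(block hashes, longest-chain rule, one block per round awarded by a random draw
weighted by hash share; all constructed here, not Bitcoin Gold's code). The
attacker broadcasts a deposit, waits for the exchange to credit it after a chosen
number of confirmations, then reveals a longer private chain that spends the same
coin back to itself. Hash-rate shares, confirmation depth and trial counts are
illustrative parameters, not figures from the attack.

```python
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    parent: str          # hash of the previous block
    txs: tuple           # transactions carried by this block
    nonce: int

    @property
    def hash(self) -> str:
        return hashlib.sha256(f"{self.parent}|{self.txs}|{self.nonce}".encode()).hexdigest()


GENESIS = Block("0" * 64, (), 0)
DEPOSIT = "coinA -> exchange"    # what the attacker broadcasts publicly
CONFLICT = "coinA -> attacker"   # what the attacker mines privately: the same coin, spent twice


def extend(chain: list, txs: tuple, nonce: int) -> None:
    chain.append(Block(chain[-1].hash, txs, nonce))


def run_attack(attacker_share: float, confirmations: int, seed: int, max_rounds: int = 2000) -> dict:
    """One attempt. The attacker owns `attacker_share` of the hash rate and needs the
    exchange to credit DEPOSIT (after `confirmations` blocks) before revealing a longer
    chain that does not contain it. Returns whether the reorg happened."""
    rng = random.Random(seed)
    public = [GENESIS]
    private = [GENESIS]
    extend(public, (DEPOSIT,), 0)     # deposit tx mined into the public chain
    extend(private, (CONFLICT,), 0)   # attacker's secret fork spends coinA back to itself
    credited = False
    for rnd in range(1, max_rounds + 1):
        # each round one block is found; whoever has more hash power finds it more often
        if rng.random() < attacker_share:
            extend(private, (), rnd)
        else:
            extend(public, (), rnd)
        if not credited and len(public) - 1 >= confirmations:
            credited = True   # exchange credits the deposit; attacker trades and withdraws
        if credited and len(private) > len(public):
            # attacker publishes; nodes follow the longest chain, which carries no DEPOSIT
            adopted = private
            return {"success": True, "rounds": rnd,
                    "deposit_in_adopted_chain": any(DEPOSIT in b.txs for b in adopted)}
    return {"success": False, "rounds": max_rounds, "deposit_in_adopted_chain": True}


def success_rate(attacker_share: float, confirmations: int, trials: int = 100) -> float:
    """Fraction of independent attempts in which the double spend succeeds."""
    wins = sum(run_attack(attacker_share, confirmations, seed)["success"] for seed in range(trials))
    return wins / trials


if __name__ == "__main__":
    for share in (0.25, 0.45, 0.67):
        print(f"attacker hash share {share:.2f}: double-spend succeeds in "
              f"{success_rate(share, confirmations=6):.0%} of trials")
```

Running it shows both halves of the article's point: well below half the hash rate
the attacker usually fails and deeper confirmation requirements push the rate down
further; at or above half, confirmation depth only delays the reorg, because the
private chain outgrows the public one with probability one. Note also that the
attacker only ever spends coinA, which it owns; the model creates no coins from
nothing.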

------------------------------

Date: Sat, 26 May 2018 18:03:44 -0600
From: "Keith Medcalf" <kmed...@dessus.com>
Subject: Google to remove "secure" indicator from HTTPS pages on Chrome

Google should be keelhauled for this (or at least the dolts who thought it
up should be keelhauled, and the sailors doing the hauling should be given
three toddies of rum when the googlers are half-way along the keel). HTTPS
does not mean that the Web Site is secure. It means that it is transport
encrypted. Similarly, that the web site is not using SSL/TLS does not mean
it is insecure -- it simply means that the transport is not encrypted.

There is a *LOT* more to being *secure* than merely engaging transport
security. It should be noted that Google will not detect "forged" or MITM
certificates, and that as a result much of what they hold out as "secure"
actually does not even have meaningful transport security.

------------------------------

Date: Fri, 18 May 2018 09:13:42 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: Google to remove `secure' indicator from HTTPS pages on Chrome
(ZDNet)

[In other news, your local second-level (province, state, prefecture,
etc.) government announced plans to remove those curve speed caution signs
to make the roads safer. Well, not actually. They have a bit more sense
than Google. GW]

http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

Stephanie Condon, ZDNet, 17 May 2018
Google to remove "secure" indicator from HTTPS pages on Chrome
Users should expect the web to be safe by default, Google explained.

As part of its push to make the web safer, Google on Thursday said it will
stop marking HTTPS pages as "secure."

The logic behind the move, Google explained, is that "users should expect
that the web is safe by default." It will remove the green padlock and
"secure" wording from the address bar beginning with Chrome 69 in September.

------------------------------

Date: 28 May 2018 11:45:16 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Google to remove "secure" indicator from HTTPS pages on Chrome
(ZDNet)

Google previously announced that it would mark HTTP pages as "not
secure" beginning with Chrome 68 in July.

By October with Chrome 70, Google will start showing a red "not
secure" warning when users enter data on HTTP pages. "Previously, HTTP
usage was too high to mark all HTTP pages with a strong red warning,"
Google said.

------------------------------

Date: Sun, 27 May 2018 08:54:17 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "How your web browser tells you when it's safe" (Gregg Keizer)

Gregg Keizer, Computerworld, 23 May 2018
https://www.computerworld.com/article/3275726/web-browsers/how-your-web-browser-tells-you-when-its-safe.html

As Google moves to change how its Chrome browser flags insecure websites,
rival browsers may be forced to follow suit. Here's how other browsers
currently handle website security and what changes they have coming.

selected text:

Google last week spelled out the schedule it will use to reverse years of
advice from security experts when browsing the Web - to "look for the
padlock." Starting in July, the search giant will mark insecure URLs in its
market-dominant Chrome, not those that already are secure. Google's goal?
Pressure all website owners to adopt digital certificates and encrypt the
traffic of all their pages.

Security pros praised Google's campaign, and the probable end-game. "I
won't have to tell my mom to look for the padlock," said Chester Wisniewski,
principal research scientist at security firm Sophos, of the
switcheroo. "She can just use her computer."

[Let us change stuff for the people who do not know much about computers.
That will make things simpler for them. These two sentences do not belong
together.]

But what are Chrome's rivals doing? Marching in step or sticking to
tradition? Computerworld fired up the Big Four -- Chrome, Mozilla's Firefox,
Apple's Safari and Microsoft's Edge -- to find out.

------------------------------

Date: Sun, 27 May 2018 09:07:11 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Smart lock user? Z-wave pairing flaw lets attackers open your doors
from yards away" (Liam Tung)

Liam Tung, ZDNet, 25 May 2018
https://www.zdnet.com/article/smart-lock-user-z-wave-pairing-flaw-lets-attackers-open-your-door-from-yards-away/
Up to 100 million Internet of Things devices could be at risk.

starting text:

Hackers may be able to remotely unlock your smart lock if it relies on the
Z-Wave wireless protocol.

According to researchers at UK firm Pen Test Partners, Z-Wave is vulnerable
to an attack that forces the current secure pairing mechanism, known as S2,
to an earlier version with known weaknesses, called S0.

The problem with S0 is that when two devices, like a controller and a smart
lock, are pairing, it encrypts the key exchange using a hardcoded key
'0000000000000000'. So, an attacker could capture traffic on the network and
easily decrypt it to discover the key.

S2 fixed this problem by employing the Diffie-Hellman algorithm for securely
sharing secret keys, but the downgrade removes that protection.

The researchers have posted a video demonstrating the downgrade attack --
dubbed Z-Shave -- on a Conexis L1 Smart Door Lock from lock manufacturer
Yale. They note that an attacker within about 100 meters could, after the
downgrade attack, then steal the keys to the smart lock.

Z-Wave chips are in 100 million smart gadgets, from lights to heating
systems, but the risk is greater for things with security applications, such
as locks.
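The two pieces of the Z-Shave story above, as an added example that is neither
Pen Test Partners' code nor the Z-Wave stack: (1) why an S0 key exchange is
readable by anyone who captured it, since the network key travels encrypted
under a key every device knows, and (2) the downgrade, modelled as an attacker
stripping S2 from the joining device's capability announcement before the
controller sees it. Assumptions, labelled in the code: the stream cipher is an
HMAC-SHA256 keystream standing in for Z-Wave's AES-based frame encryption (chosen
so the example runs on the standard library; the weakness does not depend on the
cipher, only on the key being public), the S2 Diffie-Hellman exchange is not
modelled, and the "require S2 for this device" controller policy is this
example's mitigation, not a remediation the article reports.

```python
import hashlib
import hmac
import os

# S0's hard-coded temporary key: sixteen zero bytes, known to every vendor and attacker.
S0_TEMP_KEY = bytes(16)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-encrypt/decrypt `data` under (key, nonce).
    Assumption: HMAC-SHA256 keystream as a stand-in for Z-Wave's AES-based cipher."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def s0_key_exchange(network_key: bytes, nonce: bytes = None) -> dict:
    """S0 inclusion: the controller sends the network key encrypted under S0_TEMP_KEY."""
    nonce = nonce or os.urandom(8)
    return {"scheme": "S0", "nonce": nonce,
            "ciphertext": keystream_xor(S0_TEMP_KEY, nonce, network_key)}


def eavesdropper_recovers_key(captured_frame: dict):
    """Anyone who captured the S0 frame decrypts it with the well-known zero key.
    S2 frames are keyed from a Diffie-Hellman exchange (not modelled): nothing to recover."""
    if captured_frame["scheme"] != "S0":
        return None
    return keystream_xor(S0_TEMP_KEY, captured_frame["nonce"], captured_frame["ciphertext"])


def attacker_strips_s2(advertised: set) -> set:
    """The downgrade: an attacker in radio range rewrites the joining device's
    capability announcement so the controller believes it only supports S0."""
    return advertised - {"S2"}


def controller_pair(advertised: set, network_key: bytes, require_s2: bool):
    """Controller-side scheme selection. Returns (scheme, frame_sent_on_air).
    With require_s2=False it takes the best scheme the (possibly tampered)
    advertisement offers and falls back to S0; with require_s2=True it refuses S0."""
    if "S2" in advertised:
        return "S2", None
    if "S0" in advertised and not require_s2:
        return "S0", s0_key_exchange(network_key)
    return None, None   # pairing refused


def downgrade_scenario(require_s2: bool) -> dict:
    """A lock that supports S2 and S0 joins while an attacker tampers with its advertisement."""
    network_key = os.urandom(16)
    lock_advertises = {"S2", "S0"}
    seen_by_controller = attacker_strips_s2(lock_advertises)
    scheme, frame = controller_pair(seen_by_controller, network_key, require_s2)
    recovered = eavesdropper_recovers_key(frame) if frame else None
    return {"scheme": scheme, "key_recovered": recovered == network_key}


if __name__ == "__main__":
    print("controller accepts S0 fallback:", downgrade_scenario(require_s2=False))
    print("controller requires S2:        ", downgrade_scenario(require_s2=True))
```

The point the example makes is that the S0 cipher is never "broken": the
eavesdropper simply runs the same decryption the lock runs, with the same key.
Any controller that will still complete an S0 inclusion for a device class where
the key matters hands the network key to whoever was listening, whatever the
device itself is capable of.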

------------------------------

Date: May 27, 2018 at 9:56:50 AM EDT
From: Dewayne Hendricks <dew...@warpspeed.com>
Subject: FBI tells router users to reboot now to kill malware infecting 500k
devices (Dan Goodin)

Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
Dan Goodin, Ars Technica, 25 May 2018

http://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

The FBI is advising users of consumer-grade routers and network-attached
storage devices to reboot them as soon as possible to counter
Russian-engineered malware that has infected hundreds of thousands of devices.

Researchers from Cisco's Talos security team first disclosed the
existence of the malware on Wednesday. The detailed report said the malware
infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP,
and TP-Link. Known as VPNFilter, the malware allowed attackers to collect
communications, launch attacks on others, and permanently destroy the
devices with a single command. The report said the malware was developed by
hackers working for an advanced nation, possibly Russia, and advised users
of affected router models to perform a factory reset, or at a minimum to
reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed
developed by a Russian hacking group, one known by a variety of names,
including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also
said the FBI had seized an Internet domain VPNFilter used as a backup means
to deliver later stages of the malware to devices that were already infected
with the initial stage 1. The seizure meant that the primary and secondary
means to deliver stages 2 and 3 had been dismantled, leaving only a third
fallback, which relied on attackers sending special packets to each infected
device.

Limited persistence

The redundant mechanisms for delivering the later stages address a
fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a
reboot, meaning they are wiped clean as soon as a device is
restarted. Instead, only stage 1 remains. Presumably, once an infected
device reboots, stage 1 will cause it to reach out to the recently seized
ToKnowAll.com address. The FBI's advice to reboot small office and home
office routers and NAS devices capitalizes on this limitation. In a
statement published Friday, FBI officials suggested that users of all
consumer-grade routers, not just those known to be vulnerable to VPNFilter,
protect themselves. The officials wrote:

The FBI recommends any owner of small office and home office routers reboot
the devices to temporarily disrupt the malware and aid the potential
identification of infected devices. Owners are advised to consider disabling
remote management settings on devices and secure with strong passwords and
encryption when enabled. Network devices should be upgraded to the latest
available versions of firmware.

In a statement also published Friday, Justice Department officials wrote:

Owners of SOHO and NAS devices that may be infected should reboot their
devices as soon as possible, temporarily eliminating the second stage
malware and causing the first stage malware on their device to call out
for instructions. Although devices will remain vulnerable to reinfection
with the second stage malware while connected to the Internet, these
efforts maximize opportunities to identify and remediate the infection
worldwide in the time available before Sofacy actors learn of the
vulnerability in their command-and-control infrastructure.

The US Department of Homeland Security has also issued a statement advising
that "all SOHO router owners power cycle (reboot) their devices to
temporarily disrupt the malware."

As noted in the statements, rebooting serves the objectives of (1)
temporarily preventing infected devices from running the stages that collect
data and other advanced attacks and (2) helping FBI officials to track who
was infected. Friday's statement said the FBI is working with the non-profit
Shadow Foundation to disseminate the IP addresses of infected devices to
ISPs and foreign authorities to notify end users.

Authorities and researchers still don't know for certain how compromised
devices are initially infected. They suspect the attackers exploited known
vulnerabilities and default passwords that end users had yet to patch or
change. That uncertainty is likely driving the advice in the FBI statement
that all router and NAS users reboot, rather than only users of the 14
models known to be affected by VPNFilter [...]
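The detection side of the reboot advice, as an added example that is not from
Goodin's article, Talos, or the FBI: stage 1 is the only part of VPNFilter that
survives a reboot, and after a reboot it reaches out to the seized domain the
article names (ToKnowAll.com), so a device that resolves that domain *after* its
last boot has a persistent stage 1 and needs a factory reset and reflash rather
than another reboot. The resolver and boot log lines below are constructed for
the example (dnsmasq-style "<ts> <client> query[<type>] <name>" and
"<ts> <client> boot"), not a real capture; the indicator list holds only the
domain the article mentions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Stage-1 callback indicator named in the article; subdomains and case variants match too.
CALLBACK_DOMAINS = ("toknowall.com",)

# Constructed resolver log (not a real capture).
SAMPLE_DNS_LOG = """\
2018-05-26T03:12:07Z 192.168.1.1 query[A] ToKnowAll.com
2018-05-26T03:12:09Z 192.168.1.30 query[A] www.example.org
2018-05-26T03:40:51Z 192.168.1.1 query[A] toknowall.com
2018-05-26T04:02:13Z 192.168.1.12 query[AAAA] cdn.example.net
2018-05-26T05:15:00Z 10.0.0.254 query[A] update.toknowall.com
2018-05-26T05:15:01Z 10.0.0.254 query[A] nottoknowall.com
"""

# Constructed boot events per device, e.g. from syslog or DHCP lease renewals (assumption).
SAMPLE_BOOT_LOG = """\
2018-05-26T03:30:00Z 192.168.1.1 boot
2018-05-26T05:20:00Z 10.0.0.254 boot
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s*$")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def matches_indicator(name: str, indicators=CALLBACK_DOMAINS) -> bool:
    """Exact or subdomain match, case-insensitive, ignoring a trailing dot."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def find_stage1_callbacks(log_text: str, indicators=CALLBACK_DOMAINS) -> dict:
    """Return {client_ip: [timestamps]} for every client that resolved a callback domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and matches_indicator(m["name"], indicators):
            hits[m["client"]].append(parse_ts(m["ts"]))
    return dict(hits)


def parse_boots(log_text: str) -> dict:
    """Most recent boot time per client."""
    boots = {}
    for line in log_text.splitlines():
        ts, client, event = line.split()
        if event == "boot":
            boots[client] = max(boots.get(client, datetime.min), parse_ts(ts))
    return boots


def persistent_after_reboot(callbacks: dict, boots: dict) -> set:
    """Clients that resolved a callback domain after their last boot: stage 1 survived the
    reboot, so the device needs a factory reset and firmware reflash, not another reboot."""
    return {ip for ip, times in callbacks.items()
            if ip in boots and any(t > boots[ip] for t in times)}


if __name__ == "__main__":
    hits = find_stage1_callbacks(SAMPLE_DNS_LOG)
    print("callbacks:", {ip: [t.isoformat() for t in ts] for ip, ts in hits.items()})
    print("persistent stage 1:", persistent_after_reboot(hits, parse_boots(SAMPLE_BOOT_LOG)))
```

In the constructed data 192.168.1.1 calls out again after its boot and is flagged;
10.0.0.254 has only a pre-reboot callback so far and is just a device to keep
watching. The domain is sinkholed in the article's timeline, so the query itself is
harmless, which is exactly what makes it a clean indicator.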

------------------------------

Date: Sun, 27 May 2018 13:25:03 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

*The New York Times*

``Those are the decisions you don't want to be making for the first time
during a real attack,'' said Bob Stasio, IBM's cyber range operations
manager and a former operations chief for the National Security Agency's
cyber center. One financial company's executive team did such a poor job of
talking to its technical team during a past IBM training drill, Mr. Stasio
said, that he went home and canceled his credit card with them.

Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical
touches. Whiteboards and giant monitors fill nearly every wall, with
graphics that can be manipulated by touch.

``You can't have a fusion center unless you have really cool TVs,'' quipped
Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
global cybersecurity head, at a recent cybercrime conference. ``It's even
better if they do something when you touch them. It doesn't matter what
they do. Just something.''

Security pros mockingly refer to such eye candy as `pew pew' maps, an
onomatopoeia for the noise of laser guns in 1980s movies and video
arcades. They are especially useful, executives concede, to put on display
when V.I.P.s or board members stop by for a tour. Two popular pew maps are
from FireEye https://www.fireeye.com/cyber-map/threat-map.html and the
defunct security vendor Norse http://www.norsecorp.com/ whose video
game-like maps show laser beams zapping across the globe. Norse went out of
business two years ago, and no one is sure what data the map is based on, but
everyone agrees that it looks cool.

http://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

------------------------------

Date: Sun, 27 May 2018 16:26:44 -0700
From: Richard M Stein <rms...@ieee.org>
Subject: How One Company Scammed Silicon Valley. And How It Got Caught.
(John Carreyrou)

BAD BLOOD
John Carreyrou
Secrets and Lies in a Silicon Valley Startup
352 pp. Alfred A. Knopf. $27.95.
*The New York Times* Book Review
http://www.nytimes.com/2018/05/21/books/review/bad-blood-john-carreyro

"Despite warnings from employees that Theranos wasn't ready to go live on
human subjects -- its devices were likened to an eighth-grade science
project -- Holmes was unwilling to disappoint investors or her commercial
partners. The result was a fiasco. Samples were stored at incorrect
temperatures. Patients got faulty results and were rushed to emergency
rooms. People who called Theranos to complain were ignored; employees who
questioned its technology, its quality control or its ethics were
fired. Ultimately, nearly a million tests conducted in California and
Arizona had to be voided or corrected."

Investors and personalities enamored by technological wizardry, though based
on fundamentally fraudulent solutions, were suckered in by Theranos' promise
to revolutionize routine blood tests with a few tiny blood droplets from a
pinprick. ~US$ 1B dropped on a real "unicorn" sighting.

The Theranos founder, Elizabeth Holmes, preferred sycophants and colleagues
who possessed 110-ohm noses (striped brown-brown-brown per the Resistor
color code) that kissed her fanny. Findings and facts that disputed her
vision were concealed from investors. Knowing how to ask the right questions
remains a valuable skill to possess.

When an ethical, professional engineer confronts a situation of this nature,
there are few alternatives to pursue: (a) become a whistle-blower; (b)
continue to document findings that support legal discovery and a fraud
investigation while holding your nose and tongue; or, (c) jump ship at the
earliest opportunity.

If something appears too good to be true, it is likely the case.
P.T. Barnum, the circus entrepreneur, is reputed to have said, "There's a
sucker born every minute." An aphorism that remains prescient today for the
incurious or greedy.

------------------------------

Date: Sun, 27 May 2018 17:30:59 -0700
From: Richard M Stein <rms...@ieee.org>
Subject: Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era? (NPR)

https://www.npr.org/templates/transcript/transcript.php?storyId=6140792

Get out your checkbook or boost your PayPal account balance. All the free
services "enjoyed" today, that exploit volunteered information for a little
dopamine, will shift to a subscription or micropayment model.

The Internet as a true utility, like the water and power that comes out of
the wall, billed per bit. Internet disenfranchisement is likely to evolve if
meter ticks attributed to premium information become unaffordable.

Will governments introduce a subsidy -- a new entitlement -- to boost the
information "have-nots" into a realm approximating the "haves"? Or will there
be a multi-tier model -- surrender your data for 24x7 tracking and attention
whipsaw for free, versus pay for the right to volunteer data with an
explicit opt-in (EU ePrivacy) granting license and viewing preferences as
the product?

------------------------------

Date: Mon, 28 May 2018 08:05:13 -0700
From: Richard M Stein <rms...@ieee.org>
Subject: YouTube stars' fury over algorithm tests (BBC.com)

http://www.bbc.com/news/technology-44279189

'Originally, the YouTube subscription feed was a chronological list of
videos from all the channels that a person had chosen to "subscribe"
to. The system let people curate a personalised feed full of content from
their favourite video-makers.

'However, many video-makers have previously complained that some of their
videos have not appeared in the subscription feed, and have questioned
whether YouTube manipulates the list to boost viewer retention and
advertising revenue.

'YouTube's latest experiment -- which it said appeared for a "small number"
of users -- changed the order of videos in the feed. Instead of showing the
most recent videos at the top, YouTube said the manipulated feed showed
people "the videos they want to watch".'

Algorithmic refactoring experiment adjusts video delivery order.
YouTube apparently 'wins' over content creator/copyright owners,
despite subscription historical preference and profile settings.

------------------------------

Date: Tue, 29 May 2018 16:10:52 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later
(Fortune)

http://fortune.com/2018/05/25/woman-charged-7000-for-toilet-paper-ordered-amazon-refunded/

The risk? Online/automated/robot cashiers. Same as my grocery store
self-checkout charged me for 22 avocados instead of 2. At least I could get
quick refund from on-scene humans.

------------------------------

Date: Tue, 29 May 2018 17:14:58 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: Amazon's Echo privacy flub has big implications for IT (Evan Schuman)

Evan Schuman, *Computerworld*, 26 May 2018
https://www.computerworld.com/article/3276347/mobile-wireless/amazons-echo-privacy-flub-has-big-implications-for-it.html

Amazon has confirmed that one of its Echo devices recorded a family's
conversation and then messaged it to a random person on the family's contact
list. The implications are terrifying.

------------------------------

Date: Tue, 29 May 2018 17:34:18 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Bank of Montreal, CIBC's Simplii Financial report customer data
breaches" (Asha McLean)

Asha McLean, ZDNet, 29 May 2018
http://www.zdnet.com/article/bank-of-montreal-cibcs-simplii-financial-confirm-customer-data-breaches/

Bank of Montreal, CIBC's Simplii Financial report customer data breaches
The Canadian banks have reported being contacted by external 'fraudsters'
claiming to have accessed information on an estimated 90,000 customers.

------------------------------

The trial appears to be limited to 24 plates.

The plates are digital displays that can be updated and modified remotely.
Therefore, they can be updated immediately once car registration is updated.
They can also be used to "broadcast" messages such as emergency and amber
alerts, and can be set to display personal messages when the car is not in
motion.

http://www.dailymail.co.uk/sciencetech/article-5781915/California-starts-trial-digital-license-plates-allow-police-track-move.html
or https://is.gd/NRJ4Ey

The plates also broadcast information to sensors in or beside roads, and can
communicate with each other.

I trust it is not too difficult to point out the huge numbers of ways these
plates could be attacked or misused.

------------------------------

Asha McLean, ZDNet, 1 Jun 2018
CBA sent over 650 emails holding data on 10k customers in error. The bank
has admitted discovering an issue with emails going to incorrect addresses.
https://www.zdnet.com/article/cba-sent-over-650-emails-holding-data-on-10k-customers-in-error/

opening text:

The Commonwealth Bank of Australia (CBA) has once again found itself in the
spotlight for the potential mishandling of customer information, admitting
it had sent over 650 incorrectly addressed internal emails.

The bank said on Friday it had completed an investigation that was initiated
after a concern was raised about internal CBA emails being inadvertently
sent to email addresses using the cba.com domain, prior to taking ownership
of that domain in April 2017.

Its usual email domain is cba.com.au.

------------------------------

Date: Thu, 31 May 2018 07:21:49 +0800
From: Jeremy Ardley <jer...@ardley.org>
Subject: License Plate Risks

Two different dynamically changeable number plates.

The traditional:
http://www.youtube.com/watch?v=wSFXyIlq5xw

The $699 plus $7/month electronic paper version issued by the California
Department of Motor Vehicles:
https://youtu.be/XgyuIVePdEc

I leave it as an exercise for the reader as to what risks exist in
either. Asides that is from pointing out the stupidity of an electronic tag
in the age of high quality Automatic Number Plate Recognition systems linked
to a licensing computer.

However, there is a second risk in being able to detect unlicensed vehicles;
work overload. The Western Australian Police have had to turn off the
unlicensed vehicle feature in their ANPR system because there are too many
alerts!

"WA Police 'can't cope' with high number of auto-detect car registration
alerts"

http://www.abc.net.au/news/2014-06-17/end-of-the-road-for-police-alert-software/5528160

------------------------------

Date: Wed, 30 May 2018 18:37:19 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Jira bug exposed private server keys at major companies,
researcher finds" (Zack Whittaker)

Zack Whittaker, ZDNet, 30 May 2018
https://www.zdnet.com/article/jira-bug-exposed-private-server-keys-at-major-companies-researcher-finds/

Jira bug exposed private server keys at major companies, researcher finds
A major TV network, a UK cell giant, and one US government agency are among
the companies affected.

------------------------------

Date: Thu, 31 May 2018 19:39:42 -0400
From: José María Mateos <ch...@rinzewind.org>
Subject: Google Started a Political Sh*tstorm Because of Its Over-Reliance
on Wikipedia (Motherboard)

https://motherboard.vice.com/en_us/article/435n9j/google-republicans-are-nazis-explanation

As VICE News reported earlier Thursday, a Google search for `California
Republican Party' resulted in Google listing `Nazism' as the ideology of the
party. This happened because of Google's Featured Snippets tool, which pulls
basic information for search terms and puts it on the front page. These are
also sometimes called Google Cards and Knowledge Panels.

The information on these cards is often taken from Wikipedia entries, which
is what seems to have happened here. Six days ago, someone edited the
Wikipedia page for `California Republican Party' to include `Nazism',
something that wasn't changed until Wednesday, Wikipedia's edit logs show.

You take content from another site and put it into yours and pretend it's
"the truth", and all that is an automated process. Can't see what might go
wrong there.

------------------------------

Date: Fri, 01 Jun 2018 15:36:42 -0700
From: RICHARD M STEIN <rms...@ieee.org>
Subject: Signs of sophisticated cellphone spying found near White House,
U.S. officials say (WaPo)

https://www.washingtonpost.com/news/the-switch/wp/2018/06/01/signs-of-sophisticated-cell-phone-spying-found-near-white-house-say-u-s-officials/?utm_term=.3cff9618ae33

"A federal study found signs that surveillance devices for intercepting
cellphone calls and texts were operating near the White House and other
sensitive locations in the Washington area last year."

Only Rip Van Winkle would have been surprised by this headline. What
precautions are the SIGINT targets using to forestall intercept? Are
they effective, or have they been compromised too? Whatever happened to
good ol' "Blackbag" jobs?

------------------------------

Date: Fri, 1 Jun 2018 14:04:19 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Massive Visa Outage Shows the Fragility of Global Payments (WiReD)

NNSquad
https://www.wired.com/story/visa-outage-shows-the-fragility-of-global-payments/

On Friday, VISA'S payment network suffered outages across Europe, limiting
transactions for both businesses and individuals. Banks and commerce
groups began advising customers to use cash or other payment cards if
possible, and reports indicated that online and contactless transactions
were having more success than chip cards. Though some Visa transactions
still went through, the failure appeared widespread. The Financial Times
even reported that some ATMs in the United Kingdom were already out of
cash within a couple of hours of the first outage reports. Some observers
saw in the outage a stark reminder of the fragility of payment networks,
and the weaknesses in global economic platforms.

------------------------------

Date: Sat, 2 Jun 2018 02:01:55 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: How can criminals manipulate cryptocurrency markets?
(The Conversation)

https://theconversation.com/how-can-criminals-manipulate-cryptocurrency-markets-97294

------------------------------

Date: Fri, 25 May 2018 18:32:06 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds
of User Email Addresses (Gizmodo)

via NNSquad [Thanks, EU!]
http://gizmodo.com/ad-blocker-ghostery-celebrates-gdpr-day-by-revealing-hu-1826338313

Ad-blocking tool Ghostery suffered from a pretty impressive,
self-inflicted screwup Friday when the privacy-minded company accidentally
CCed hundreds of its users in an email, revealing their addresses to all
recipients. Fittingly, the inadvertent data exposure came in the form of
an email updating Ghostery users about the company's data collection
policies. The ad blocker was sending out the message to affirm its
commitment to user privacy as the European Union's digital privacy law,
known as the General Data Protection Regulation (GDPR), goes into effect.
The email arrived in inboxes with the subject line "Happy GDPR Day --
We've got you covered!" In the body of the email, the company informed
users, "We at Ghostery hold ourselves to a high standard when it comes to
users' privacy, and have implemented measures to reinforce security and
ensure compliance with all aspects of this new legislation."

------------------------------

Date: Sun, 27 May 2018 13:30:02 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Commentary: GDPR Misses the Point (Fortune)

http://fortune.com/2018/05/24/gdpr-data-privacy-cookies/

------------------------------

Date: Sun, 3 Jun 2018 12:08:40 -0700
From: Rob Slade <rms...@shaw.ca>
Subject: GDPR, Privacy, and CISSPforum vs "Community"

The long running CISSPforum mailing list on Yahoo Groups is being closed by
ISC2, effective June 15, 2018. An alternate mailing list, run by volunteer
CISSPs, has been created on groups.io.

Yeah, I know. Those of you who don't have the CISSP cert don't care. (Even
those who, like Peter, have been given an honorary CISSP may not care.) But
the reason the CISSPforum is being closed is kind of interesting.

ISC2 itself isn't saying much about why. But most people discussing it seem
to think it has to do with GDPR. Yahoo has not had the greatest success
with security, so ISC2 may wish to limit its exposure.

The thing is, if I want to give people instructions on getting to the new
CISSPforum, the easiest thing would be to send them to the page at
https://community.isc2.org/t5/Welcome/CISSPforum-replacement/td-p/11006 (or
https://is.gd/lGXNgT if email mungs that and you want a shortened version).
Yes, you are correct. That Web page is one of the postings on the new,
supposedly private, "community" that ISC2 has created to replace the
CISSPforum mailing list as a communications venue for the membership.

And, if I want to send you to the existing discussion of the various privacy
issues to do with the new "community," I can point you to
https://community.isc2.org/t5/Welcome/Welcome-lets-talk-about-ISC2-no-censorship-Closing-of-CISSP/td-p/11021/page/2
or http://is.gd/GgHckH. Or, you can search for it yourself, on Google:
http://lmgtfy.com/%3Fq%3Dsee%2Bthe%2Bamazing%2Bdancing%2BCISSPs%2Band%2Ball%2Btheir%2Bdiscussions

You will be able to see all kinds of discussion on the new forum. Do a
Google search with any term you want, and include site:community.isc2.org as
a term, and see what the amazing dancing CISSPs have said about it. (There
is one area of the "community" that is not searchable, but it's fairly
small.)

------------------------------

Date: Sun, 3 Jun 2018 19:24:04 -0400
From: José María Mateos <ch...@rinzewind.org>
Subject: German spy agency can keep tabs on Internet hubs: court (Phys)

http://phys.org/news/2018-05-german-spy-agency-tabs-internet.html

De-Cix, the world's largest Internet hub, says Germany's spy agency is able
to get a complete and unfiltered copy of all the data passing through its
fibre optic cables.

Germany's spy agency can monitor major Internet hubs if Berlin deems it
necessary for strategic security interests, a federal court has ruled.

In a ruling late on Wednesday, the Federal Administrative Court threw out a
challenge by the world's largest Internet hub, the De-Cix exchange, against
the tapping of its data flows by the BND foreign intelligence service.

The operator had argued the agency was breaking the law by capturing German
domestic communications along with international data.

http://rinzewind.org/blog-es

------------------------------

Date: Sat, 26 May 2018 13:02:30 -0400
From: John Ohno <john...@gmail.com>
Subject: Trendism and cognitive stagnation

Originally posted here:
http://medium.com/%40enkiv2/trendism-cognitive-stagnation-21c8e003df83

Trendism & cognitive stagnation

(This is a follow-up to Against Trendism
http://medium.com/%40enkiv2/against-trendism-how-to-defang-the-social-media-disinformation-complex-81a8e2635956)

Basing visibility on popularity is a uniquely awful version of *tyranny of
the majority* because uncommon views become invisible, even if, were they to
start on an even playing field, they would become popular.

In this way, it encourages mental stasis: since ranking is based on an
immediate appraisal of how popular something already is, and visibility is
based therefore on past shallow popularity, there's no room for
rumination.

This is NOT an attribute of `technology' or `social media', but an attribute
of visibility systems based on immediate ranking. Visibility systems based
on ranking delayed by, say, three days, or with the top 25% most popular
posts elided, would be fine.

Our capacity to imagine new possibilities is based largely on our
familiarity with the bounds of possibility space -- we can only
imagine views that are in the neighborhood of views we've heard
expressed in the past. So, making the already-unpopular invisible limits
imagination.

(There are hacks we can use to make it possible to imagine views nobody has
ever held. We can make random juxtapositions, impose meaning on them, and
then figure out a justification for them -- like tarot reading. Or,
we can merely iterate from some basic idea, getting more and more extreme,
while internalizing the perspective of each iteration as something someone
could possibly believe in good faith. The former -- the bibliomancy
approach -- is common in experimental art, while the latter is
typical of dystopian science fiction.

But, these hacks are pretty limited. We need a starting place. If
we've only heard mainstream ideas, we're going to have a
hard time going off the beaten path with the dystopia approach, while we
will struggle with the bibliomancy approach because most ideas can only be
made to seem reasonable with the help of other ideas. Getting into uncharted
territories with either of these approaches is difficult unless
you've already filled out the middle of your possibility space with
other ideas, because in their absence you would need to independently
reinvent them.)

This is not a justification, in and of itself, for banning metrics entirely.
After all, this kind of exponential distribution happens with ideas even
without the use of popularity signifiers: ideas spread, and popular ideas
have more opportunities to spread. Trendism merely accelerates the process
and widens the gap between the most popular ideas and everything else.

Sites like reddit use segmentation to prevent total ordering of popularity
from dominating, although this ultimately means that popular subreddits have
a disproportionate impact on this total ordering when it is seen.
http://redditp.com/r/all

Similarly, we have seen piecemeal attempts to limit the effects of trendism
for particular topics -- the curation of trending topics at twitter and
facebook, for instance, or ad-hoc ranking demerits for particular tags on
lobste.rs.

However, we could be applying the measurements we already take to counteract
trendism rather than accelerating it: making popularity count less the
higher it gets, removing overly-popular content entirely, boosting the
visibility of mostly-unseen content, using information about organic reach
in sites like twitter to boost the synthetic reach of people who
don't have many followers (instead of boosting the synthetic reach
of the rich), systematically demoting posts that comment on trending topics,
spotlighting spotify tracks and youtube videos with zero views, and so on.

Where trendism devalues the function of recommendation systems as novelty
aggregators, these tools could be modified to be anti-trendist, pro-novelty,
and promote a cosmopolitanism that broadens our horizons in ways traditional
word-of-mouth never could. This is a unique capacity of recommendation
systems over curators: recommendation systems can recommend things nobody
has ever seen, and can recommend them on the grounds that nobody has seen
them.
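
The delayed, damped and top-quartile-elided ranking sketched in the post, as an added example that is not part of the original post; the feed data, the three-day delay window and the boost value are constructed assumptions:

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    name: str
    votes: int          # all popularity signals received to date
    votes_last_3d: int  # the part of `votes` that arrived in the last three days


# Constructed sample feed (assumption, not real data): one viral post, one big one,
# a steady performer, a brand-new post, a niche post and one nobody has seen.
SAMPLE = [
    Item("viral", 10000, 6000),
    Item("big", 2000, 100),
    Item("steady", 150, 10),
    Item("fresh", 40, 40),
    Item("niche", 3, 0),
    Item("unseen", 0, 0),
]


def rank_immediate(items):
    """Plain trendist ranking: whatever is most popular right now comes first."""
    return [i.name for i in sorted(items, key=lambda i: -i.votes)]


def rank_anti_trendist(items, elide_top=0.25, unseen_boost=10.0):
    """Rank on popularity as it stood three days ago, counted with diminishing
    returns, with the top quarter dropped entirely and never-seen items boosted."""
    # (a) delayed ranking: ignore whatever popularity arrived in the last three days
    delayed = {i.name: i.votes - i.votes_last_3d for i in items}
    # (b) elide the most popular slice of the feed outright
    by_delayed = sorted(items, key=lambda i: -delayed[i.name])
    kept = by_delayed[int(len(items) * elide_top):]

    # (c) log damping makes each extra vote count less the higher the total gets,
    # (d) content nobody has seen gets a fixed boost so it is surfaced at all
    def score(i):
        s = math.log1p(delayed[i.name])
        if i.votes == 0:
            s += unseen_boost
        return s

    return [i.name for i in sorted(kept, key=lambda i: -score(i))]


if __name__ == "__main__":
    print("immediate:    ", rank_immediate(SAMPLE))
    print("anti-trendist:", rank_anti_trendist(SAMPLE))
```

With the sample feed the viral post disappears from the second ranking, the post whose votes are all recent drops to the bottom, and the never-seen post leads.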

------------------------------

Date: Mon, 28 May 2018 09:38:16 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: Securing Elections

I don't wish to start a political argument, but from a practical POV, there
is merit to the US method of "the winner takes it all" -- eventually, one
candidate wins, and incumbents should be let to do their job to the best of
their ability. Compare that to relational methods in some European
countries, which have brought about unstable governments which are
reshuffled often (like in France before 1968, or current Italy).

History has proven -- from the resignation of Nixon to the recent upheaval in
Armenia -- that as long as freedom of expression and assembly are kept, the
public would eventually be able to express enough dissent to get rid of
corrupt politicians, no matter which system was used to elect them in the
first place.

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks have done to URLs. I have
tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.71
************************