
Risks Digest 31.05


RISKS List Owner

Feb 4, 2019, 6:15:04 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Monday 4 February 2019 Volume 31 : Issue 05

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.05>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
A study of fake news in 2016 (Science via PGN)
Deep Fakes: A Looming Challenge for Privacy, Democracy, and
National Security by Robert Chesney, Danielle Keats Citron (SSRN)
Japanese government plans to hack into citizens' IoT devices (ZDNet)
"This smart light bulb could leak your Wi-Fi password" (ZDNet via
Gene Wirchenko)
Tech addicts seek solace in 12 steps and rehab (AP)
How Machine Learning Could Keep Dangerous DNA Out of Terrorists' Hands
(Scientific American via Richard Stein)
Taking apart a botnet ... (Naked Security via Rob Slade)
What If Your Fitbit Could Run on a Wi-Fi Signal? (SciAm)
iPhone FaceTime Bug That Allows Spying Was Flagged to Apple Over a
Week Ago (NYTimes)
Apple revokes Google's ability to use internal iOS apps, just like Facebook
(WashPost)
Apple hits back at Facebook and revokes a key license (CNBC)
Putting the exact size of land in ads (Dan Jacobson)
Passwords, escrow, and fallback positions (CoinDesk via Rob Slade)
My old RISKS nightmare comes true - partially (Rex Sanders)
Minor Crimes and Misdemeanors in the Age of Automation (DevOps.com)
ICE set up phony Michigan university in sting operation (WashPost via
Monty Solomon)
Chinese maker of radios for police, firefighters struggles to outlast
Trump trade fight (WashPost)
Keyless Cars Are Easy to Steal Using Cheap Theft Equipment (Fortune via
Gabe Goldberg)
UK auto theft (Claire Duffin via Chris Drewe)
Problems with car key fobs (Gizmodo via Arthur T.)
Google, you sent this to too many people, so it must be spam (Dan Jacobson)
Re: Buy Bitcoin at the Grocery Store via Coinstar (John Levine)
Re: Hidden Automation Agenda of the Davos Elite (Henry Baker)
Re: Is it time for Linux? (J Coe)
Re: If 5G Is So Important, Why Isn't It Secure? (Mark Thorson)
Re: The Duty to Read the Unreadable (Amos Shapir)
Re: Risks of Deepfake videos (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 2 Feb 2019 10:46:19 -0800
From: Peter G Neumann <Neu...@csl.sri.com>
Subject: A study of fake news in 2016 (Science)

Fake news on Twitter during the 2016 U.S. presidential election
Science (AAAS) 363 issue 6425, 25 Jan 2019, pp. 374-378

This is a noteworthy five-author paper with a detailed examination.
For example, only 1% of individuals accounted for 80% of fake news
source exposures, and 0.1% accounted for 80% of fake news sources
shared. For RISKS readers who are interested in this phenomenon,
the article is worth reading.

------------------------------

Date: February 3, 2019 at 12:48:30 AM GMT+9
From: geoff goodfellow <ge...@iconia.com>
Subject: Deep Fakes: A Looming Challenge for Privacy, Democracy, and
National Security by Robert Chesney, Danielle Keats Citron (SSRN)

Contains a landmark law article on deepfakes:

107 California Law Review (2019, Forthcoming)
U of Texas Law, Public Law Research Paper No. 692
U of Maryland Legal Studies Research Paper No. 2018-21
59 Pages Posted: 21 Jul 2018 Last revised: 23 Aug 2018

Robert Chesney, University of Texas School of Law
Danielle Keats Citron, University of Maryland Francis King Carey School of
Law; Yale University Yale Information Society Project; Stanford Law School
Center for Internet and Society

Date Written: July 14, 2018

Abstract

Harmful lies are nothing new. But the ability to distort reality has taken
an exponential leap forward with `deep fake' technology. This capability
makes it possible to create audio and video of real people saying and doing
things they never said or did. Machine learning techniques are escalating
the technology's sophistication, making deep fakes ever more realistic and
increasingly resistant to detection. Deep-fake technology has
characteristics that enable rapid and widespread diffusion, putting it into
the hands of both sophisticated and unsophisticated actors. While deep-fake
technology will bring with it certain benefits, it also will introduce many
harms. The marketplace of ideas already suffers from truth decay as our
networked information environment interacts in toxic ways with our cognitive
biases. Deep fakes will exacerbate this problem significantly. Individuals
and businesses will face novel forms of exploitation, intimidation, and
personal sabotage. The risks to our democracy and to national security are
profound as well. Our aim is to provide the first in-depth assessment of the
causes and consequences of this disruptive technological change, and to
explore the existing and potential tools for responding to it. We survey a
broad array of responses, including: the role of technological solutions;
criminal penalties, civil liability, and regulatory action; military and
covert-action responses; economic sanctions; and market developments. We
cover the waterfront from immunities to immutable authentication trails,
offering recommendations to improve law and policy and anticipating the
pitfalls embedded in various solutions.

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3213954&utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axiosfutureofwork&stream=future

------------------------------

Date: Wed, 30 Jan 2019 11:55:34 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Japanese government plans to hack into citizens' IoT devices (ZDNet)

The Japanese government approved a law amendment on Friday that will allow
government workers to hack into people's Internet of Things devices as part
of an unprecedented survey of insecure IoT devices.

https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

------------------------------

Date: Fri, 01 Feb 2019 20:32:42 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "This smart light bulb could leak your Wi-Fi password" (ZDNet)

[Q: How many hackers does it take to change a light bulb?
A: Only one, and keep him and it off your network.]

Charlie Osborne for Zero Day | 1 Feb 2019

This smart light bulb could leak your Wi-Fi password. LIFX smart bulbs
contained vulnerabilities that could be exploited with a little ingenuity
and the help of a hacksaw.

https://www.zdnet.com/article/this-smart-light-bulb-could-leak-your-wi-fi-password/

selected text:

LimitedResults used the LIFX mini white as a test product, a $15.99 device
which can be controlled via smartphone to change the temperature and dimness
levels of lighting at home.

After installing the bulb's accompanying app on an Android device and
setting up the Wi-Fi connection, the researcher grabbed a saw to hack his
way into the hardware within.

After exposing the innards of the bulb and wiping away fireproof paste, the
hacker found that the main component of the bulb is an ESP32D0WDQ6
system-on-chip (SoC) manufactured by Espressif.

It didn't take long to solder a few pins to a board in order to connect to
the LIFX hardware, and after this link was established, LimitedResults found
that Wi-Fi credentials were stored in plaintext within the flash memory.
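
The finding above (credentials readable straight out of flash) is the kind of thing a firmware release gate should catch before a device ships. The following is an added example, not code from the ZDNet article, LimitedResults or LIFX: it pulls printable strings out of a flash image the way the Unix `strings` tool does and checks whether any bench-provisioning secret appears in the clear. The image layout, the SSID and the passphrase are constructed for illustration.

```python
"""Release-gate check: does a firmware image carry plaintext credentials?

Added example, not code from the ZDNet article, LimitedResults or LIFX.
The image layout, the SSID and the passphrase below are constructed.
"""
import re
from typing import Dict, List


def extract_strings(image: bytes, min_len: int = 8) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def find_plaintext_secrets(image: bytes, must_not_appear: Dict[str, str]) -> Dict[str, int]:
    """Map each label whose value occurs verbatim in the image to its byte offset."""
    hits = {}
    for label, value in must_not_appear.items():
        offset = image.find(value.encode("utf-8"))
        if offset != -1:
            hits[label] = offset
    return hits


def firmware_passes_gate(image: bytes, must_not_appear: Dict[str, str]) -> bool:
    """True when none of the listed secrets is stored in the clear."""
    return not find_plaintext_secrets(image, must_not_appear)


# Constructed provisioning credentials used on a test bench (not real values).
BENCH_CREDENTIALS = {
    "wifi_ssid": "bench-network-2g",
    "wifi_passphrase": "correct horse battery staple",
}


def build_constructed_image() -> bytes:
    """Synthetic flash image: code-like bytes, a config blob, then erased-flash padding."""
    code = b"\x00" * 64 + b"firmware-v1.0\x00" + bytes(range(256)) * 4
    config = (b"\x00wifi_ssid=" + BENCH_CREDENTIALS["wifi_ssid"].encode()
              + b"\x00wifi_pass=" + BENCH_CREDENTIALS["wifi_passphrase"].encode() + b"\x00")
    return code + config + b"\xff" * 1024


if __name__ == "__main__":
    img = build_constructed_image()
    print("config-looking strings:", [s for s in extract_strings(img) if "=" in s])
    print("gate passed:", firmware_passes_gate(img, BENCH_CREDENTIALS))
```

Run against a real dump, the gate would be fed the actual bench credentials; a pass only says those particular values are not stored verbatim, so it complements rather than replaces a review of how the firmware protects whatever it does store.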

------------------------------

Date: Sun, 3 Feb 2019 11:34:37 -0700
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: Tech addicts seek solace in 12 steps and rehab (AP)

Martha Irvine, AP, December 26, 2018
https://www.apnews.com/38141d993106400f8228706334e9b7f4

BELLEVUE, Wash. (AP) — We like to say we're addicted to our phones or an
app or some new show on a streaming video service.

But for some people, tech gets in the way of daily functioning and
self-care. We're talking flunk-your-classes, can't-find-a-job,
live-in-a-dark-hole kinds of problems, with depression, anxiety and
sometimes suicidal thoughts part of the mix.

Suburban Seattle, a major tech center, has become a hub for help for
so-called `tech addicts', with residential rehab, psychologists who
specialize in such treatment and 12-step meetings.

------------------------------

Date: Mon, 4 Feb 2019 11:04:39 +0800
From: Richard Stein <rms...@ieee.org>
Subject: How Machine Learning Could Keep Dangerous DNA Out of Terrorists'
Hands (Scientific American)

https://www.scientificamerican.com/article/how-machine-learning-could-keep-dangerous-dna-out-of-terrorists-hands/

"But Rob Carlson, managing director at Bioeconomy Capital, a venture-capital
firm in Seattle, Washington, is skeptical that stopping DNA-synthesis
companies from being exploited will prevent bioterror attacks. 'If you look
at what sorts of biological threats have cropped up to date, this isn't one
of them,' he says. Most attacks have involved the release of existing
pathogens grown in labs; in 2001, for instance, five people in the United
States died and 17 were sickened after receiving anthrax-laced letters.

"Terrorists are more likely to follow the blueprint of published research,
rather than embark on a research project to design new organisms, Carlson
says. He fears that any government efforts to regulate DNA synthesis would
push would-be bioterrorists underground."

Risk: Ineffective government investment to deter bioweapon deployment by
terrorists.

------------------------------

Date: Mon, 4 Feb 2019 10:47:59 -0800
From: Rob Slade <rms...@shaw.ca>
Subject: Taking apart a botnet ... (Naked Security)

The FBI is messing with Joanap, a botnet run by a major North Korean
blackhat group.

https://nakedsecurity.sophos.com/2019/02/04/fbi-burrowing-into-north-koreas-big-bad-botnet/

Joanap itself is fairly complicated, with infections being started by an SMB
worm, which then installs the Joanap RAT (Remote Access Trojan). Command
and control is done via a peer-to-peer distributed network.

Which is where the FBI comes in. A court in the US granted them permission
to set up fake servers pretending to be controllers on Joanap. As such,
they could spy on individual machines, collect information, or even install
software (possibly to remove the infections and patch vulnerabilities).

In examining the ethics of active defence, I find this fascinating.

http://www.infosecbc.org/events/new-calendar-event-2/

I'm pretty sure that in Canadian law the FBI action would actually be
illegal, which is possibly why they are contacting host governments in the
cases of non-US victims.

(Oh, and remember to patch your systems, which is the only reason the
blackhats were able to build Joanap in the first place ...)

------------------------------

Date: Wed, 30 Jan 2019 11:10:15 +0800
From: Richard Stein <rms...@ieee.org>
Subject: What If Your Fitbit Could Run on a Wi-Fi Signal? (SciAm)

https://www.scientificamerican.com/article/what-if-your-fitbit-could-run-on-a-wi-fi-signal/

"...molybdenum disulfide (MoS2) -- a two dimensional material because it is
just three atoms thick -- can act like an antenna to convert radio signals
from wi-fi, cell phones and radio or television broadcasts into power for
wireless devices.

"Palacios says the two-dimensional semiconductor can reap 30 to 50
microwatts from ambient wi-fi signals of about 100 microwatts, enough to
operate pacemakers, hearing aids, strain sensors, communication links and
many low-power IoT objects. Such a system could potentially operate without
a battery, lowering weight and avoiding leakage from a medical implant's
power source inside the body."

http://catless.ncl.ac.uk/Risks/30/72#subj29.1 discusses harvesting human
body heat to power devices.

Steer clear of TEMPEST facilities, or low ambient RF environments if you
wear an implantable device powered by MoS2. Neglecting to use a battery
backup may be hazardous to your health.

------------------------------

Date: Tue, 29 Jan 2019 18:58:50 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: iPhone FaceTime Bug That Allows Spying Was Flagged to Apple Over a
Week Ago (NYTimes)

https://www.nytimes.com/2019/01/29/technology/facetime-glitch-apple.html

On Jan. 19, Grant Thompson, a 14-year-old in Arizona, made an unexpected
discovery: Using FaceTime, Apple's video chatting software, he could
eavesdrop on his friend's phone before his friend had even answered the
call. His mother, Michele Thompson, sent a video of the hack to Apple the
next day, warning the company of a "major security flaw" that exposed
millions of iPhone users to eavesdropping. When she didn't hear from Apple
Support, she exhausted every other avenue she could, including emailing
and faxing Apple's security team, and posting to Twitter and Facebook. On
Friday, Apple's product security team encouraged Ms. Thompson, a lawyer,
to set up a developer account to send a formal bug report. But it wasn't
until Monday, more than a week after Ms. Thompson first notified Apple of
the problem, that Apple raced to disable Group FaceTime and said it was
working on a fix. The company reacted after a separate developer reported
the FaceTime flaw and it was written about on the Apple fan site
9to5mac.com, in an article that went viral.

------------------------------

Date: Fri, 1 Feb 2019 02:41:51 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Apple revokes Google's ability to use internal iOS apps, just like
Facebook (WashPost)

The companies said they are hoping to resolve the issue quickly.

https://www.washingtonpost.com/technology/2019/01/31/apple-revokes-googles-ability-use-internal-ios-apps-just-like-facebook/

------------------------------

Date: Wed, 30 Jan 2019 15:27:08 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Apple hits back at Facebook and revokes a key license (CNBC)

* TechCrunch found that Facebook had been paying people to install a
research app that grants access to all of the user's phone and web
activity.
* Following the report, Apple said the app violates its policies.
* A Facebook spokesperson said the app had "a clear on-boarding
process" that asked participants for permission.

CNBC: Apple hits back at Facebook and revokes a key license
https://www.cnbc.com/2019/01/30/apple-says-facebook-violated-its-policies-with-its-research-app.html?__source=iosappshare%7Ccom.apple.UIKit.activity.Mail

------------------------------

Date: Sat, 02 Feb 2019 21:18:23 +0800
From: Dan Jacobson <jid...@jidanni.org>
Subject: Putting the exact size of land in ads

"5,678 square meters prime farm land for sale, $xx0000. Call Mrs. Holmes
at LLoyd 5-1212."

Or if Junior happens to have the local cadaster list, he can go visit
the property himself, disposing of Mrs. Holmes.

Just sort the list on the size column, and `voila', only one parcel in
town with that size!

------------------------------

Date: Sat, 2 Feb 2019 12:23:46 -0800
From: Rob Slade <rms...@shaw.ca>
Subject: Passwords, escrow, and fallback positions (CoinDesk)

Crypto exchange QuadrigaCX seems to be filing for bankruptcy. It's got lots
of money--locked up in cryptocurrency "cold storage." The password was only
known to the CEO. The CEO died in December.

https://www.coindesk.com/quadriga-creditor-protection-filing

Lots and lots of legal battles are involved ...

------------------------------

Date: Thu, 31 Jan 2019 12:31:40 -0800
From: Rex Sanders <rsan...@usgs.gov>
Subject: My old RISKS nightmare comes true - partially

On 28 Jan 2009 for RISKS 25.55 I wrote:

>Subject: What if you can't pull the plug?
>
>Last night I literally awoke from a nightmare about my iPhone getting
>hacked, spewing spam and doing other nasty things. The nightmare was that I
>had no way to shut it off, and no way to disconnect it from the Internet.

Recently, while trying to move from an old iPhone to an iPhone 8 Plus - and
following Apple's online instructions - the newer iPhone froze with the
power ON. The "hold the power button down for a long time" trick didn't
work. For one troubleshooting cycle, the 8+ stayed on-but-frozen for over 60
hours while connected to power.

Luckily, the 8+ doesn't appear to be hacked by anything other than buggy
upgrade software.

Called Apple support -- they gave me another combination of button presses
to unfreeze the phone. Except it took four tries to work.

Apparently Apple changed the forced restart scheme twice since the iPhone's
introduction. But if your phone is frozen, you probably don't have any way
to look up the latest method.

------------------------------

Date: Fri, 1 Feb 2019 00:08:00 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Minor Crimes and Misdemeanors in the Age of Automation (DevOps.com)

Author writes:

In November, I broke the law. I crossed over a solid white line to make a
right turn at a traffic intersection. At the time I was unaware of my
violation. I was on my way to a shopping mall in an unfamiliar part of
town to buy my wife a gift for her birthday. My only defense is that I was
following the instructions emitted from the map app on my cellphone. It
told me to make a right turn. So I did. Little did I know I was being
watched.

https://devops.com/minor-crimes-and-misdemeanors-in-the-age-of-automation/

------------------------------

Date: Fri, 1 Feb 2019 02:34:51 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: ICE set up phony Michigan university in sting operation (WashPost)

Never heard of the University of Farmington? That's because it never
actually existed.

https://www.washingtonpost.com/nation/2019/01/31/ice-set-up-fake-university-hundreds-enrolled-not-realizing-it-was-sting-operation/

------------------------------

Date: Fri, 1 Feb 2019 02:41:19 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Chinese maker of radios for police, firefighters struggles to
outlast Trump trade fight (WashPost)

The Chinese firm Hytera is subject to a U.S. import ban after a judge ruled
it infringed on patents held by Motorola Solutions.

https://www.washingtonpost.com/business/economy/chinese-maker-of-radios-for-police-firefighters-promises-to-outlast-trump-trade-fight/2019/01/30/42a118a8-1f33-11e9-8b59-0a28f2191131_story.html

------------------------------

Date: Wed, 30 Jan 2019 11:58:13 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Keyless Cars Are Easy to Steal Using Cheap Theft Equipment (Fortune)

“Thefts involving electronic devices are on the up, and it's clear
manufacturers could do more to make their vehicles secure,” the consumer
organization quoted David Jamieson, the West Midlands police commissioner,
as saying.

However, the U.K.’s Society of Motor Manufacturers and Traders (SMMT)
insisted that new cars “are more secure than ever, and the latest technology
has helped bring down theft dramatically with, on average, less than 0.3% of
the cars on our roads stolen.”
<https://www.autoexpress.co.uk/car-news/105809/almost-all-keyless-car-systems-vulnerable-to-relay-attacks>

“We continue to call for action to stop the open sale of equipment with no
legal purpose that helps criminals steal cars,” said SMMT CEO Mike Hawes.

http://fortune.com/2019/01/28/keyless-car-theft-steal/

Who you gonna believe -- the manufacturers association or that empty space
where your car was?

------------------------------

Date: Mon, 28 Jan 2019 22:11:17 +0000
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: UK auto theft (Re: RISKS-30.96)

This has had much coverage in UK newspapers recently, such as this article
from today:

Claire Duffin, *The Daily Mail*, 28 Jan 2019

Almost all of the UK's best-selling cars can be 'unlocked in
minutes' by cheap gadgets bought online as watchdog warns of spike
in 'keyless thefts'

* Four out of five of the most popular cars in the UK last year at
risk of keyless theft.
* Official figures for the year to September showed car thefts were
up 10 per cent.
* In one test consumer watchdog Which? found only the Vauxhall Corsa
was safe.

https://www.dailymail.co.uk/news/article-6638121/Almost-UKs-best-selling-cars-unlocked-minutes-cheap-gadgets-bought-online.html

> Almost all of the UK's bestselling cars are at risk of keyless theft, a
> study shows.
> Many new cars now have keyless entry systems, or can have them added as
> an upgrade.
> It allows the driver to open and start the car without using a
> traditional key, as long as the fob is nearby.
>
> But thieves have taken advantage of this new technology. Using two
> devices, known as a relay amplifier and a relay transmitter, they can
> capture electromagnetic signals emitted by key fobs from where they are
> sitting inside the car owner's home.
> Working in pairs, one thief stands by the car with his transmitter,
> while a second waves the amplifier close to the house.
> The amplifier will detect a signal from the key fob, amplify it and send
> it to the accomplice's transmitter.
> This tricks the car into thinking the key is in close proximity,
> prompting it to open. Thieves can then drive the vehicle away using the
> push-button keyless ignition.
> The process can take less than one minute - and once they have the car,
> they can quickly replace locks and entry devices.

I'm guessing that the cars constantly send a signal inviting any fobs within
range to respond, and if one does reply with the correct code for the car,
it unlocks the doors and allows the engine to be started; it's designed to
work only over a few yards/metres, but the thieves' relays enable the range
to be extended. People often drop their keys in a bowl or case just inside
the front door of their houses so that they can be grabbed as they leave.
(In the olden days, thieves used magnets on rods passed through the
letterbox to snaffle bunches of keys on keyrings, or would ring the doorbell
and have an accomplice discreetly take keys while the householder was
distracted.) By the way, Vauxhall was the UK brand name for GM cars,
although it's recently been sold to a European automaker.
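
The quoted description and the guess that follows it come down to one point: the car checks only that the fob answers correctly, and a relay carries a correct answer over any distance. The following is an added example, not code from the Daily Mail article or from any car maker. It models the exchange as a challenge the fob answers with an HMAC, the relay as a path that adds latency, and a hardened car that also bounds the round-trip time (the distance-bounding idea is assumed here, not taken from the article). Propagation speed, fob processing time, the relay's added delay and the range limit are constructed figures.

```python
"""Why a correct answer is not enough for passive keyless entry.

Added example, not code from the Daily Mail article or any car maker.
The timing constants are constructed; only their relative sizes matter.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

SPEED_OF_LIGHT_M_PER_NS = 0.3   # radio propagation, roughly
FOB_PROCESSING_NS = 2_000       # constructed: time the fob takes to compute its answer
MAX_LEGIT_RANGE_M = 2.0         # constructed: car should only open with the fob this close
TIMING_TOLERANCE_NS = 100       # constructed: allowance for clock jitter

RTT_BOUND_NS = (FOB_PROCESSING_NS
                + 2 * MAX_LEGIT_RANGE_M / SPEED_OF_LIGHT_M_PER_NS
                + TIMING_TOLERANCE_NS)


class Fob:
    """Answers a challenge with an HMAC under the key it shares with the car."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


@dataclass
class Channel:
    """Path between car and fob: direct, or through a pair of relay devices."""
    fob: Fob
    distance_m: float            # distance the signal actually travels each way
    relay_delay_ns: float = 0.0  # extra latency from relay electronics (0 = no relay)

    def exchange(self, challenge: bytes) -> Tuple[bytes, float]:
        """Deliver the challenge, return the fob's answer and the measured round trip."""
        propagation = 2 * self.distance_m / SPEED_OF_LIGHT_M_PER_NS
        rtt = propagation + FOB_PROCESSING_NS + self.relay_delay_ns
        return self.fob.respond(challenge), rtt


class Car:
    def __init__(self, key: bytes, enforce_rtt: bool):
        self._key = key
        self.enforce_rtt = enforce_rtt

    def try_unlock(self, channel: Channel) -> Tuple[bool, str]:
        challenge = secrets.token_bytes(16)
        response, rtt_ns = channel.exchange(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False, "bad response"
        if self.enforce_rtt and rtt_ns > RTT_BOUND_NS:
            return False, f"round trip {rtt_ns:.0f} ns exceeds bound {RTT_BOUND_NS:.0f} ns"
        return True, "unlocked"


def scenarios() -> Dict[Tuple[str, str], bool]:
    """Owner at the car, a relayed fob in the hallway, and a stranger's fob, against both cars."""
    key = secrets.token_bytes(32)
    fob = Fob(key)
    owner_at_car = Channel(fob, distance_m=1.0)
    relayed = Channel(fob, distance_m=15.0, relay_delay_ns=3_000)   # constructed relay latency
    stranger = Channel(Fob(secrets.token_bytes(32)), distance_m=1.0)
    results = {}
    for label, car in (("code-only", Car(key, False)), ("code+rtt", Car(key, True))):
        results[(label, "owner")] = car.try_unlock(owner_at_car)[0]
        results[(label, "relayed")] = car.try_unlock(relayed)[0]
        results[(label, "stranger")] = car.try_unlock(stranger)[0]
    return results


if __name__ == "__main__":
    for (car, who), opened in scenarios().items():
        print(f"{car:10} {who:9} -> {'unlocked' if opened else 'refused'}")
```

The cryptography is identical in both cars and passes in both relayed cases; only the timing bound separates the owner standing at the door from a fob answering from across the street. Real distance bounding needs nanosecond-grade measurement and a protocol designed for it, which this logical-clock model glosses over.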

------------------------------

Date: Sat, 02 Feb 2019 15:12:37 -0500
From: "Arthur T." <Risks20190...@xoxy.net>
Subject: Problems with car key fobs (Gizmodo)

People with car key fobs were staying away from a Canadian co-op store
because they might not be able to start their cars. Anarchists? Gremlins?
Competitors? No, just "a malfunctioning remote car starter" nearby.

https://gizmodo.com/mystery-of-blocked-key-fobs-at-parking-lot-likely-solve-1832277387

------------------------------

Date: Sun, 03 Feb 2019 04:50:33 +0800
From: Dan Jacobson <jid...@jidanni.org>
Subject: Google, you sent this to too many people, so it must be spam

> The big announcement came,
> From: "Google+ Team" <nor...@plus.google.com>
> Subject: Your personal Google+ account is going away on April 2, 2019
: X-VR-STATUS: SPAM

Alas, a little too big, as it was nailed as spam by big-time mail filtering
companie(s). Wonder what will happen when Facebook eventually sends theirs
to an even larger list.

My mom says that "X-VR-SPAMCAUSE: ggystttmpsimb..." means "GooGle, you sent
this to too many people so it must be spam."

------------------------------

Date: 28 Jan 2019 22:55:16 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: Buy Bitcoin at the Grocery Store via Coinstar (Fortune)

Coinstar? Those are the machines where you put in $10 in cash and it
gives you a slip for $8. Seems just the thing for Bitcoin.

------------------------------

Date: Tue, 29 Jan 2019 07:32:45 -0800
From: Henry Baker <hba...@pipeline.com>
Subject: Re: Hidden Automation Agenda of the Davos Elite (NYT)

A couple of thoughts on automation:

1. What do we really want these soon-to-be-laid-off people to do? Does it
make any sense to pay people to produce goods inefficiently, in the style of
Soviet factories making goods that will never be consumed, just so they have
a job? The economist Milton Friedman supposedly asked why workmen were
using shovels instead of machinery to build a canal. The answer came back:
"We need to provide more jobs." Friedman's response: "Then why not give
them spoons instead of shovels."

To his credit, Friedman championed a version of universal basic income (UBI)
to allow for both economic efficiency and economic support for those
displaced. I'm not sure that UBI provides much of an identity of self-worth
for these ex-workers, but it is at least a start in the right direction.

2. Since the Great Recession starting in 2008-9, governments around the
First World have kept interest rates at negative or zero ("ZIRP"). Who do
you think benefits directly from ZIRP? The coal miner? The minimum wage
employee? Not so much. When capital becomes cheaper than labor, it's a
*no-brainer* to invest in automation, and the Davos elites have "backed up
the truck" to gorge on zero-interest-rate money to invest in robotics and
AI, knowing that eventually ZIRP would end, and this gravy train would stop.
At that point, these investments would pay off as labor became more
expensive relative to robots and automation.

The truth is, most of the First World has a demographic problem, in that
their populations are *falling*, so countries like Japan and China are going
to become totally reliant upon robots just to support their ever-growing
percentage of retired workers. So we're going to need robots and
automation, but we're also going to need mechanisms to provide support and
activities other than meaningless jobs to enable people to live full and
meaningful lives.

------------------------------

Date: Tue, 29 Jan 2019 20:43:04 +0000
From: J Coe <spen...@gmail.com>
Subject: Re: Is it time for Linux? (Dave Crooke)

I was waiting for another to reply to this message from RISKS 31.02, as I
feel that from my lowly station of systems engineer in a small team in an
education setting I shouldn't be preaching to the masses; there are many
more worthy voices than my own.

That being said, I don't feel Linux is the solution that some seem to claim
it is.

As always, all views are my own and do not represent anyone other than
myself.

I disagree with the ideas and ideals that Linux is some bastion of security.
While I will admit Linux does have the edge on Microsoft OSs, I simply do
not believe that this in itself is enough to necessarily say it should be
used over any operating system, Microsoft or otherwise. I also feel Linux
has a perceived higher level of security than it actually does, along with a
number of userbase and technical climate realities that skew both hard and
anecdotal evidence in Linux's favor.

The first of these things is the Linux userbase. Windows is the world's most
popular desktop OS. This leads by default to a less technical userbase,
whereas Linux as a desktop OS is often used by the more technically adept.
The more technically adept and IT-security savvy are less likely to fall
for certain types of attacks such as phishing and clicking on suspicious
links. Both the higher volume of users and the chances of encountering one
of these less savvy users mean Windows is the more profitable target when
engaging in attacks where the net is cast wide.

Its open source nature doesn't make Linux impervious to vulnerabilities.
Last year Windows 10 had 28 {1} vulnerabilities given a CVE rating of 9 or
more. Debian (which I'm using, so I could get the stats easily) had 20 in
2018 {2}. While 9 is a significant number, Debian received a total of 938
CVEs in 2018 with Windows 10 only receiving 254. Some of this can be chalked
up to the open source model allowing vulnerabilities to be more easily
identified, but the concept that Linux has fewer vulnerabilities or doesn't
ship with them is simply not true.

Furthermore, the low use of things like anti-malware products on Linux
means that there is currently a lack of research in this area. In December
2018 ESET discovered 21 "new" families of Linux-based malware. The issue
being, these malware families weren't new; some appeared to be over 4 years
old. Furthermore, ESET only discovered these families because they were
being removed by a competing malware ESET was actually investigating.
When you ask a long-term Linux user when they last saw some Linux malware,
the answer will likely be never, but with the lack of strong, widely used
anti-malware tools for Linux the real question would be: how would you know?

If everyone were to take the advice and switch to Linux exclusively for both
home and work environments, the outcome could be worse security as threat
actors target the new environment: more malicious actors looking for
weaknesses and vulnerabilities, and a lack of tools to provide a decent
defense-in-depth response.

While this may be a pie-in-the-sky idea, I believe security principles
should be both hardware and software agnostic, and simply changing an OS
doesn't necessarily make you more secure. Defense in depth, user training
and engagement, proper configuration, and a healthy dose of skepticism and
luck in equal measure are really the only way to provide a safe
environment, not specific tools or tech.

------------------------------

Date: Tue, 29 Jan 2019 16:15:33 -0800
From: Mark Thorson <e...@dialup4less.com>
Subject: Re: If 5G Is So Important, Why Isn't It Secure?

I can think of two reasons, both of which make an equal amount of sense. a)
If 5G was perfect how would we sell them 6G? We have to make money too. b)
Security is like global warming -- if we can get by just by paying lip
service to the notion and not doing anything effective about it, that's the
easier and less expensive path. Until we have a real Pearl Harbor on the
Internet, nobody that matters is going to care. It's going to take an
incident that bankrupts a large high-profile company, paralyzes the
Internet, kills hundreds of people, or forces the recall of millions of
devices before what is optional becomes mandatory.

------------------------------

Date: Wed, 30 Jan 2019 10:22:38 +0200
From: Amos Shapir <amo...@gmail.com>
Subject: Re: The Duty to Read the Unreadable (RISKS-31.04)

I once tried to read a shrink-wrap EULA (of commercial software) in its
entirety; it took almost an hour, and that's just the reading, I cannot
claim to have actually understood it -- despite having more than the 14.5
years of education cited as required by the article, I have no formal legal
education.

That's irrelevant anyway, because under that EULA, by clicking "I agree" I
have put any future dispute I may have with the company under the
jurisdiction of courts in the State of New York; there aren't many lawyers
around here who know enough about NY law to file a case (not at any
reasonable price), so this clause essentially puts possible legal resolution
out of my reach.

IOW, this is not really an "agreement", more like a CYA legal trick designed
to exempt the company from legal responsibility to possible damage
(accidental, and even intentional) their software might inflict upon their
customers.

------------------------------

Date: Wed, 30 Jan 2019 10:48:42 +0200
From: Amos Shapir <amo...@gmail.com>
Subject: Re: Risks of Deepfake videos (Risks 31.04)

In the age of instant ubiquitous global communication, there is no need to
manipulate reality at a professional level in order to make people believe
in misinformation.

See for example the anti-Vax case, where a pseudo scientific article
(rejected later) which connected one type of (disused) vaccine to a rare
type of autism -- or rather, just the rumour of the article, since it seems
no one had actually read it anyway -- had caused so many people to stop
vaccination completely, enough to cause new outbreaks of diseases thought to
be long gone.

Unfortunately, it seems too many people would just believe anything sent by
their friends, rather than bother with one click to check facts.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.05
************************
