Subject: Risks Digest 27.64

RISKS-LIST: Risks-Forum Digest  Wednesday 18 December 2013  Volume 27 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

Contents: [Way backlogged. More coming. PGN]
Chinese hackers attacked crucial government election website (CNN)
The latest example of a large, failed British government IT system
  (Peter Bernard Ladkin)
Taiwanese tourist walks off Australia pier while checking Facebook (Mark Brader)
Confirming the MOOC Myth (Carl Straumsheim via ACM TechNews)
After Setbacks, Online Courses Are Rethought (Tamar Lewin via ACM TechNews)
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
  (Genkin/Shamir/Tromer via Lauren Weinstein)
Snowden ``stole everything -- literally everything'' (Henry Baker)
NSA Uses Google Cookies to Pinpoint Targets for Hacking
  (Soltani/Peterson/Gellman)
MacBook webcams vs. spying (Lauren Weinstein)
"Two million log-ins stolen from Facebook, Google, ADP payroll processor"
  (Jeremy Kirk via Gene Wirchenko)
French cybersecurity agency says they forged Google certificates due to ...
  "human error" (ANSSI via Lauren Weinstein)
The Mission to De-Centralize the Internet (Joshua Kopstein)
The Dumbest Privacy Case of the Year (Stewart Baker)
"Where pass-the-hash attacks could be hiding" (Roger Grimes via Gene Wirchenko)
Re: New FCC Chairman appears to simultaneously endorse Net Neutrality and
  letting ISPs crush Net services and consumers (Bob Frankston)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 17 Dec 2013 15:02:44 PST
From: "Peter G. Neumann"
Subject: Chinese hackers attacked crucial government election website (CNN)

[Source: CNN, 17 Dec 2013]

Chinese hackers tapped into the Federal Election Commission's website during the federal government shutdown in October, a report released Tuesday by an investigative news organization says.

The report from the Center for Public Integrity, one of the country's oldest and largest nonpartisan, nonprofit investigative news organizations, indicates that hackers crashed the FEC's computer systems, which compile federal election campaign finance information like contributions to parties and candidates, and how those billions of dollars are spent in each election by candidates, political parties, and independent groups such as political action committees.

The attack came as nearly all of the FEC's employees, except for the presidentially appointed commissioners, were furloughed due to the government shutdown, with not even one staffer being deemed "necessary to the prevention of imminent threats" to federal property. And it came a few months after an independent auditor hired by the government warned that the FEC's computer systems were at "high risk" to infiltration, a charge the commission disputed.

"Hackers from China, in Russia, Syria, you name it are constantly targeting U.S. websites. But what happened here with the Federal Election Commission, which is the independent watchdog sponsored by the government to keep elections fair and free, effectively got hit about as hard as it ever has gotten hit," David Levinthal of the Center for Public Integrity said on CNN's "New Day."

"It came as the FEC had absolutely no regular employees actually serving at the agency because of the government shutdown. It was one of the agencies that actually went completely dark during the government shutdown, only had the commissioners themselves manning the doors, manning the systems. They are not IT experts by any stretch of the imagination," Levinthal told CNN's Chris Cuomo.

The CPI says the hacking incident was confirmed by three government officials involved in an ongoing investigation that included the Department of Homeland Security.

"Here you have for days at a time, the FEC's website - which is part and parcel of the agency's mission to provide Americans with the ability to access information about their elections, access information about political campaigns and candidates - and nobody in America could do it during that time. So it was a huge black eye, not only for the agency but for the country's government in general," Levinthal added.

The FEC is not commenting at this time about the hacking incident. Following the hacking incident, the FEC in November said it had moved certain data servers off-line and replace[d] them with less powerful backup servers, that the agency said would slow the ability for users to navigate the website.

  [... but presumably not slow down the hackers... PGN]

------------------------------

Date: Tue, 10 Dec 2013 10:15:52 +0100
From: Peter Bernard Ladkin
Subject: The latest example of a large, failed British government IT system

This time, it's the IT support for the Department of Work and Pensions' new program Universal Credit, which is supposed to replace many benefits programs with just one. The write-off currently stands at £40.1m (it has been going up steadily over the last few months) but it is expected that up to £90m will be written down in the next five years.

The quote below suggests it was the result of requirements creep.

  Mike Driver, finance director general at the Department for Work and Pensions, said: "There is no use for the IT code built to run the computer systems. It has no future value. It is not going to generate any future return for the department." ... the specifications made by the department had changed, especially over security. The code was well written and engineered, the department added.
http://gu.com/p/3y42y

------------------------------

Date: Wed, 18 Dec 2013 02:38:32 -0500 (EST)
From: msb@vex.net (Mark Brader)
Subject: Taiwanese tourist walks off Australia pier while checking Facebook

At least she kept hold of her phone!
http://www.bbc.co.uk/news/world-asia-25426263

  [PGN notes after reading the article:]

    There once was a tourist in Melbourne
    Whose Facebook contacts were well borne.
    Although not a swimmer,
    Her cellphone grew dimmer
    As she lay on her back, waterworn.

  [Yes, I am a Canadian submitting a British report of an incident about a Taiwanese person in Australia to an American RISKS moderator. --msb]

------------------------------

Date: Tue, 10 Dec 2013 11:56:38 -0500
From: ACM TechNews
Subject: Confirming the MOOC Myth (Carl Straumsheim)

Carl Straumsheim, Inside Higher Ed, 6 Dec 2013 (via ACM TechNews 9 Dec 2013)

Massive open online courses (MOOCs) are neither transforming education nor yielding large profits, but more time is needed to experiment with various applications, said participants at a conference hosted by the University of Texas at Arlington. Preliminary results from the MOOC Research Initiative, a grant program founded by the Bill and Melinda Gates Foundation and administered by Athabasca University, were presented at the conference. The University of Pennsylvania Graduate School of Education presented research that analyzed the study habits of 1 million students in 16 Coursera courses between June of 2012 and 2013. "Emerging data...show that [MOOCs] have relatively few active users, that user 'engagement' falls off dramatically especially after the first one to two weeks of a course, and that few users persist to the course end," the study says. Speakers noted that MOOCs can cost hundreds of thousands of dollars to develop, which has created a problematic scenario in which some institutions develop MOOCs while others buy them. However, some say more time is needed to research MOOCs and test different uses, as students are benefiting from the courses in unexpected ways. For example, Wake Technical Community College and Udacity created an introductory algebra review MOOC to prepare students for college placement tests, but found that more than two-thirds of users were using it to improve their general math skills.

http://www.insidehighered.com/news/2013/12/06/mooc-research-conference-confirms-commonly-held-beliefs-about-medium

  [With musers in every mooc and granny? PGN]

------------------------------

Date: Wed, 11 Dec 2013 11:56:44 -0500
From: ACM TechNews
Subject: After Setbacks, Online Courses Are Rethought (Tamar Lewin)

Tamar Lewin, *The New York Times* 10 Dec 2013
(via ACM TechNews, Wednesday, December 11, 2013)

A recent University of Pennsylvania study of a million users of massive open online courses (MOOCs) found that, on average, only about 50 percent of those who registered for a course ever viewed a lecture, and only about 4 percent completed the courses. Although MOOCs were started with the goal of providing courses for students in poor countries with little access to higher education, the study found that about 80 percent of those taking MOOCs had already earned a degree of some kind. In response to some of the initial shortcomings of several MOOC programs, their designers are making changes to broaden their appeal. For example, edX is producing videos to use in some high school Advanced Placement classes, and Coursera is experimenting with using its courses, along with a facilitator, in small discussion classes at some U.S. consulates. In addition, Udacity is revamping its software so future students could have more time to work through the courses. "We are seeing significant improvement in learning outcomes and student engagement," says Udacity founder and Stanford University professor Sebastian Thrun. Meanwhile, some MOOC pioneers are developing a connectivist MOOC model, which is more about the connections and communications among students than about the content delivered by a professor.

http://www.nytimes.com/2013/12/11/us/after-setbacks-online-courses-are-rethought.html

------------------------------

Date: Wed, 18 Dec 2013 08:54:32 -0800
From: Lauren Weinstein
Subject: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (Genkin/Shamir/Tromer)

Daniel Genkin, Adi Shamir, Eran Tromer, assisted by Lev Pachmanov and others
http://www.cs.tau.ac.il/~tromer/acoustic/ and http://j.mp/1dmRAYj (via NNSquad)

"Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away."

  [The summary at the above URLs has a link to the full version of the paper. PGN]

------------------------------

Date: Tue, 17 Dec 2013 18:12:33 -0800
From: Henry Baker
Subject: Snowden ``stole everything -- literally everything''

FYI -- This particular source of news may not be the most reliable, but the mere _possibility_ that Snowden took this amount of information, and that the NSA itself considers it possible, makes you wonder if the NSA can be trusted to keep secret any of the information that they sweep up on all US residents.

Even more troubling: suppose that some of the speculation is true, and there really are _backdoors_ installed by the NSA into the encryption systems widely utilized on the Internet. Snowden, or another NSA contractor with fewer scruples, could bring down a significant fraction of the world's Internet economy.
This is _precisely why_ these backdoors are so troubling -- they can be used by others -- e.g., criminals, not-so-friendly nation-states -- as well as the NSA.

http://dailycaller.com/2013/12/17/dod-official-snowden-stole-everything-literally-everything/

The Daily Caller - http://dailycaller.com - Posted By Giuseppe Macri, 17 Dec 2013

Former National Security Agency contractor Edward Snowden stole vastly more information than previously speculated, and is holding it at ransom for his own protection.

``What's floating is so dangerous, we'd be behind for twenty years in terms of access (if it were to be leaked). He stole everything -- literally everything,'' a ranking Department of Defense official told the Daily Caller.

Last month British and U.S. intelligence officials speculated Snowden had in his possession a `doomsday cache' of intelligence information, including the names of undercover intelligence personnel stationed around the world. Sources briefed on the matter told Reuters that such a cache could be used as an insurance policy in the event Snowden was captured, and that, ``the worst was yet to come.'' The officials cited no hard evidence of such a cache, but indicated it was a possible worst-case-scenario. Some version of that scenario appears to have come true.

  [... Truncated for RISKS. PGN]

The Daily Caller: http://dailycaller.com
http://dailycaller.com/2013/12/17/dod-official-snowden-stole-everything-literally-everything/

------------------------------

Date: Wed, 11 Dec 2013 11:56:44 -0500
From: ACM TechNews
Subject: NSA Uses Google Cookies to Pinpoint Targets for Hacking

Ashkan Soltani, Andrea Peterson, and Barton Gellman, *The Washington Post*, 11 Dec 2013

New documents released by former U.S. National Security Agency (NSA) contractor Edward Snowden indicate the agency is using Internet cookies in its efforts to hack the computers of suspicious individuals. NSA's Special Source Operations (SSO) division reportedly focuses primarily on Google's proprietary "PREF" cookie. Google uses PREF cookies to uniquely track users who utilize Google services or visit sites that contain Google Plus "widgets" in order to show them personalized ads. PREF cookies make this possible because they contain numerical codes that enable websites to identify a person's browser. SSO shares this information with NSA's offensive hacking division, Tailored Access Operations, which uses the numerical identifiers to filter out the Internet communications of individuals who are already under suspicion so it can send them malicious software that gives the agency access to their computers. The information gleaned from PREF cookies, which does not contain personal information such as names and email addresses, also is reportedly shared with the U.K.'s Government Communications Headquarters. The documents do not address the nature of the cyberattacks carried out by the NSA with the help of PREF cookies, and it is unclear how NSA is obtaining PREF cookies, or whether Google is providing them to the agency.

http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/

------------------------------

Date: Wed, 18 Dec 2013 12:13:44 -0800
From: Lauren Weinstein
Subject: MacBook webcams vs. spying

"The built-in cameras on Apple computers were designed to prevent this, says Stephen Checkoway, a computer science professor at Johns Hopkins and a co-author of the study. "Apple went to some amount of effort to make sure that the LED would turn on whenever the camera was taking images," Checkoway says. The 2008-era Apple products they studied had a "hardware interlock" between the camera and the light to ensure that the camera couldn't turn on without alerting its owner ..."

http://j.mp/1dne8bt (*The Washington Post* via NNSquad)

 - - -

There is considerable variation in how these hardware/software interlocks are implemented, and for some it remains impossible to use the camera without lighting the light. But this is something manufacturers can fix to always be true -- it's not rocket science. In fact, protecting yourself from the camera is pretty easy -- just cover it up when not in use. Integral mics are much harder to protect against, and really, they also need hardwired activity lights in this day and age.

------------------------------

Date: Fri, 06 Dec 2013 12:14:55 -0800
From: Gene Wirchenko
Subject: "Two million log-ins stolen from Facebook, Google, ADP payroll processor" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 4 Dec 2013
The attackers are using the 'Pony' botnet command-and-control server software
http://www.infoworld.com/d/security/two-million-log-ins-stolen-facebook-google-adp-payroll-processor-232051

------------------------------

Date: Sat, 7 Dec 2013 16:28:35 -0800
From: Lauren Weinstein
Subject: French cybersecurity agency says they forged Google certificates due to ... "human error"

"As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DG Trésor (Treasury) which is attached to the IGC/A."

http://j.mp/1boGSAZ (ANSSI via NNSquad)

"Human error" ... Yeah.
------------------------------

Date: Sat, 14 Dec 2013 16:36:49 -0500
From: David Farber
Subject: The Mission to De-Centralize the Internet (Joshua Kopstein)

Joshua Kopstein, *The New Yorker* blog, 13 Dec 2013
http://www.newyorker.com/online/blogs/elements/2013/12/the-mission-to-decentralize-the-internet.html

THE MISSION TO DECENTRALIZE THE INTERNET

In the nineteen-seventies, the Internet was a small, decentralized collective of computers. The personal-computer revolution that followed built upon that foundation, stoking optimism encapsulated by John Perry Barlow's 1996 manifesto ``A Declaration of the Independence of Cyberspace.'' Barlow described a chaotic digital utopia, where ``netizens'' self-govern and the institutions of old hold no sway. ``On behalf of the future, I ask you of the past to leave us alone,'' he writes. ``You are not welcome among us. You have no sovereignty where we gather.''

This is not the Internet we know today. Nearly two decades later, a staggering percentage of communications flow through a small set of corporations -- and thus, under the profound influence of those companies and other institutions. Google, for instance, now comprises twenty-five per cent of all North American Internet traffic; an outage last August caused worldwide traffic to plummet by around forty per cent.

Engineers anticipated this convergence. As early as 1967, one of the key architects of the system for exchanging small packets of data that gave birth to the Internet, Paul Baran, predicted the rise of a centralized ``computer utility'' that would offer computing much the same way that power companies provide electricity. Today, that model is largely embodied by the information empires of Amazon, Google, and other cloud-computing companies. Like Baran anticipated, they offer us convenience at the expense of privacy.

Internet users now regularly submit to terms-of-service agreements that give companies license to share their personal data with other institutions, from advertisers to governments. In the U.S., the Electronic Communications Privacy Act, a law that predates the Web, allows law enforcement to obtain without a warrant private data that citizens entrust to third parties -- including location data passively gathered from cell phones and the contents of e-mails that have either been opened or left unattended for a hundred and eighty days. As Edward Snowden's leaks have shown, these vast troves of information allow intelligence agencies to focus on just a few key targets in order to monitor large portions of the world's population.

One of those leaks, reported by the Washington Post in late October, revealed that the National Security Agency secretly wiretapped the connections between data centers owned by Google and Yahoo, allowing the agency to collect users' data as it flowed across the companies' networks. Google engineers bristled at the news, and responded by encrypting those connections to prevent future intrusions; Yahoo has said it plans to do so by next year. More recently, Microsoft announced it would do the same, as well as open ``transparency centers'' that will allow some of its software's source code to be inspected for hidden back doors. (However, that privilege appears to only extend to ``government customers.'') On Monday, eight major tech firms, many of them competitors, united to demand an overhaul of government transparency and surveillance laws.

Still, an air of distrust surrounds the U.S. cloud industry. The N.S.A. collects data through formal arrangements with tech companies; ingests Web traffic as it enters and leaves the U.S.; and deliberately weakens cryptographic standards. A recently revealed document detailing the agency's strategy specifically notes its mission to ``influence the global commercial encryption market through commercial relationships'' with companies developing and deploying security products.

One solution, espoused by some programmers, is to make the Internet more like it used to be -- less centralized and more distributed. Jacob Cook, a twenty-three-year-old student, is the brains behind ArkOS, a lightweight version of the free Linux operating system. It runs on the credit-card-sized Raspberry Pi, a thirty-five dollar microcomputer adored by teachers and tinkerers. It's designed so that average users can create personal clouds to store data that they can access anywhere, without relying on a distant data center owned by Dropbox or Amazon. It's sort of like buying and maintaining your own car to get around, rather than relying on privately owned taxis. Cook's mission is to ``make hosting a server as easy as using a desktop P.C. or a smartphone,'' he said.

Like other privacy advocates, Cook's goal isn't to end surveillance, but to make it harder to do en masse. ``When you couple a secure, self-hosted platform with properly implemented cryptography, you can make N.S.A.-style spying and network intrusion extremely difficult and expensive,'' he told me in an e-mail.

Persuading consumers to ditch the convenience of the cloud has never been an easy sell, however. In 2010, a team of young programmers announced Diaspora, a privacy-centric social network, to challenge Facebook's centralized dominance. A year later, Eben Moglen, a law professor and champion of the Free Software movement, proposed a similar solution called the Freedom Box. The device he envisioned was to be a small computer that plugs into your home network, hosting files, enabling secure communication, and connecting to other boxes when needed. It was considered a call to arms -- you alone would control your data.

But, while both projects met their fund-raising goals and drummed up a good deal of hype, neither came to fruition. Diaspora's team fell into disarray after a disappointing beta launch, personal drama, and the appearance of new competitors such as Google+; apart from some privacy software released last year, Moglen's Freedom Box has yet to materialize at all.

``There is a bigger problem with why so many of these efforts have failed'' to achieve mass adoption, said Brennan Novak, a user-interface designer who works on privacy tools. The challenge, Novak said, is to make decentralized alternatives that are as secure, convenient, and seductive as a Google account. ``It's a tricky thing to pin down,'' he told me in an encrypted online chat. ``But I believe the problem exists somewhere between the barrier to entry (user-interface design, technical difficulty to set up, and over-all user experience) versus the perceived value of the tool, as seen by Joe Public and Joe Amateur Techie.''

One of Novak's projects, Mailpile, is a crowd-funded e-mail application with built-in security tools that are normally too onerous for average people to set up and use -- namely, Phil Zimmermann's revolutionary but never widely adopted Pretty Good Privacy. ``It's a hard thing to explain. A lot of peoples' eyes glaze over,'' he said. Instead, Mailpile is being designed in a way that gives users a sense of their level of privacy, without knowing about encryption keys or other complicated technology. Just as important, the app will allow users to self-host their e-mail accounts on a machine they control, so it can run on platforms like ArkOS.

``There already exist deep and geeky communities in cryptology or self-hosting or free software, but the message is rarely aimed at non-technical people,'' said Irina Bolychevsky, an organizer for Redecentralize.org, an advocacy group that provides support for projects that aim to make the Web less centralized.
Several of those projects have been inspired by Bitcoin, the math-based e-money created by the mysterious Satoshi Nakamoto. While the peer-to-peer technology that Bitcoin employs isn't novel, many engineers consider its implementation an enormous technical achievement. The network's ``nodes'' -- users running the Bitcoin software on their computers -- collectively check the integrity of other nodes to ensure that no one spends the same coins twice. All transactions are published on a shared public ledger, called the ``block chain,'' and verified by ``miners,'' users whose powerful computers solve difficult math problems in exchange for freshly minted bitcoins.

The system's elegance has led some to wonder: if money can be decentralized and, to some extent, anonymized, can't the same model be applied to other things, like e-mail?

Bitmessage is an e-mail replacement proposed last year that has been called ``the Bitcoin of online communication.'' Instead of talking to a central mail server, Bitmessage distributes messages across a network of peers running the Bitmessage software. Unlike both Bitcoin and e-mail, Bitmessage ``addresses'' are cryptographically derived sequences that help encrypt a message's contents automatically. That means that many parties help store and deliver the message, but only the intended recipient can read it. Another option obscures the sender's identity; an alternate address sends the message on her behalf, similar to the anonymous ``re-mailers'' that arose from the cypherpunk movement of the nineteen-nineties.

Another ambitious project, Namecoin, is a P2P system almost identical to Bitcoin. But instead of currency, it functions as a decentralized replacement for the Internet's Domain Name System. The D.N.S. is the essential ``phone book'' that translates a Web site's typed address (www.newyorker.com) to the corresponding computer's numerical I.P. address (192.168.1.1). The directory is decentralized by design, but it still has central points of authority: domain registrars, which buy and lease Web addresses to site owners, and the U.S.-based Internet Corporation for Assigned Names and Numbers, or I.C.A.N.N., which controls the distribution of domains. The infrastructure does allow for large-scale takedowns, like in 2010, when the Department of Justice tried to seize ten domains it believed to be hosting child pornography, but accidentally took down eighty-four thousand innocent Web sites in the process.

Instead of centralized registrars, Namecoin uses cryptographic tokens similar to bitcoins to authenticate ownership of ``.bit'' domains. In theory, these domain names can't be hijacked by criminals or blocked by governments; no one except the owner can surrender them.

Solutions like these follow a path different from Mailpile and ArkOS. Their peer-to-peer architecture holds the potential for greatly improved privacy and security on the Internet. But existing apart from commonly used protocols and standards can also preclude any possibility of widespread adoption. Still, Novak said, the transition to an Internet that relies more extensively on decentralized, P2P technology is ``an absolutely essential development,'' since it would make many attacks by malicious actors -- criminals and intelligence agencies alike -- impractical.

Though Snowden has raised the profile of privacy technology, it will be up to engineers and their allies to make that technology viable for the masses. ``Decentralization must become a viable alternative,'' said Cook, the ArkOS developer, ``not just to give options to users that can self-host, but also to put pressure on the political and corporate institutions.''

``Discussions about innovation, resilience, open protocols, data ownership and the numerous surrounding issues,'' said Redecentralize's Bolychevsky, ``need to become mainstream if we want the Internet to stay free, democratic, and engaging.''

------------------------------

Date: Mon, 16 Dec 2013 11:25:12 PST
From: "Peter G. Neumann"
Subject: The Dumbest Privacy Case of the Year

In Dave Farber's IP distribution, Stewart Baker contributed an item with the above subject line, with three candidates for such an award. Go to Dave's site for all the subtended URLs. I have simplified this for RISKS.

Stewart notes that All Three Awards -- and All the Nominees -- Are Listed Here:
http://www.skatingonstilts.com/skating-on-stilts/dubious-achievements-in-privacy-law-introducing-the-2013-privies.html

a. Boston Police Department (Commissioner William Evans)
   Record Your Talk with Boston Police, Face Felony Wiretap Charges

When Taylor Harding called the Boston Police Department's press spokesman about his case, he recorded the call and posted it to YouTube. At which point the Boston police charged him with felony wiretapping. Pretty stupid, but don't blame the cops. Blame privacy law. Under Massachusetts law, it's a righteous bust, thanks to the privacy advocates who persuaded the Massachusetts legislature that both participants in a call had to agree before the call could be recorded. Spurred by a technological panic, the legislature couldn't have been clearer about its intent: "The uncontrolled development and unrestricted use of modern electronic surveillance devices pose grave dangers to the privacy of all citizens of the Commonwealth.
Therefore, the secret use of such devices by private individuals must be prohibited.'' Chalk up another unintended consequence for privacy advocates trying to stop the march of technology. As the tools for recording conversations and even video spread to everyone, the two-party consent law doesn't make sense and is mostly enforced only on behalf of the rich and powerful. So this case was almost nominated in the category "Worst Use of Privacy Law to Protect Power and Privilege." But in the end, the Boston Police Department was ridiculed into dropping the case. Turns out that the police don't quite have as much power and privilege as the technorati. Which is really only comforting if you think the technorati lynch mob will never come for you. b. Joffe v. Google (Hon. Jay Bybee, Ninth Circuit) "Radio Waves Aren't Radio. Publicly Accessible Broadcasts Aren't Publicly Accessible. And #$kjhi&#^- ..." When Google's Street View car collected wi-fi signals from the homes and businesses it passed, it only gathered information that anyone could have gathered without leaving the street. The users who hadn't secured their wi-fi signals decided to shoot the messenger, suing Google for illegally wiretapping them. Kind of a long shot legal claim, since the law exempts the capturing of radio broadcasts and publicly accessible communications; there's not much doubt that wi-fi uses radio waves and can be accessed by the public if it's not secured. But Judge Bybee of the Ninth Circuit wasn't deterred by either of the barriers to holding Google liable. He decided that radio communications are only those things we hear on the AM-FM dial. As for being publicly accessible, he writes, why that's ridiculous: if you listened to wi-fi signals on an AM radio, "they would sound indistinguishable from random noise." Come to think of it, so does this opinion. c. FTC v. 
LabMD (Federal Trade Commission) Stupid Mistake + Media Coverage = Unfair Practice When LabMD set up security for its network, it didn't expect a rogue employee to poke holes in its security by running Limewire, a program notorious for sharing pirated music -- as well as any business or personal records that happen to be on the same network. And it certainly didn't expect a complaint from the Federal Trade Commission when Limewire shared a spreadsheet with customer data. There's no doubt that LabMD made a mistake, and a bad one. But the Federal Trade Commission isn't empowered to correct every mistake made by American businesses. It only has authority to charge companies that have committed "unfair practices." What LabMD did may have been dumb; it may have been sloppy; but you've got to strain pretty hard to call it an unfair practice. The FTC has been trying for years to become America's privacy and security enforcer. For just as long, Congress has refused to give it that role. You have to admire an agency with the *cojones* to argue that it can make up its own legal authority as well as the offenses that it chooses to punish. Maybe if you look closely at the seal, you can see the agency's true motto: "Whatever It Takes: Finding Ways To Punish Companies Criticized by the New York Times Since 1914." d. The Gmail Wiretapping Claims (Hon. Lucy Koh, N.D. Cal.) Judge Uncovers Wiretap Plot with 425 Million Co-Conspirators Is there anyone left who doesn't know that Google provides free email and pays for it by serving ads tied to the content of your correspondence? In fact, it's the most popular free email service on the planet, endorsed by 425 million subscribers who voted with their feet for Gmail. 
Apparently the Gmail business model was news to Lucy Koh, a federal judge in San Francisco, who decided that all 425 million Gmail subscribers were dopes who couldn't possibly have consented to Google's automated scanning of email content, even though its terms of service said the company reserved the right to "pre-screen, review, flag, [or] modify ... any or all Content from any Service." That language didn't count, Judge Koh said, because it didn't tell consumers that Google was reviewing the mail to provide ads as well as to find objectionable content. Maybe Google could have written a clearer (though longer and therefore less readable) document. But the effect of Judge Koh's tortured reading was to make Google potentially liable under the wiretap laws for tapping the communications of all 425 million users, plus everyone they wrote to. At $10,000 per violation, that's a pretty heavy price for free email.

Not to mention that, if you were one of the 424,999,999 subscribers who actually understood the business model, it looks as though Judge Koh just exposed you to liability for aiding and abetting the wiretapping of everyone you slyly tricked into exchanging mail with you. In fact, the result was so strained that it couldn't even persuade a magistrate in the same court, who read her opinion and ruled the other way despite being outranked by Judge Koh. Oh, and those spam filters you couldn't live without? In a footnote, Judge Koh suggests they're wiretapping too unless they have a consent clause that even a federal judge can understand.

Before this decision, Judge Koh was most famous for telling an attorney for Apple that he must be "smoking crack." Judge Koh, in contrast, seems intent on smoking the rubble of the Internet economy.

------------------------------

Date: Wed, 18 Dec 2013 10:06:09 -0800
From: Gene Wirchenko
Subject: "Where pass-the-hash attacks could be hiding" (Roger Grimes)

Roger A. Grimes | InfoWorld, 17 Dec 2013

Windows computer and service accounts, as opposed to user accounts, can be especially vulnerable to hash theft. Here's how to reduce the risk.
http://www.infoworld.com/d/security/where-pass-the-hash-attacks-could-be-hiding-232757

------------------------------

Date: 5 Dec 2013 14:58:51 -0500
From: "Bob Frankston"
Subject: Re: New FCC Chairman appears to simultaneously endorse Net Neutrality and letting ISPs crush Net services and consumers (RISK-27.63)

When a scientist sees such a contradiction, it's an indication that there is an error in the hypothesis or statement of the problem. In this case we have yet another reminder that today's telecommunications policies, modeled on the ICC which regulated railroads, no longer make sense now that value is created outside of the networks. Yet we continue to treat each of these symptoms on their own. It's like spending all our time analyzing each new perpetual motion machine without figuring out the principles of thermodynamics.

Part of this is the risk of failing to see that business models are subject to the same reality checks as technology. Science isn't just about physics -- it's about learning from counterexamples. By ascribing these symptoms to moral failings -- bad policies by bad people -- we fail to learn and simply repeat history.

The bigger risk, perhaps, is that these just-so stories dominate the public forum to the point that saying something like "another perpetual motion machine" seems like crying wolf.

  [Further discussion on Dave Farber's IP. PGN]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
 The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r .
 ==> PGN's comprehensive historical Illustrative Risks summary of one liners: for browsing, or .ps for printing is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 27.64
************************