Subject: Risks Digest 30.02

RISKS-LIST: Risks-Forum Digest  Thursday 15 December 2016  Volume 30 : Issue 02

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Thunderbird Felled by Sticky Button (AirForceMag)
Yahoo Says 1 Billion User Accounts Were Hacked (NYT)
More details on massive new Yahoo hack -- it only gets worse
  (Business Insider via LW)
Stolen Yahoo Data Includes Government Employee Information (DataCenterKnowledge)
Interview with Charles Delavan on Podesta's e-mail (Slate)
Colorado election omits more than 20,000 ballots (The DenverChannel)
Uber said it protects you from spying. Security sources say otherwise
  (RevealNews)
Bruce Schneier's latest CryptoGram (PGN)
Value of having a computer at home is mixed (WashPo item via Ridgely C. Evers)
Re: SHAME ON YOU, GOOGLE! (Craig Burton)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 15 Dec 2016 7:04:16 PST
From: "Peter G. Neumann"
Subject: Thunderbird Felled by Sticky Button (AirForceMag)

  [Thanks to Todd Carpenter.  PGN]

The Thunderbirds aerial demonstration team F-16 that crashed in Colorado on
2 Jun 2016 -- minutes after a flyby of the Air Force Academy graduation,
attended by President Obama -- was done in by a stuck button on the
throttle, the service announced Wednesday.

Normally the throttle won't move all the way to cutoff unless the button is
depressed, but the button had become stuck in the depressed position due to
accumulated metallic debris, stray lubricant, a misaligned clevis pin, and
wear on the spring mechanism, USAF's official accident investigation found.

The pilot, Maj. Alex Turner, inadvertently rotated the throttle to the
engine cutoff position, and by the time he realized what had happened, was
too low to restart the engine, though he attempted to do so. Turner delayed
ejection for a few seconds to steer the jet away from a house. He ejected
with only minor injury, was picked up, and was later introduced to Obama.

Though the Air Force said it will not comment on disciplinary action, Turner
apparently was considered blameless in the accident because he was promptly
returned to flying duty. Though the jet, tail No. 92-3890, seemingly landed
upright and largely intact, it was declared a total loss, at a value of
$29.4 million.

Technical orders have been changed to require a more thorough regular
inspection of the mechanism and the proper alignment of the pin. The
accident board wrote that "a significant number of sticky throttle triggers
in F-16 history have led to hardware changes that have reduced but not
eliminated the number of occurrences" of this problem. The throttle was
recovered intact and the investigation team operated the button 50 times,
finding that the button got stuck about 36 percent of the time.

http://www.airforcemag.com/AircraftAccidentReports/Documents/2016/060216_F16CJ_ElPasoCounty.pdf

------------------------------

Date: Wed, 14 Dec 2016 14:48:10 -0800
From: Lauren Weinstein
Subject: Yahoo Says 1 Billion User Accounts Were Hacked

[via NNSquad]

Yahoo, already under a cloud from its summertime disclosure that 500 million
user accounts had been hacked in 2014, disclosed Wednesday that another
attack a year earlier had compromised more than 1 billion Yahoo accounts.

The newly disclosed attack involved more sensitive user information,
including unencrypted security questions. Yahoo is forcing all of the
affected users to change their passwords and it is invalidating the security
questions.

Yahoo had agreed to sell its core businesses to Verizon Communications for
$4.8 billion. Verizon said that it might seek to renegotiate the terms of
the transaction after the first hacking was disclosed. It's unclear how the
newest information will affect its view of the purchase.

http://www.nytimes.com/2016/12/14/technology/yahoo-hack.html?partner=rss&emc=rss

Security Questions are potential security disasters, especially if you give
"correct" answers to the typical ones.  [LW]

------------------------------

Date: Wed, 14 Dec 2016 16:53:27 -0800
From: Lauren Weinstein
Subject: More details on massive new Yahoo hack -- it only gets worse

http://www.businessinsider.com/yahoo-data-breach-billion-accounts-2016-12

"The company has not been able to identify the intrusion associated with
this theft," Yahoo said on Wednesday about the new incident ...

With a billion accounts at risk, that would make this the biggest breach
ever -- bigger than the Myspace breach of 360 million user accounts and 427
million passwords.

Yahoo said that payment-card data and bank-account information were not
stored on the system the company "believes" was affected. But the hackers
may have collected a trove of other valuable personal information, such as
user names, email addresses, telephone numbers, dates of birth, hashed
passwords, and, in some cases, encrypted or unencrypted security questions
and answers.

Anyone now willing to pay more than $0 for Yahoo is an idiot.

------------------------------

Date: Thu, 15 Dec 2016 10:01:41 -0800
From: Lauren Weinstein
Subject: Stolen Yahoo Data Includes Government Employee Information

http://www.datacenterknowledge.com/archives/2016/12/15/stolen-yahoo-data-includes-government-employee-information/

More than 150,000 U.S. government and military employees are among the
victims of Yahoo! Inc.'s newly disclosed data breach, and their names,
passwords, telephone numbers, security questions, birth dates, and backup
e-mail addresses are now in the hands of cybercriminals. It's a leak that
could allow foreign intelligence services to identify employees and hack
their personal and work accounts, posing a threat to national security.
These employees had given their official government accounts to Yahoo in
case they were ever locked out of their e-mail.

  [Bottom line: Cookies hacked.  PGN]

  [PGN notes: See also]

Yahoo Says It Was Hacked. Here's How to Protect Yourself.
http://www.nytimes.com/interactive/2016/technology/personaltech/what-to-do-if-hacked.html

https://techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/

http://www.infoworld.com/article/3150706/security/yahoo-reports-massive-data-breach-involving-1-billion-accounts.html

Important Security Information for Yahoo Users
http://www.businesswire.com/news/home/20161214006239/en/

------------------------------

Date: Thu, 15 Dec 2016 12:01:17 PST
From: "Peter G. Neumann"
Subject: Interview with Charles Delavan on Podesta's e-mail (Slate)

http://www.slate.com/articles/technology/future_tense/2016/12/an_interview_with_charles_delavan_the_it_guy_whose_typo_led_to_the_podesta.html

I called up Charles Delavan because I thought he was lying.

Delavan, 29, has achieved a measure of infamy among politicos and security
wonks as the IT guy who assured John Podesta that a phishing email intended
to steal his Gmail password was "a legitimate email." The detail emerged in
an October WikiLeaks dump and was reported as a stunning example of
incompetence on the part of the Hillary Clinton campaign's tech team.
Podesta or one of his aides, it seemed, had initially been suspicious of the
email but went ahead and opened the fateful link after Delavan vouched for
its authenticity.

But a front-page *New York Times* article published Tuesday gave the story
an almost incredible twist. *The Times* quotes Delavan as saying that he
actually recognized that the email was a hoax -- but mistakenly typed the
word legitimate when he meant to type illegitimate. The implication was that
the Clinton campaign was compromised not by incompetence, but by a slip of
the fingers. The anecdote triggered headlines around the web: "A Typo Might
Have Cost Clinton the Election," gushed the Week.

[...]

If Delavan had meant to type *illegitimate* rather than *legitimate*, why
did he preface it with the article *a* rather than *an*? Was that a typo,
too? Moreover, if Delavan's goal had been to warn Podesta that the email was
a scam, you'd think he would have told Podesta not to follow its
instructions and not to click on the "change password" link therein.
Instead, he followed his assertion that the email was "legitimate" by
reiterating to Podesta the instructions contained in the email itself,
almost to the word. The phishing email told Podesta, "You should change your
password immediately" -- which is exactly what Delavan told him. So Delavan
not only called the email "legitimate," he practically ordered Podesta to do
what it said.

All of which led me immediately to suspect something rather uncharitable of
Delavan: that he not only fell for the phishing scheme but that he
subsequently lied about it to *The New York Times*, perhaps trying to pass
it off as a typo because he was too embarrassed to admit the truth. (A quick
search of Twitter made it clear that I was not the only one who suspected
this.)

I doubted I could actually get a hold of Delavan to confront him with my
hypothesis. I figured he would have retreated from the public Internet
months ago. Still, I figured it was worth a shot. The first thing I tried
was to call the cellphone number contained in his email itself, which is
still publicly available on WikiLeaks' site.

He picked up on the second ring.

------------------------------

Date: Thu, 15 Dec 2016 7:02:14 PST
From: "Peter G. Neumann"
Subject: Colorado election omits more than 20,000 ballots

More than 20K ballots in Colorado not counted because of signature
discrepancies, ID problems
http://www.thedenverchannel.com/news/politics/more-than-20k-ballots-in-colorado-not-counted-because-of-signature-discrepancies-id-problems

DENVER -- More than 21,000 General Election ballots in Colorado weren't
counted because voters either failed to verify discrepancies in their
signatures, didn't sign their ballots or didn't verify their registration
with a form of identification.

The Colorado Secretary of State's Office certified the state's election
results late last week. The certified results show 2,859,216 ballots were
cast -- a number that differed from a spreadsheet released by the office
Dec. 5 -- before the results were certified -- that showed more than 2.88
million ballots had been counted.

The 2016 General Election was the first presidential election in which
Colorado used a mail-in ballot system. Registered voters were mailed a
ballot weeks before Election Day and had to either mail them back or drop
them off at their county clerk's office or drop-off locations.

Each ballot required a signature that matched the signature on the person's
voter registration form in order to minimize any possible voter fraud. If
there were discrepancies, those people had eight days to verify their
signatures with their local county clerk after Election Day, lest their
ballot not count.

Lynn Bartels, a spokeswoman for the Secretary of State's Office, said there
were a total of 21,408 ballots that were mailed in or dropped off that
weren't counted because of the various discrepancies.

Ballots with signature discrepancies amounted to the largest group that
weren't counted; 16,209 ballots had signatures that weren't verified. A
total of 2,606 ballots weren't signed at all, and Bartels said 2,593 ballots
weren't counted because no identification to verify a person's registration
was provided.

Many of the ballots not counted because a person's identity wasn't verified
likely came from people who registered through voter registration drives or
who registered late and needed to provide a copy of a U.S. or Colorado ID in
order for their vote to count.

[...]

------------------------------

Date: Thu, 15 Dec 2016 11:25:35 -0500
From: Monty Solomon
Subject: Uber said it protects you from spying. Security sources say otherwise

Uber said it protects you from spying. Security sources say otherwise
https://www.revealnews.org/article/uber-said-it-protects-you-from-spying-security-sources-say-otherwise/

------------------------------

Date: Thu, 15 Dec 2016 6:59:32 PST
From: "Peter G. Neumann"
Subject: Bruce Schneier's latest CryptoGram

Bruce's new CryptoGram contains his thoughts on these two items (among
others).

  My Priorities for the Next Four Years
  Hacking and the 2016 Presidential Election

See https://www.schneier.com/crypto-gram.html for the entire issue.

------------------------------

Date: December 14, 2016 at 3:04:01 PM
From: "Evers Ridgely C."
Subject: Value of having a computer at home is mixed

  [I wonder if a similar study couldn't show that having books at home had
  a similar mixed value.  DFJ]

Several years ago, economists conducted a fascinating and first-of-its-kind
experiment to answer that question. Some of the latest results from that
project, which were released Monday in a working paper from the National
Bureau of Economic Research, show that the benefits of having a computer at
home are subtle and somewhat counterintuitive.

https://www.washingtonpost.com/news/wonk/wp/2016/12/14/giving-children-computers-basically-does-the-opposite-of-what-you-expect/

------------------------------

Date: Thu, 15 Dec 2016 11:18:33 +1100
From: Craig Burton
Subject: Re: SHAME ON YOU, GOOGLE! (Weinstein, RISKS-30.01)

  >[google] should clearly label [holocaust denier page] as being
  >false, a lie, or at least as having no credibility.

Call it "CredRank".

If you search Google for "is the earth flat" you get a top listed hit and
Google extract offering ten reasons why the earth is flat. I'm guessing this
is Google's PageRank finding *only answers going against* what is widely
assumed knowledge -- because why would there be web pages bothering to
simply state the opposite of an example of broad knowledge is false? Also, I
suspect there are infinitely many ways of asking about *the opposite of* a
single truth (Albert Einstein had something to say about this).

The problem is a serious one but I wonder if Google can act. Google would
not maintain a kind of reverse page-rank for web garbage pages. There would
be no commercial reason to do this since high ranking garbage pages would be
of no value for AdSense. And there would be a lot of them. I even wonder if
there may be pages specifically to trap and monetise diligent fake news
verification questions to Google like "Is Hillary Clinton Ill?".

I don't care if some people think the earth is flat so long as they aren't
commercial pilots. But I do think Google could run a bucket list of top
history-denier questions a reasonable person would consider hate speech and
handle them specially, as a public service. Still even this might be, as
Google says in its hate speech policy, "a delicate balancing act".

Either that or we all sit down and write competing web pages specifically
addressing questions like "Are less intelligent than ? NO" and perhaps a
billion others? I'll do this over the Christmas break.

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 30.02
************************