precedence: bulk Subject: Risks Digest 30.37 RISKS-LIST: Risks-Forum Digest Friday 14 July 2017 Volume 30 : Issue 37 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at as The current issue can also be found at Contents: DIY devices let car owners add autonomous features to vehicles (Carolyn Said via PGN) Kaspersky in the crosshairs (Engadget) Requested voter details may be gold for cybercriminals (John Wildermuth) On the request for states to provide all personal info on voters (The Washington Post) FTC Halts Operation That Unlawfully Shared and Sold Consumers' Sensitive Data (FTC) Two Former Employees of House Member Indicted On Federal Charges in Cyberstalking Case (DoJ) The White House just posted the emails of critics without censoring sensitive personal information (Vox via Lauren Weinstein) Beware of a new scam involving "relatives" and gift cards (CBS) Computerization and overnight train service (Mark Brader) Why fact-checking 'fake news' stories is a waste of time (WeForum) Web gets built-in copy protection hooks with a few key flaws (Engadget) "Charging Phone Kills 14-Year-Old Girl in Bathtub" (Harriet Sinclair) Funny how these articles are all the same... (Gabe Goldberg) Woman's selfie causes $200,000 of damage to LA art exhibit (Pamela Ng) FDA Deal Would Relax Rules on Reporting Medical Device Problems (The New York Times) Judges refuse to order fix for court software that put people in jail by mistake (Ars Technica) Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts (UpGuard) Backdoor built in to widely used tax app seeded last week's NotPetya outbreak (Ars Technica) Hackers have been stealing credit card numbers from Trump's hotels for months (The Washington Post) Everybody lies: how Google search reveals our darkest secrets (The Guardian) Re: Volvo admits its self-driving cars are confused by kangaroos (Dave Horsfall) Re: Western tech firms bow to Russian demands to share cybersecrets (Anthony Youngman) Press kits or other publications on thumb drives? (Gabe Goldberg) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 12 Jul 2017 16:33:21 PDT From: "Peter G. Neumann" Subject: DIY devices let car owners add autonomous features to vehicles Carolyn Said, San Francisco Chronicle, Business Report, C1, 7 Jul 2017 (PGN-ed) The original goal of some developers was to provide kits to enable owners to retrofit conventional cars to be self-driving. The article mentions Panda, OpenPilot, Chffr, Cabana, Comma, Neodriven, and more. ``The adaptive cruise-control from Honda Sensing is almost embarrassing in bumper-to-bumper traffic; it drives just like a 16-year-old just learning.'' Fascinating article, but lacking in assurance that nothing bad is likely to happen. Risks (totally unmentioned, and often left to the imagination of RISKS readers) might include (for example), * Tinkering with (enhancing) the kits * Disabling kit-provided safety features, intentionally or unintentionally? * Providing new or augmented kits that can alter the hardware and software of off-the-shelf kit-based hand-tinkered conventional cars, or in emerging self-driving cars * Disrupting surrounding vehicles (e.g., passing in heavy traffic, or jamming communications of neighboring vehicles), circumventing rules and regulations, and lots more. ------------------------------ Date: Fri, 14 Jul 2017 15:25:05 -0700 From: Lauren Weinstein Subject: Kaspersky in the crosshairs (Engadget) via NNSquad https://www.engadget.com/2017/07/14/kaspersky-in-the-crosshairs/ Kaspersky is in what you might call "a bit of a pickle." The Russian cybersecurity firm, famous for its antivirus products and research reports on active threat groups is facing mounting accusations of working with, or for, the Russian government. These accusations have been made in press and infosec gossip for years. In the past month there's been more scuttlebutt in the press, an NSA probe surfaced, and the Senate got involved by pushing for a product ban. This week things reached a peak with fresh accusations from Bloomberg and a surprising attack from the Trump administration. Which is odd, considering how eager the current regime is to please and grease the wheels of its Russian counterparts. Either way, Kaspersky is really in a tight spot this time. The hammer dropped Tuesday when Bloomberg published Kaspersky Lab Has Been Working With Russian Intelligence. It comes from the same reporters who started 2015's "banyagate," in which Kaspersky Lab Has Close Ties to Russian Spies alleged CEO Eugene Kaspersky colluded with Russian intel in secret sauna meetings. ------------------------------ Date: Fri, 7 Jul 2017 7:49:57 PDT From: "Peter G. Neumann" Subject: Requested voter details may be gold for cybercriminals (John Wildermuth) John Wildermuth, *San Francisco Chronicle*, front page, 7 Jul 2017 The article caption tells it all for RISKS readers. "Kobach could be setting up a one-stop shop of personal information that would be a treasure trove not only for shady online entrepeneurs, but also for identity thieves and criminal hackers." ------------------------------ Date: Mon, 10 Jul 2017 17:43:57 PDT From: "Peter G. Neumann" Subject: On the request for states to provide all personal info on voters https://www.washingtonpost.com/local/public-safety/trump-voting-panel-tells-states-to-hold-off-sending-data-while-court-weighs-privacy-impact/2017/07/10/c4c837fa-6597-11e7-a1d7-9a32c91c6f40_story.html Trump voting panel tells states to hold off sending data while court weighs privacy impact President Trump's voting commission on Monday asked states and the District to hold off submitting the sweeping voter data the panel had requested until a federal judge in Washington decides whether the White House has done enough to protect Americans' privacy. The Electronic Privacy Information Center (EPIC), a watchdog group, has asked U.S. District Judge Colleen Kollar-Kotelly to block the commission's data request, arguing that the panel had not conducted the full privacy impact statement required by federal law for new government electronic data-collection systems. Separately Monday, two civil liberties groups filed lawsuits to prevent the commission from holding its first scheduled meeting next week, alleging that the panel had been working in secret and in violation of government regulations on public transparency. The two new lawsuits add to the potential roadblocks faced by the commission, whose request for voting information from more than 150 million registered voters has drawn bipartisan criticism across the states as an assault on privacy and states' rights and a stealth attempt at voter suppression. [...] ------------------------------ Date: Fri, 7 Jul 2017 10:29:26 -0400 From: Monty Solomon Subject: FTC Halts Operation That Unlawfully Shared and Sold Consumers' Sensitive Data (FTC) Lead generation firm earned millions by falsely promising to match consumers with low-rate loans https://www.ftc.gov/news-events/press-releases/2017/07/ftc-halts-operation-unlawfully-shared-sold-consumers-sensitive ------------------------------ Date: Thu, 13 Jul 2017 20:31:36 -0400 From: Gabe Goldberg Subject: Two Former Employees of House Member Indicted On Federal Charges in Cyberstalking Case (DoJ) WASHINGTON – Two former staff employees of a member of the U.S. House of Representatives have been indicted following an investigation into the circulation of private, nude images and videos of the member and the member's spouse, announced U.S. Attorney Channing D. Phillips and Matthew R. Verderosa, Chief of the United States Capitol Police. ... The indictment alleges that, during the course of his employment, McCullum offered in March 2016 to assist the House member in repairing the member’s malfunctioning, password-protected cellular iPhone by taking the device to a local Apple store. According to the indictment, the House member provided McCullum with the device solely to have the iPhone repaired. McCullum was not given permission to take, copy, or distribute any of the contents of the iPhone. The iPhone contained the private, nude images and videos. https://www.justice.gov/usao-dc/pr/two-former-employees-house-member-indicted-federal-charges-cyberstalking-case Well, of course -- what could go wrong? ------------------------------ Date: July 14, 2017 at 4:31:10 PM EDT From: Lauren Weinstein Subject: The White House just posted the emails of critics without censoring sensitive personal information INCOMPETENT and ILLEGAL! https://www.vox.com/policy-and-politics/2017/7/14/15973464/white-house-election-integrity-doxx The White House just responded to concerns it would release voters' sensitive personal information by releasing a bunch of voters' sensitive personal information. Last month, the White House's "election integrity" commission sent out requests to every state asking for all voters' names, party IDs, addresses, and even the last four digits of their Social Security numbers, among other information. The White House then said this information would be made available to the public. A lot of people did not like the idea, fearing that their personal information could be made public. So some sent emails to the White House, demanding that it rescind the request. This week, the White House decided to make those emails from concerned citizens public through the commission's new website. But the administration made a big mistake: It didn't censor any of the personal information -- such as names, email addresses, actual addresses, and phone numbers -- included in those emails. In effect, the White House just released the sensitive personal information of a lot of concerned citizens giving feedback to their government. That's made even worse by the fact that the White House did this when the thing citizens were complaining about was the possibility that their private information would be made public. As of Friday afternoon, the emails are still uncensored and available on the White House's website. They include all sorts of feedback, from concerns about privacy to outright insults of the Trump administration. One email just links to an image of the terrifying pornographic meme Goatse. (Do not Google this if you value your eyes.) ------------------------------ Date: Fri, 7 Jul 2017 09:04:03 -0400 From: Monty Solomon Subject: Beware of a new scam involving "relatives" and gift cards (CBS) In a new twist on an old phone scam, criminals are preying on family ties by asking people to buy gift cards to help relatives they falsely claim are in trouble. http://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/ ------------------------------ Date: Sun, 9 Jul 2017 00:11:51 -0400 (EDT) From: msb@vex.net (Mark Brader) Subject: Computerization and overnight train service Once upon a time, if you were operating a train service and you decided to extend its operating hours to run all night, your only concerns would be finding the staff to operate it, and what to do about maintenance that formerly occurred during the nightly downtime. Last year the London Underground began two nights per week of all-night operations on some lines, with continuous service from Friday morning through Sunday evening. And according to Mark Curran in the June issue of "Modern Railways" magazine: | The greatest single cost in implementing Night Tube has been | modifications to the signalling systems, which were not designed | to operate through the end/beginning of the traffic day at 03:00. | The next day's timetables are uploaded around this time and the | signalling and control systems undertake various test routines. | | The typical issues were self-tests bringing all trains to | a halt... loss of train control data... loss of any customer | information on the train or platform, and extended periods when | trains would need to be manually signalled. | | ...The ticketing system on the Underground was also not designed to | operate through the end/beginning of the ticketing day at 04:30... | a customer touching in at 04:15 and out at 04:45 would be charged | two incomplete single journeys... Of course the systems would not have been designed this way if overnight service had already been contemplated when they were introduced. ------------------------------ Date: Mon, 10 Jul 2017 16:41:35 -0700 From: Lauren Weinstein Subject: Why fact-checking 'fake news' stories is a waste of time (WeForum) via NNSquad https://www.weforum.org/agenda/2017/07/why-fact-checking-fake-news-stories-is-a-waste-of-time A new study suggests that fact-checking has little influence on what online news media covers, and fact-checks of false news stories spreading online--"fake news"--may use up resources newsrooms could better use covering substantive stories. Don't bother fact checking them. When they're clearly false by reasonable objective measures, delete them -- or alternatively, de-rank them into oblivion in search results and post surfacing algorithms. ------------------------------ Date: Sat, 8 Jul 2017 11:10:45 -0700 From: Lauren Weinstein Subject: Web gets built-in copy protection hooks with a few key flaws via NNSquad https://www.engadget.com/2017/07/08/w3c-approves-built-in-web-copy-protection-hook/ Like it or not, the web is getting some built-in padlocks. The World Wide Web Consortium has decided to publish Encrypted Media Extensions, a standard for hooking copy protection into web-based streaming video, without making significant changes to a version agreed to in March. While it's not perfect, the W3C argues (you still need to deal with a vendor's content decryption module), it's purportedly better than the make-it-yourself approach media providers have to deal with right now. There do appear to be some improvements to the status quo for digital rights management. However, there are more than a few detractors -- there are concerns that the W3C simply ignored concerns in the name of expediency. This really has become necessary. ------------------------------ Date: Wed, 12 Jul 2017 19:38:55 -0700 From: Gene Wirchenko Subject: "Charging Phone Kills 14-Year-Old Girl in Bathtub" (Harriet Sinclair) [There is something to be said for understanding the basics of technology. GW] Harriet Sinclair, *Newsweek*, 11 Jul 2017 http://www.newsweek.com/teenager-madison-coe-killed-after-using-cell-phone-bath-635208 opening text: A teenager has been killed after using her cell phone in the bath and suffering an electric shock. Madison Coe, 14, died at her father's home in Lovington, New Mexico, on Sunday in an accident her family said took place when she either plugged in her phone or reached for a phone that was already plugged into the wall while she was in the bath. ------------------------------ Date: Thu, 13 Jul 2017 17:34:05 -0400 From: Gabe Goldberg Subject: Funny how these articles are all the same... https://www.linkedin.com/pulse/realizing-potential-blockchain-don-tapscott ...repeating "It's wonderful" with no details how it works. An encryption-savvy colleague has said this quickly gets into the weeds -- but how about clues on how (for example (quoting): Realizing the Potential of Blockchain Innovators are programming this new digital ledger to record anything of value to humankind – birth and death certificates, marriage licenses, deeds and titles of ownership, rights to intellectual property, educational degrees, financial accounts, medical history, insurance claims, citizenship and voting privileges, location of portable assets, provenance of food and diamonds, job recommendations and performance ratings, charitable donations tied to specific outcomes, employment contracts, managerial decision rights and anything else that we can express in code. --- It's always proof by assertion with NO insight how these wildly different functions will be implemented. And regarding this idea -- give me a break, put everyone's IoT online for sharing? What could go wrong with THAT? The emperor may actually have a fine wardrobe but I'm awaiting the fashion show. Paul Brody, principal and global innovation leader of blockchain technology at Ernst & Young, thinks that all our appliances should donate their processing power to the upkeep of a blockchain: “Thanks to the smartphone business driving very low-cost systems, your lawnmower or dishwasher is going to come with a CPU that is probably a thousand times more powerful than it actually needs, so why not have the appliance mine? Not to make money, but to contribute to the security and viability of the blockchain as a whole,” he said. ------------------------------ Date: Fri, 14 Jul 2017 12:14:21 -0600 From: Jim Reisert AD1C Subject: Woman's selfie causes $200,000 of damage to LA art exhibit (Pamela Ng) Pamela Ng, Fox News, 14 Jul 2017 http://www.foxnews.com/tech/2017/07/14/womans-selfie-causes-200000-damage-to-la-art-exhibit.html A woman taking a selfie at a Los Angeles art exhibit sent shockwaves around the room after knocking over several displays, causing $200,000 in damage. The unidentified woman was at The 14th Factory for the "Hypercaine" installation when she appeared to crouch down in front of one of the displays for a photo and fall backwards, video of the incident shows. ------------------------------ Date: Thu, 13 Jul 2017 23:14:05 -0400 From: Monty Solomon Subject: FDA Deal Would Relax Rules on Reporting Medical Device Problems The makers of cardiac defibrillators, insulin pumps, breast implants and other devices will be able to delay the reporting of malfunctions under an agreement headed to Congress. https://www.nytimes.com/2017/07/11/health/fda-medical-device-problems-rules.html ------------------------------ Date: Wed, 28 Jun 2017 23:42:34 -0400 From: Monty Solomon Subject: Judges refuse to order fix for court software that put people in jail by mistake (Ars Technica) https://arstechnica.com/tech-policy/2017/06/appeals-court-public-defender-lacks-standing-in-dispute-over-court-software/ ------------------------------ Date: Fri, 14 Jul 2017 09:49:54 -0400 From: Monty Solomon Subject: Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts (UpGuard) https://www.upguard.com/breaches/verizon-cloud-leak ------------------------------ Date: Mon, 10 Jul 2017 08:39:12 -0400 From: Monty Solomon Subject: Backdoor built in to widely used tax app seeded last week's NotPetya outbreak Operation that hit thousands was “thoroughly well-planned and well-executed.” https://arstechnica.com/security/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/ ------------------------------ Date: Wed, 12 Jul 2017 21:53:50 -0400 From: Monty Solomon Subject: Hackers have been stealing credit card numbers from Trump's hotels for months This is the third cybersecurity breach to hit the luxury hotel chain since 2014. https://www.washingtonpost.com/news/business/wp/2017/07/11/hackers-have-been-stealing-credit-card-numbers-from-trumps-hotels-for-months/ ------------------------------ Date: Sun, 9 Jul 2017 09:53:26 -0400 From: Monty Solomon Subject: Everybody lies: how Google search reveals our darkest secrets (The Guardian) https://www.theguardian.com/technology/2017/jul/09/everybody-lies-how-google-reveals-darkest-secrets-seth-stephens-davidowitz ------------------------------ Date: Wed, 12 Jul 2017 10:06:48 +1000 (EST) From: Dave Horsfall Subject: Re: Volvo admits its self-driving cars are confused by kangaroos (The Guardian) A colleague told me that the vehicle determines the distance to the object by the apparent height above ground from the camera's point of view, thus a mid-air roo appears to be further away than it really is. And when it lands... Dave Horsfall, Unit 13, 79 Glennie St, North Gosford NSW 2250, Australia ------------------------------ Date: Fri, 7 Jul 2017 20:15:43 +0100 From: Anthony Youngman Subject: Re: Western tech firms bow to Russian demands to share cybersecrets (Ward, RISKS-30.35) Unfortunately, formal methods also lead you to the proof that your formal proof is worthless ... too many people believe (Godel's proof to the contrary notwithstanding) that it is possible to guarantee that systems are bug-free. A formal proof is mathematics. It is only as good as its axioms (which by definition are unprovable). And, as we keep on discovering, all too often reality has a habit of saying "you've got the wrong axioms". To say nothing of Godel's proof that you can NOT get all your axioms right even within the world of logic, let alone align them correctly with reality. Then of course, there is the little problem that any program of any size will likely exhibit knapsack complexity, i.e., an automated proof would take longer than the universe has existed. That's not to decry formal proofs, or even the attempt thereat. They are a very useful tool, but you need to remember that they *guarantee* *nothing* in reality. [Reality guarantees nothing in reality either. It's the total system that counts, including squirrels, cosmic rays, and whatever might bite you. PGN] ------------------------------ Date: Thu, 13 Jul 2017 17:41:24 -0400 From: Gabe Goldberg Subject: Press kits or other publications on thumb drives? [RE:????] Interesting comments on material distributed that way: (E.g., "Blue Cross wants you to insert this USB card into your computer. You'd be safer inserting it into your you-know-what.) https://plus.google.com/+LaurenWeinstein/posts/4TS3iRwjXuo ...of course, how do you check out shrink-wrapped commercial thumb drives products without potentially compromising your systems? ------------------------------ Date: Tue, 10 Jan 2017 11:11:11 -0800 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: ------------------------------ End of RISKS-FORUM Digest 30.37 ************************