AT2k Design BBS Message Area

From: Sean Dennis
To: All
Subject: RISKS
Date: September 30, 2018 10:39 AM

RISKS-LIST: Risks-Forum Digest  Friday 28 September 2018  Volume 30 : Issue 84

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.84>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt&...

  Contents: [Seriously backlogged]
The Plot to Subvert an Election (NYTimes)
In Georgia, a legal battle over electronic vs. paper voting (WashPo)
Wisconsin Officials Prepare for Potential Election Hackers (USNews)
Here's the science behind the Brexit vote and Trump's rise
  (Michele Gelfand, The Guardian)
Democrat pushes changes to protect senators' personal accounts from
  continued threats (WashPo)
Electronic temporary registration (Phil Smith III)
GM Recalls One Million Pickups and SUVs in U.S. for Crash Risk (WSJ)
How Can AI Help to Prepare for Floods in a Climate-Changed World (SciAm)
Major Japanese ramen chain's logo confuses Honda cars' AI
  (Master Blaster)
Florence: At least 13 deaths reported as storm slogs across Carolinas
  (WashPo)
EU Preliminarily Passes Horrific Articles 11 & 13 (Lauren Weinstein)
Seeing Is Now Not Believing Anymore: Researchers Come Out With Yet
  Another Unnerving, New Deepfake Method (Gizmodo)
Google Knows Where You've Been, but Does It Know Who You Are? (NYT)
Uber Glitch Stops Payments To Drivers, Prices Surge (Slashdot)
Bay Area city blocks 5G deployments over cancer concerns (TechCrunch)
Elon Musk said a Tesla could drive itself across the country by 2018.
  One just crashed backing out of a garage (LATimes)
Phishing attacks are targeting students' financial aid, officials say
  (WashPo)
Stealing From a Cashierless Store -- Without You, or the Cameras, Knowing It
  (New York Times)
New Research Can Identify Extremists Online, Even Before They Post
  Dangerous Content (ForensicMag)
Weather Channel: Seeing Is Not Believing, Take 2 (GatewayPundit)
Bug in Bitcoin code also opens smaller cryptocurrencies to attacks (ZDNet)
Quantum computing may *not* be better ... (Rob Slade)
What cardiologists think about the Apple Watch's heart-tracking feature
  (WashPo)
"This Windows file may be secretly hoarding your passwords and emails"
  (ZDnet)
Bloat (Rob Slade)
How to Keep Forever the Music, Movies or Ebooks You 'Buy' on Amazon or
  iTunes (Gabe Goldberg)
Re: "Are Digital Devices Altering Our Brains? (Gene Wirchenko)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 20 Sep 2018 14:41:11 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: The Plot to Subvert an Election (NYTimes)

Unraveling the Russia Story So Far
Scott Shane and Mark Mazzetti
*The New York Times* Special Report, Section F, 20 Sep 2018

F2-F3. As the Trump campaign advanced, Russia stepped up efforts on three
   fronts: hacks and leaks, social media fakery, and outreach to Trump
   associates.

F4-F8. Vladimir Putin was nostalgic for Russia's lost superpower status and
   believed the United States had sought to undermine his presidency.

F9-F10. As hacked emails shook the Democratic Party, Russian online trolls
  reached an audience of nearly as many Americans as would vote in the
  election.

F11-12. President Trump has sown doubts about the federal investigation and
created a new affinity for Russia among his most devoted supporters.

There is also a remarkably comprehensive running timeline (across the tops
of pages F4 to F12), ``showing the full scale of Russia's unprecedented
interference in the 2016 election -- and its aftermath.''  This would be
an invaluable read for people who are deniers (other than those who measure
fine silk or value old European coins).

------------------------------

Date: Sun, 16 Sep 2018 12:15:40 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: In Georgia, a legal battle over electronic vs. paper voting (WashPo)

via NNSquad
https://www.washingtonpost.com/world/national...
e-over-electronic-vs 
-paper-voting/2018/09/16/d655c070-b76f-11e8-94eb-3bd52dfe917b_story.html

  Logan Lamb, a cybersecurity sleuth, thought he was conducting an innocuous
  Google search to pull up information on Georgia's centralized system for
  conducting elections.  He was taken aback when the query turned up a file
  with a list of voters and then alarmed when a subsequent, simple data pull
  retrieved the birth dates, drivers' license numbers and partial Social
  Security numbers of more than 6 million voters, as well as county election
  supervisors' passwords for use on Election Day. He also discovered the
  server had a software flaw that an attacker could exploit to take control
  of the machine.  The unsecured server that Lamb exposed in August 2016 is
  part of an election system -- the only one in the country that is
  centrally run and relies upon computerized touch screen voting machines
  for Georgia's 6.8 million voters -- that is now at the heart of a legal
  and political battle with national security implications.

------------------------------

Date: Mon, 17 Sep 2018 9:23:44 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Wisconsin Officials Prepare for Potential Election Hackers (USNews)

Grigor Atanesian, Wisconsin Center for Investigative Journalism.
https://www.usnews.com/news/best-states/wisco...
=-officials-prepare- for-potential-election-hackers

  [Very long item.  Heavily PGN-excerpted.
  PLEASE READ THE ENTIRE ARTICLE IF YOU SEEK ELECTION INTEGRITY.]

Cybersecurity experts say Wisconsin and many other states have specific
potential vulnerabilities in their election systems, including the use of
private vendors to program and service voting machines.

Madison, Wis. (AP) A private vendor inadvertently introduces malware into
voting machines he is servicing.  A hacker hijacks the cellular modem used
to transmit unofficial Election Day results. An email address is
compromised, giving bad actors the same access to voting software as a local
elections official.  These are some of the potential vulnerabilities of
Wisconsin's election system described by cybersecurity experts.  [...]

In July, the Wisconsin Center for Investigative Journalism reported that
Russian hackers have targeted websites of the Democratic Party of Wisconsin,
the state Department of Workforce Development and municipalities including
Ashland, Bayfield and Washburn. Elections in this swing state are
administered by 1,853 municipal clerks, 72 county clerks and the Wisconsin
Elections Commission.  Top cybersecurity experts from the United States,
Canada and Russia interviewed by the Center said that some practices and
hardware components could make voting in Wisconsin open to a few types of
malicious attacks, and that Russian actors have a record of these specific
actions.  And it is not just Wisconsin -- this is a nationwide threat, the
National Academy of Sciences, Engineering and Medicine stated in its newly
released report, Securing the Vote.  [...]

Former longtime Legislative Audit Bureau manager Karen McKim, a coordinator
for the Madison-based grassroots group Wisconsin Election Integrity, said
many Wisconsin elections officials do not realize "how very much is
completely outside their control.  They really, truly, do believe that if
they keep the individual voting machines unconnected from the Internet and
do pre-election testing, that the software is safe," said McKim, whose group
advocates for measures to secure Wisconsin's elections.  [...]

Dane County Clerk Scott McDonell said large counties in Wisconsin such as
his "typically code their own elections," but "the small ones are
outsourcing.  If I were being paranoid," he added, "I would worry about the
outsourced ones."  [...]

Computer scientist J. Alex Halderman, who was part of the team that pushed
for the 2016 recount of the presidential vote in Wisconsin, told the
U.S. Senate Intelligence Committee that private vendors can make elections
systems vulnerable.  "Attackers could target one or a few of these companies
and spread malicious code to election equipment that serves millions of
voters," Halderman, director of the University of Michigan's Center for
Computer Security and Society, testified in 2017.  [...]

Harri Hursti, an international expert on election cybersecurity and
co-founder of the Voting Machine Hacking Village at the annual DEFCON hacker
conference, agreed. He said that "it is hard to make the claim that anything
using any kind of USB devices can be air-gapped," or physically isolated
from attack.  "USB memory cards are mini-computers," Hursti said, "and we
have known for years how to reprogram those to carry malicious content over
air gaps and extract confidential information."  [...]

Experts said another potential vulnerability is associated with the use of
modems in voting machines across Wisconsin to transmit unofficial Election
Day results.  In some cases, those modems are transmitting results over the
Internet, Haas, the former Elections Commission administrator, acknowledged
in 2016 testimony during the legal battle over Wisconsin's presidential
recount.  [...]

However, computer scientists say that existing defense measures can be
overrun. According to *The New Yorker*, such concerns have prompted four
states -- New York, Maryland, Virginia and Alabama -- to prohibit the use of
machines with modems to transmit election results.  [...]

Another practice criticized by the computer scientists is the use of
cellular technology to transmit unofficial election results. Cellular
networks' security liabilities were detailed in a 2017 U.S. Department of
Homeland Security report, which called for enhanced protections when
governments use cellular technology.  [...]

In February, two Princeton University computer science professors, Andrew
Appel and Kyle Jamieson, published a blog describing possible scenarios to
hack modems used in DS200 paper ballot tabulators, including erecting fake
cellphone towers near voting locations like police do with Stingray devices.
"If your state laws, or a court with jurisdiction, say not to connect your
voting machines to the Internet, then you probably shouldn't use telephone
modems either," they said.  [...]

But even discrepancies between initially reported unofficial results and the
outcome of the election may achieve Russia's goal of sowing discord,
according to FireEye's McNamara.  He is among those cautioning against
becoming too focused on the vulnerabilities of America's vote-tallying
systems. McNamara said the Kremlin's goal may be simpler: "Attacking the
confidence of electoral process itself."  [...]

------------------------------

Date: Mon, 17 Sep 2018 18:53:42 +0900
From: "Dave Farber" <farber@gmail.com>
Subject: Here's the science behind the Brexit vote and Trump's rise
  (Michele Gelfand, The Guardian)

https://www.theguardian.com/commentisfree/201...
e-trump

------------------------------

Date: Thu, 20 Sep 2018 07:27:19 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Democrat pushes changes to protect senators' personal accounts from
  continued threats (WashPo)

Sen. Ron Wyden (D-Ore.) is trying to expand the Senate Sergeant at Arms'
mandate to provide protection for senators' and staffers' personal accounts
and devices, as well as their official ones.

https://www.washingtonpost.com/powerpost/demo...
ators-personal-accou 
nts-from-continued-threats/2018/09/19/57ff1678-bc69-11e8-8792-78719177250f_stor
y.html

------------------------------

Date: Tue, 11 Sep 2018 21:41:17 -0400
From: Phil Smith III <phs3@akphs.com>
Subject: Electronic temporary registration

I got a loaner/rental from a car dealership today, and rather than printing
out a contract, they sent me a text message with a link to a bare-bones PDF
that, to be honest, I could have forged in about 15 seconds. But I suppose a
car thief wouldn't bother.

In any case, the risk is that I get pulled over and have no cell service (or
my phone has died because I left the charging cord in my car). What would I
do -- ask the cop to follow me until I got service??

A small risk, but seems like maybe they're trying too hard to be all 
high-tech.

Interesting: the host in the link was an amazonaws host.

------------------------------

Date: Tue, 18 Sep 2018 09:26:02 -0400
From: Monty Solomon <monty@roscom.com>
Subject: GM Recalls One Million Pickups and SUVs in U.S. for Crash Risk
  (WSJ)

Defect is latest example of problems generated by the growing use of
software to control a car's mechanical functions

https://www.wsj.com/articles/gm-recalls-one-m...
-crash-risk-15368457 25

------------------------------

Date: Thu, 13 Sep 2018 13:13:10 -0700
From: Richard Stein <rmstein@ieee.org>
Subject: How Can AI Help to Prepare for Floods in a Climate-Changed
  World? (Scientific American)

https://www.scientificamerican.com/article/fo...
-for-hurricanes-and- rising-seas/

Predicting greater flood potential can be applied to determine insurance
eligibility. Application may force families, communities, or businesses to
relocate as rates adjust to accommodate storm surge or inundation risks.

------------------------------

Date: Sun, 16 Sep 2018 20:37:35 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Major Japanese ramen chain's logo confuses Honda cars' AI

Master Blaster
https://soranews24.com/2018/09/17/major-japan...
da-cars-ai/

Motorist and Twitter user Yukiesu (@yuk381) posted a scene from his driver
seat in front of a Tenkaippin ramen store. In it, despite just sitting in
the parking lot, a warning on his dashboard is indicating that the car sees
a "Do Not Enter" sign.

------------------------------

Date: Sun, 16 Sep 2018 10:58:16 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Florence: At least 13 deaths reported as storm slogs across Carolinas
  (WashPo)

With road conditions changing rapidly, officials advised travelers to check
back frequently -- especially because satellite navigation systems were still
directing drivers to dangerous stretches of roadway.

https://www.washingtonpost.com/news/post-nati...
deaths-reported-as-s torm-swamps-carolinas/

------------------------------

Date: Wed, 12 Sep 2018 09:36:50 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: EU Preliminarily Passes Horrific Articles 11 & 13 -- Here's How to
  Fight Back!

Lauren's Blog
https://lauren.vortex.com/2018/09/12/eu-preli...
11-13-heres-how-to-f ight-back

By a vote of 438 to 226, the massively confused and lobbyists-owned EU
Parliament has preliminarily passed horrific Article 11 and Article 13, aimed
at turning ordinary users into the slaves of government-based Internet
censorship and abuse.

The war isn't over, however. These articles now enter a period of
negotiation with EU member states, and then are subject to final votes next
year, probably in the spring.

So now's the time for the rest of the world to show Europe some special
"tough love" -- to help them understand what their Internet island universe
will look like if these terrible articles are ever actually implemented.

Article 11 is an incredibly poorly defined "link tax" aimed at news
aggregators. If Article 11 is implemented, the reaction by most aggregators
who have jurisdictional exposure to the EU (e.g., EU-based points of
presence) will not be to pay the link taxes, but rather will be to
completely cease indexing those EU sites.

Between now and the final votes next year, news aggregation sites should
consider temporarily ceasing to index those EU sites for various periods of
time at various intervals, to give those sites a taste of what happens to
their traffic when such indexing stops, and what their future would look
like under Article 11.

Then we have Article 13's massive, doomed-to-disaster content filtering
scheme, which would be continually inundated with false matches and fake
claims (there are absolutely no penalties under Article 13 for submitting
bogus claims). While giant firms like Google and Facebook would have the
resources to implement Article 13's mandates, virtually nobody else
could. And even the incredibly expensive filtering systems built by these
largest firms have significant false positive error rates, frequently block
permitted content, and cost vast sums to maintain.

A likely response to Article 13 by many affected firms would be to geoblock
EU users from those companies' systems.  That process can begin now on a
"demonstration" basis. The IP address ranges for EU countries can be easily
determined in an automated manner, and servers programmed to present an
explanatory "Sorry about that, Chief -- You're in the EU!" message to EU
users instead of the usual services.  As with the Article 11 protest
procedure noted above, these Article 13 IP blocks would be implemented at
various intervals for various durations, between now and the final votes
next year.

The genuinely sad part about all this is that none of it should be
necessary. Article 11 and 13 mandates will never work as their proponents
hope, and if deployed will actually do massive damage not only to EU (and
other) users at large, but to the very constituencies that have lobbied for
passage of these articles!

And that's a lose-lose situation in any language.

  [Gene Wirchenko noted this item by David Meyer: "The EU's new Copyright
  Directive really is that bad": New rules will make it harder to share
  links and content. So can it be stopped?  13 Sep 2018
  
https://www.zdnet.com/article/the-eus-new-cop...
d/

------------------------------

Date: Fri, 14 Sep 2018 10:07:57 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Seeing Is Now Not Believing Anymore: Researchers Come Out With Yet
  Another Unnerving, New Deepfake Method (Gizmodo)

https://gizmodo.com/deepfake-videos-are-getti...

*Deepfakes*, ultra-realistic fake videos manipulated using machine learning,
are getting pretty convincing.

And researchers continue to develop new methods to create these types of
videos, for better or, more likely, for worse.  The most recent method comes
from researchers at Carnegie Mellon University, who have figured out a way
to automatically transfer the style of one person to another...

https://gizmodo.com/it-was-only-a-matter-of-t...
2463473
https://gizmodo.com/researchers-come-out-with...
977488

------------------------------

Date: Wed, 12 Sep 2018 10:14:19 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Google Knows Where You've Been, but Does It Know Who You Are? (NYT)

https://www.nytimes.com/2018/09/12/magazine/g...
tml

How looking at the location data that the company collects about you lets
you see yourself in a whole new way.

------------------------------

Date: Sat, 15 Sep 2018 15:41:42 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Uber Glitch Stops Payments To Drivers, Prices Surge (Slashdot)

NNSquad
https://tech.slashdot.org/story/18/09/15/2147...
drivers-prices-surge

  Now the San Diego Reader reports the issue "is forcing San Diego drivers
  off the road," with the shortage of drivers triggering surge pricing
  throughout the entire region as much as triple the usual rate. Surge
  pricing is also hitting riders in Dallas, according to another Uber
  driver's tweet, who complains "It's a shame that a $48 billion 'tech'
  company can't get it together."

   [Also noted by Gabe Goldberg.  PGN]

------------------------------

Date: Sun, 16 Sep 2018 10:30:42 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Bay Area city blocks 5G deployments over cancer concerns
  (TechCrunch)

The Bay Area may be the center of the global technology industry, but that
hasn't stopped one wealthy enclave from protecting itself from the future.

The city council of Mill Valley, a small town located just a few miles north
of San Francisco, voted unanimously late last week to effectively block
deployments of small-cell 5G wireless towers in the city's residential
areas.

Through an urgency ordinance, which allows the city council to immediately
enact regulations that affect the health and safety of the community, the
restrictions and prohibitions will be put into force immediately for all
future applications to site 5G telecommunications equipment in the
city. Applications for commercial districts are permitted under the passed
ordinance.  The ordinance was driven by community concerns over the health
effects of 5G wireless antennas. According to the city, it received 145
pieces of correspondence from citizens voicing opposition to the technology,
compared to just five letters in support of it -- a ratio of 29 to 1.  While
that may not sound like much, the city's population is roughly 14,000,
indicating that about 1% of the population had voiced an opinion on the
matter.

https://techcrunch.com/2018/09/10/bay-area-ci...
er-concerns/

------------------------------

Date: Sun, 16 Sep 2018 10:33:48 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Elon Musk said a Tesla could drive itself across the country by
  2018.  One just crashed backing out of a garage (LATimes)

When Mangesh Gururaj's wife left home to pick up their child from math
lessons one Sunday this month, she turned on her Tesla Model S and hit
"Summon," a self-parking feature that the electric automaker has promoted as
a central step toward driverless cars.

But as the $65,000 sedan reversed itself out of the garage, Gururaj said,
the car bashed into a wall, ripping off its front end with a loud crack. He
said the damaged Tesla looked like it would have kept driving if his wife
hadn't hit the brakes.

No one was hurt, but Gururaj was rattled: The car had failed disastrously,
during the simplest of maneuvers, using one of the most basic features from
the self-driving technology he and his family had trusted countless times at
higher speeds.

http://www.latimes.com/business/la-fi-hy-tesl...

------------------------------

Date: Sun, 16 Sep 2018 12:05:12 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Phishing attacks are targeting students' financial aid, officials say
  (WashPo)

The agency warned that attackers may be refining a scheme to redirect
federal student aid money to private bank accounts, preparing for times when
large volumes of aid are disseminated, and said the phishing attempt is a
serious threat.

https://www.washingtonpost.com/education/2018...
that-students-financ ial-aid-are-being-targeted-phishing-attacks/

------------------------------

Date: Fri, 14 Sep 2018 07:43:59 -0700
From: Richard Stein <rmstein@ieee.org>
Subject: Stealing From a Cashierless Store -- Without You, or the Cameras,
  Knowing It (New York Times)

https://www.nytimes.com/2018/09/13/technology...
-behavioral-data.htm l

"The goal is to predict, and prevent, shoplifting, because unlike Amazon's
Go stores, which have a subway turnstile-like gate for entry and exit,
Standard Market has an open door, and the path is clear."

This 24/7 shop got at least one thing right: there are no locks on the
doors!

------------------------------

Date: Fri, 14 Sep 2018 11:53:30 +0900
From: "Dave Farber" <farber@gmail.com>
Subject: New Research Can Identify Extremists Online, Even Before They Post
  Dangerous Content (ForensicMag)

https://www.forensicmag.com/news/2018/09/new-...
nline-even-they-post -dangerous-content

New research has found a way to identify extremists, such as those
associated with the terrorist group ISIS, by monitoring their social media
accounts, and can identify them even before they post threatening content.

The research, "Finding Extremists in Online Social Networks," which was
recently published in the INFORMS journal Operations Research, was conducted
by Tauhid Zaman of the Massachusetts Institute of Technology; Lieutenant
Colonel Christopher E. Marks, U.S. Army; and Jytte Klausen of Brandeis
University.

The number and size of online extremist groups using social networks to
harass users, recruit new members, and incite violence is rapidly
increasing. While social media platforms are working to combat this (in
2016, Twitter reported it had shut down 360,000 ISIS accounts) they
traditionally rely heavily on users' reports to identify these accounts.

In addition, once an account has been suspended, there is little that can be
done to prevent a user from opening up a new account, or multiple accounts.

"Social media has become a powerful platform for extremist groups, ranging
from ISIS to white nationalist "alt-right" groups," said Zaman. "These
groups use social networks to spread hateful propaganda and incite violence
and terror attacks, making them a threat to the general public."

Identifying extremists before they pose a threat online

The researchers collected Twitter data from approximately 5,000 "seed" users
who were either known ISIS members or who were connected to many known ISIS
members as friends or followers. They obtained their names through news
stories, blogs, and reports released by law enforcement agencies and think
tanks.

In addition to reviewing the content of 4.8 million tweets from these users'
timelines (including text, links, hash tags, and mentions), they also
tracked account suspensions, as well as any suspensions of their friends and
followers' accounts.

For the purpose of this study, the researchers focused on the account
networks forged by known ISIS and Al Qaeda sympathizers and known foreign
fighters and content that had been flagged by Twitter as terrorist in
nature.

Using statistical modeling of extremist behavior with optimized search
policies and actual ISIS user data, the researchers developed a method to
predict new extremist users, identify if more than one account belongs to
the same user, as well as predict network connections of suspended extremist
users who start a new account.

In addition, by tracking and comparing data on screen names, user name,
profile images and banner images, the researchers were also able to identify
70 percent of additional Twitter profiles held by extremist users, with only
a 2 percent incidence of misclassifying profiles.

"We created a new set of operational capabilities to deal with the threat
posed by online extremists in social networks," said Marks. "We are able to
predict who is an extremist before they post any content, and then able to
predict where they will re-enter the network after they are suspended. In
short, we can automatically figure out who is an extremist and keep them off
the social network."

While the study was conducted using data from accounts belonging to ISIS
extremists on Twitter, their methodology can be applied to any extremist
group and any social network.

"Users that engage in some form of online extremism or harassment will have
very similar behavioral characteristics in social networks," said
Klausen. "They will connect to a specific set of users which form their
extremist group. They will create new accounts which will resemble their old
accounts after being suspended, and when they return to the social network
following a suspension, there is a high probability they will reconnect with
certain former friends."

------------------------------

Date: Sat, 15 Sep 2018 11:31:49 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Weather Channel: Seeing Is Not Believing, Take 2 (GatewayPundit)

Whoops!  Weather Channel Caught in Fake News Scam -- Blown Reporter Did Not
Expect Kids in Shorts to Spoil Shot?

https://www.thegatewaypundit.com/2018/09/whoo...
news-scam-wind-blown 
-reporter-did-not-expect-kids-in-shorts-to-spoil-shot-video/

------------------------------

Date: Wed, 19 Sep 2018 18:53:33 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Bug in Bitcoin code also opens smaller cryptocurrencies to attacks
  (ZDNet)

Catalin Cimpanu for Zero Day | 19 Sep 2018
Simple denial of service bug can crash unpatched Bitcoin network nodes and
may also affect many Bitcoin-based cryptocurrency offshoots.  The Bitcoin
team fixed today a severe vulnerability in the software that underpins the
entire Bitcoin network.

https://www.zdnet.com/article/bug-in-bitcoin-...
encies-to-attacks/

------------------------------

From: Rob Slade <rmslade@shaw.ca>
Date: Wed, 19 Sep 2018 18:30:23 -0700
Subject: Quantum computing may *not* be better ...

I have been studying quantum computing, in terms of its implications for
security, for some time now.
itsecurity.co.uk/2016/09/security-implications-quantum-computing/
Sometimes the news is good.
https://community.isc2.org/t5/Industry-News/Q...
/m-p/11746#M1140
or
https://is.gd/tkLyQF
Oftentimes people get it wrong.
https://community.isc2.org/t5/Tech-Talk/Crypt...
-hole-suggestions/m- p/13293/highlight/true#M386
or
https://is.gd/70hYhU

But this news is extremely disturbing.
https://www.scientificamerican.com/article/re...
aks-quantum-mechanic s-mdash-and-stumps-physicists1/
or https://is.gd/Ylj3jM
If the implications of this thought experiment are
true, then quantum computers may be impossible.  (Or, if possible, then
subject to extremely weird sorts of race conditions that make Intel
architectures seem positively reliable ...)
https://community.isc2.org/t5/Industry-News/F...
as-we-know-it/m-p/13 822#M1456
or https://is.gd/sFO1MV

------------------------------

Date: Wed, 19 Sep 2018 15:22:47 -0700
From: Richard Stein <rmstein@ieee.org>
Subject: What cardiologists think about the Apple Watch's heart-tracking
  feature (WashPo)

https://www.washingtonpost.com/technology/201...
bout-apple-watchs-he art-tracking-feature

"But there is also concern that widespread use of electrocardiograms without
an equally broad education initiative could burden an already taxed
health-care system. Heart rhythms naturally vary, meaning that it's likely
that Apple Watch or any heart monitor could signal a problem when there
isn't one -- and send someone running to the doctor for no reason."

"The FDA has cleared Apple's device as a Class II medical device, meaning
that it is intended to diagnose or treat a medical condition and poses a
minimal risk to use. (Other Class II devices include some powered
wheelchairs and pregnancy kits, according to the FDA website.)  In its
letter to Apple clearing the feature, the FDA listed as a risk factor the
potential for mistakenly flagging a problem, prompting unneeded treatment."

Hypochondriacs take note: This watch is for you.

------------------------------

Date: Wed, 19 Sep 2018 19:03:29 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "This Windows file may be secretly hoarding your passwords and
  emails" (ZDnet)

Catalin Cimpanu for Zero Day | 19 Sep 2018

A little-known Windows feature will create a file that stores text extracted
from all the emails and plaintext-files found on your PC, which sometimes
may reveal passwords or private conversations.

If you're one of the people who own a stylus or touchscreen-capable Windows
PC, then there's a high chance there's a file on your computer that has
slowly collected sensitive data for the past months or even years.

This file is named WaitList.dat, and according to Digital Forensics and
Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on
touchscreen-capable Windows PCs where the user has enabled the handwriting
recognition feature [1, 2] that automatically translates stylus/touchscreen
scribbles into formatted text.

The handwriting to formatted text conversion feature has been added in
Windows 8, which means the WaitList.dat file has been around for years.

"In my testing, population of WaitList.dat commences after you begin using
handwriting gestures," Skeggs told ZDNet in an interview. "This 'flicks the
switch' (registry key) to turn the text harvester functionality (which
generates WaitList.dat) on."

"Once it is on, text from every document and email which is indexed by the
Windows Search Indexer service is stored in WaitList.dat.  Not just the
files interacted via the touchscreen writing feature," Skeggs says.

https://www.zdnet.com/article/this-windows-fi...
asswords-and-emails/

------------------------------

Date: Wed, 19 Sep 2018 12:20:30 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Bloat

Before I "upgraded" to Windows 10 (yeah, I seriously regret it ...) my
editor of choice was Word Perfect.  Version 4.2.  For those of you not old
enough to understand that, it was written in 1985.  I used it for 30 years.
It worked just fine.

It was, as far as I know, the last commercial program to be code optimized.

So I have great sympathies with this fellow who is disenchanted with our
current bloated software practices.  http://tonsky.me/blog/disenchantment/

Lest you think this is just another rant from an old IT curmudgeon, it does
have a security point.  Complexity is the enemy of security.  It's not just
that now, in order to run these bloated applications, we have to have
multi-core CPUs that are subject to race conditions
https://community.isc2.org/t5/Industry-News/T...
10827
or https://is.gd/Asvvhx or give away secret information.
https://community.isc2.org/t5/Industry-News/F...
as-we-know-it/m-p/13822
or https://is.gd/O2Jfrb It's having to have 150 megabyte programs just to
draw a keyboard on a screen.  (Yes, I know we get autocorrect thrown in.
Not everyone considers that a benefit.)  http://www.damnyouautocorrect.com/
When we used to have viruses that clocked in at hundreds of bytes (and, yes,
I know even malware has gotten bloated these days) how much damage can you
do with that much space to hide in?

It follows that their demolitions of the White House, Los Angeles, Sydney
Opera House, and so on were probably not intended as conquering tactics,
merely assertions of good taste - Verity Stob victoria.tc.ca/techrev/rms.htm

http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archive...
http://twitter.com/rslade

------------------------------

Date: Mon, 17 Sep 2018 20:02:36 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How to Keep Forever the Music, Movies or Ebooks You 'Buy'
  on Amazon or iTunes

More griping...
http://screencrush.com/you-dont-own-your-itun...
https://theoutline.com/post/6167/apple-can-de...
out-telling-you

And the real story:
https://www.cnet.com/news/no-apple-didnt-dele...
lly-happened/

Bottom line:

Though his tweets went viral
<https://twitter.com/drandersgs/status/1039270... he did chat with
Apple Support, the company didn't delete or actively "remove" the movies
that disappeared from Anders Gonçalves da Silva's iTunes library and his
devices. It seems to have been a more complicated mix-up, based on the fact
that da Silva moved his residence from one country to another.

------------------------------

Date: Wed, 19 Sep 2018 10:41:08 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Re: "Are Digital Devices Altering Our Brains? (RISKS-30.83)

Let me add to the mix.

In one of the courses on my Bachelor of Computing Science, we were required
to give a presentation.  Mine was entitled "The Worldwide Web / An
Invitation to Stupidity".  I found a lot of material.

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textf...
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks have done to URLs.  I have
  tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.84
************************

... I know a good tagline when I steal one.
--- GoldED+/LNX 1.1.5-b20170303
 * Origin: Outpost BBS * Limestone, TN, USA (618:618/1)