precedence: bulk
Subject: Risks Digest 29.18

RISKS-LIST: Risks-Forum Digest  Thursday 24 December 2015  Volume 29 : Issue 18

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.18.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Seasons' Greetings and best wishes for a less riskful new year]
Power failure and equipment damage causing continuing major
  shutdowns at U.S. Patent and Trademark Office (USPTO)
The Strangest, Most Spectacular Bridge Collapse -- and How We Got It
  Wrong (Motherboard)
Driverless Cars (Analog)
Driverless cars: too safe at any speed? (Keith Naughton)
How difficult it is to do crypto properly (Steve Bellovin)
Juniper backdoor (PGN)
Apple Pushes Against British Talk of Softening Encryption (NYTimes)
Meet the woman in charge of the FBI's most controversial high-tech
  tools (WashPost)
MIT's Vuvuzela Messaging System Uses 'Noise' to Ensure Privacy
  (Tim Greene)
Believe it -- or don't: InterApp: The Gadget That Can Spy on Any
  Smartphone (Softpedia)
Vulnerability in popular bootloader puts locked-down Linux
  computers at risk (Lucian Constantin)
The Mystery of India's Deadly Exam Scam (TheGuardian via Ashish Gehani)
Cisco shocker: Some network switches may ELECTROCUTE you
  (The Register)
European Space Agency records leaked (Clive Page)
Database leak exposes 3.3-million Hello Kitty fans (CSO)
Idiot naughty word filter strikes again (Gabe Goldberg)
New cybercrime thread, forging deeds using online records
  (nasdaq item via Robert Schaefer)
Super-literate software reads and comprehends better than humans
  (New Scientist)
Hotmail and how not to block spam  (Turgut Kalfaoglu)
President of China calls for the world to cooperate with China
  to censor the entire Internet (USNews)
Wish list app from Target springs a major personal data leak
  (Ars Technica)
Comcast Users Beware (Malwarebytes & Help Net)
US Politics: redirecting URLs (Politico)
Re: British government admits selling Internet addresses to Saudi Arabia
  (Amos Shapir)
Re: The Moral Failure of Computer Scientists (Karl Auerbach)
Re: Philips Locks Purchasers ... (Chris Drewe)
Re: Lie-detecting Software uses Machine Learning to Achieve 75% ...
  (Stephen Doig)
Re: Lie-detecting Software uses Machine Learning to Achieve
  75 Percent Accuracy (Gene Wirchenko)
Re: A looming anniversary, and an offer (David Gillett)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 23 Dec 2015 14:28:35 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Power failure and equipment damage causing continuing major
  shutdowns at U.S. Patent and Trademark Office

http://www.uspto.gov/blog/ebiz/

  A major power outage at USPTO headquarters occurred last night resulting
  in damaged equipment that required the subsequent shutdown of many of our
  online and IT systems. This includes our filing, searching, and payment
  systems, as well as the systems our examiners across the country use. We
  are working diligently to assess the operational impact on all our systems
  and to determine how soon they can be safely brought back into service in
  the coming days. We understand how critical these systems are for our
  customers, and our teams will continue to work around the clock to restore
  them as quickly as possible, though the impacts may be felt through the
  Christmas holiday. We know many people have questions regarding filing and
  payment deadlines. We are reviewing this topic and will provide an update
  when we have further information.

------------------------------

Date: Tue, 15 Dec 2015 16:11:20 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: The Strangest, Most Spectacular Bridge Collapse -- and How We Got It
  Wrong

http://motherboard.vice.com/read/the-myth-of-galloping-gertie

  For physics teachers, the footage of Gertie has proved irresistible as a
  lesson in wave motion--and, specifically, a textbook example of the power
  of forced resonance. The image of the undulating bridge left its mark on
  scores of students (including me) as a demonstration of what one canonical
  version of the film calls `resonance vibrations'.  Since then, scores of
  books and articles, from Encyclopedia Britannica to a Harvard course
  website, have reported that the Tacoma Narrows was destroyed by resonance.
  But it turns out it wasn't.

A long and fascinating article about a bridge collapse, and the filmed
footage that we've all likely seen many times in our lives.

  [This illustrated article is a fabulous item for RISKS.  It is beautifully
  put together, and clearly illustrated.  The `flutter' explanation seems to
  win out quite clearly, even after so many years of belief in `resonance'.
  But the explanation is quite elaborate and multifaceted.  PGN]

------------------------------

Date: Tue, 15 Dec 2015 22:04:08 -0600
From: Alister Wm Macintyre <macwheel99@wowway.com>
Subject: Driverless Cars (Analog)

The Jan/Feb 2016 (double) issue of Analog Science Fiction and Fact magazine
has an article on challenges of implementing driverless cars.

Check out `Home James' article starting page 88.  For info about Analog, if
it is not sold at your local news stand: www.analogsf.com

Robot cars, of today, know the rules of the road, but not the psychology of
other participants on the highways.  One approach being taken is to try to
mimic behavior of the most expert drivers, such as those who drive 150 mph
in major auto races.  This reminds me of the early days of computers playing
Chess, which did not get really good, until programmers consulted Chess
Masters, in other words international champions, so then the computers
playing chess became as good as those guys.

If bugs are found, the software can be patched overnight.  If it were only
that simple for Volkswagen anti-pollution and anti-theft.

Stanford is experimenting with a driverless shuttle bus, traveling around
campus @ 12 mph.  If the OS does not know what to do, it stops.

Have you ever watched bicycle races on sports channels?  Those riders seem
dangerously close to each other, that way to save energy.

Driverless trucks can do the same thing, if linked electronically, so if
anything bad happens with the one in front, they all slow down in unison,
especially if the one with the best brakes is in the rear.  This saves them
significant fuel.

Human reaction times can't handle that, and following less than a car length
behind at 65 mph is illegal.

Not addressed are the human self-confident drivers who might see that &
think ``If they can do that, so can I,'' not knowing `they' are computers.

------------------------------

Date: Fri, 18 Dec 2015 07:18:52 -0800
From: spl@tirebiter.org (Steve Lamont)
Subject: Driverless cars: too safe at any speed?

  Keith Naughton, 18 Dec 2015  [Not new to RISKS, but more.  PGN]
  Accident rates are twice as high for driverless cars as for regular
  cars, but the driverless cars have never been at fault.
https://www.autonews.com/article/20151218/OEM11/151219874/humans-are-slamming-into-driverless-cars-and-exposing-a-key-flaw

  DETROIT (Bloomberg) -- The self-driving car, that cutting-edge creation
  that's supposed to lead to a world without accidents, is achieving the
  exact opposite right now: The vehicles have racked up a crash rate double
  that of those with human drivers.

  The glitch?

  They obey the law all the time, as in, without exception. This may sound
  like the right way to program a robot to drive a car, but good luck trying
  to merge onto a chaotic, jam-packed highway with traffic flying along well
  above the speed limit. It tends not to work out well.

  As the accidents have piled up -- all minor scrape-ups for now -- the
  arguments among programmers at places like Google Inc. and Carnegie Mellon
  University are heating up: Should they teach the cars how to commit
  infractions from time to time to stay out of trouble? [...]

------------------------------

Date: Tue, 22 Dec 2015 9:39:16 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: How difficult it is to do crypto properly (Steve Bellovin)

https://www.cs.columbia.edu/~smb/blog/2015-12/2015-12-22.html is an
attempt to demonstrate to policy types just how hard crypto is.
         --Steve Bellovin, https://www.cs.columbia.edu/~smb

------------------------------

Date: Sun, 20 Dec 2015 9:50:13 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Juniper backdoor

This is an amazingly intricate situation that is still unfolding.  Here are
a few relevant URLs, more or less in REVERSE chronological order.

https://www.imperialviolet.org/2015/12/19/juniper.html

http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/

http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

https://news.ycombinator.com/item?id=10764274

------------------------------

Date: Mon, 21 Dec 2015 18:28:19 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Apple Pushes Against British Talk of Softening Encryption

http://www.nytimes.com/2015/12/22/world/europe/apple-pushes-against-british-talk-of-softening-encryption.html?partner=rss&emc=rss

  "The best minds in the world cannot rewrite the laws of mathematics," the
  company told the British Parliament, submitting formal comments on a
  proposed law that would require the company to supply a way to break into
  the iChat and FaceTime conversations of iPhone users.

------------------------------

Date: Wed, 16 Dec 2015 15:53:36 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Meet the woman in charge of the FBI's most controversial high-tech
  tools (WashPost)

https://www.washingtonpost.com/world/national-security/meet-the-woman-in-charge-of-the-fbis-most-contentious-high-tech-tools/2015/12/08/15adb35e-9860-11e5-8917-653b65c809eb_story.html

The advent of strong encryption, however, is presenting Hess with a huge,
perhaps insurmountable, challenge. In the past few years, tech firms and app
developers have increasingly built platforms that employ a form of
encryption that only the user, not the company, can unlock.

The bureau's encryption dilemma is exacerbated by a chill that settled over
the relationship between the FBI and Silicon Valley in the wake of leaks in
2013 about government surveillance by former National Security Agency
contractor Edward Snowden.

Firms that feared being tagged as tools of a privacy-invading government
became less willing to assist in surveillance ``because it was perceived as
not a good business model to be seen as cooperating with the government,''
Hess said.

It used to be, she said, that companies meeting a legal requirement to
provide `technical assistance' generally would try to comply with wiretap
orders.  ``Now all of a sudden we get hung up on the question of what,
exactly, does that mean I have to provide to you?'' she said.

In recent months, the FBI's conversations with companies have become more
productive, she said, ``but it's not to the level we were pre-Snowden.''  ...

More than any other FBI executive, Hess must navigate the tension between
privacy and security.

While she might be seen as a kind of female Q, head of the fictional spy
agency Skunkworks in the James Bond movies, Christopher Soghoian, principal
technologist at the American Civil Liberties Union, sees her as ``the queen
of domestic surveillance''.

Said Soghoian: ``All of the most interesting and troubling stuff that the
FBI does happens under Amy Hess.''  Whether it's turning on the taps to
collect data from tech companies to pass to the NSA (under court order), or
covertly entering people's houses to install bugs (with a warrant), he said,
``if it's high-tech and creepy, it's happening in the Operational Technology
Division.''

... Privacy advocates also worry that to carry out its hacks, the FBI is
using `zero-day' exploits that take advantage of software flaws that have
not been disclosed to the software maker. That practice makes consumers who
use the software vulnerable, they argue.

Hess acknowledged that the bureau uses zero-days -- the first time an
official has done so. She said the trade-off is one the bureau wrestles
with.  ``What is the greater good -- to be able to identify a person who is
threatening public safety?''  Or to alert software makers to bugs that, if
unpatched, could leave consumers vulnerable?  ``How do we balance that?
That is a constant challenge for us.''

She added that hacking computers is not a favored FBI technique. ``It's
frail.''  As soon as a tech firm updates its software, the tool vanishes.
``It clearly is not reliable'' in the way a traditional wiretap is, she
said.

   [What could go wrong?]

------------------------------

Date: Fri, 18 Dec 2015 12:13:23 -0500 (EST)
From: "ACM TechNews" <technews@hq.acm.org>
Subject: MIT's Vuvuzela Messaging System Uses 'Noise' to Ensure Privacy

Tim Greene, Network World, 17 Dec 2015   (via ACM TechNews, 18 Dec 2015)

Massachusetts Institute of Technology (MIT) researchers' experimental
Vuvuzela messaging system offers more privacy than The Onion Router (Tor) by
rendering text messages sent through it untraceable.  MIT Ph.D. student
David Lazar says Vuvuzela resists traffic analysis attacks, while Tor
cannot.  The researchers say the system functions no matter how many parties
are using it to communicate, and it employs encryption and a set of servers
to conceal whether or not parties are participating in text-based dialogues.
"Vuvuzela prevents an adversary from learning which pairs of users are
communicating, as long as just one out of [the] servers is not compromised,
even for users who continue to use Vuvuzela for years," they note.  Vuvuzela
can support millions of users hosted on commodity servers deployed by a
single group of users.  Instead of anonymizing users, Vuvuzela prevents
outside observers from differentiating between people sending messages,
receiving messages, or neither, according to Lazar.  The system imposes
noise on the client-server traffic which cannot be distinguished from actual
messages, and all communications are triple-wrapped in encryption by three
servers.  "Vuvuzela guarantees privacy as long as one of the servers is
uncompromised, so using more servers increases security at the cost of
increased message latency," Lazar notes.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e70bx2d991x066779&

------------------------------

Date: December 20, 2015 at 4:31:57 PM EST
From: Lauren Weinstein <lauren@vortex.com>
Subject: Believe it -- or don't: InterApp: The Gadget That Can Spy on Any
  Smartphone

http://news.softpedia.com/news/interapp-the-gadget-that-can-spy-on-any-smartphone-497864.shtml

  Tel Aviv-based Rayzone Group is selling a nifty little gadget called
  InterApp that [they claim - Lauren] can leverage outdated mobile devices
  and intercept and extract information from nearby smartphones.

------------------------------

Date: Wed, 16 Dec 2015 13:16:52 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: Vulnerability in popular bootloader puts locked-down Linux
  computers at risk (Lucian Constantin)

Lucian Constantin, InfoWorld, 16 Dec 2015
The flaw can allow attackers to modify password-protected boot
entries and deploy malware
http://www.infoworld.com/article/3016098/security/vulnerability-in-popular-bootloader-puts-locked-down-linux-computers-at-risk.html

opening text:

Pressing the backspace key 28 times can bypass the Grub2 bootloader's
password protection and allow a hacker to install malware on a locked-down
Linux system.

  [These are presumably breaking backspaces.  GW]
     [Definitely backbreaking.  The breakback is mountin'.  PGN]

------------------------------

Date: Sat, 19 Dec 2015 11:09:03 -0800
From: Ashish Gehani <gehani@csl.sri.com>
Subject: The Mystery of India's Deadly Exam Scam

This is a disturbing article, a portion of which is of particular relevance
to RISKS:

``Mohindra hooked all of Vyapam's computers to a common office network and
retained all administrator privileges,'' said Tarun Pithode, an energetic
young civil servant who was appointed Vyapam's new director to set things
straight after the scam broke. After the multiple-choice exam sheets were
scanned, Mohindra could access the computer that stored the results, and
alter the answers as he wished.

Once the results had been altered on the computer, Mohindra would approach
the exam observers and ask for the original answer sheet, claiming that the
student had requested a copy under India's Right to Information Act. He
would then sit in Trivedi's office and fill out the originals so that they
tallied with the altered version saved on the computer. [...]

In our review, we found almost every system had been subverted, Pithode
said.  For example, every question paper set has an `answer key' that is put
into a self-sealing envelope before the exam and opened only at the time of
tabulating results.  Trivedi would seal the envelope in the presence of
observers, but later would simply tear open the envelope, make copies of the
key, and put the original document into a new envelope. [...]

And while the investigation drags on, it has been further muddied by an
elaborate and increasingly impenetrable series of allegations and
counter-allegations between the ruling BJP and the opposition Congress over
the veracity of the evidence seized from Mohindra's computer.

http://www.theguardian.com/world/2015/dec/17/the-mystery-of-indias-deadly-exam-scam

------------------------------

Date: Wed, 16 Dec 2015 09:36:59 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Cisco shocker: Some network switches may ELECTROCUTE you

*The Register*, 22 Sep 2015

Oh dear: Cisco is warning that screws in a couple of its compact Catalyst
switches may be poking into wires carrying live voltages.

In this field note, the Borg says the problem occurs when WS-C3560CX or
WS-C2960CX switches are installed without a mounting tray -- for example,
screwed to a desk, shelf, or wall.

Screws not installed to the correct depth, ``coupled with appreciable force
in order to mount the switch, might cause the insulator to be punctured,
which exposes a voltage circuit,'' the note states.

http://www.theregister.co.uk/2015/09/22/cisco_switch_screw_problem/

------------------------------

Date: Wed, 16 Dec 2015 11:25:28 +0000
From: Clive Page <cgp@leicester.ac.uk>
Subject: European Space Agency records leaked

A colleague alerted me to this a few days ago and I had an anxious few
moments before finding that my own email address was not among those leaked.
I was worried because I have been an ESA consultant in the past and am still
involved in some ESA projects.  My experience is that ESA take network
security very seriously where they need to.  For example in order to provide
them with a new version of my software I have to log in to an FTP server
with not just a simple password but with a rather long pass-phrase.

The emails and passwords exposed here are, I think, from people who needed
to post a message on a bulletin board, wiki, or similar.  Such systems very
often force you open an account before you can post, but my guess is that
most people don't take this very seriously, hence the prevalence of very
short and simple passwords like `esa'.  With luck, few users will have used
the same password on anything that matters, so this may not be a very
serious leak, although unfortunate all the same.

The lesson, if there is one, is that operators of bulletin boards etc.
ought to think carefully before forcing their users to choose a password, as
they will choose a simple one if they can, or will be annoyed if they are
forced to choose a strong password for some trivial purpose.  Forcing them
to use a real email address rather than a made up identifier is also
unfortunate, as no doubt some of the addresses exposed here will get more
spam as a result of this leak.

------------------------------

Date: Sun, 20 Dec 2015 17:47:49 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Database leak exposes 3.3-million Hello Kitty fans

http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html

  A database for sanriotown.com, the official online community for Hello
  Kitty and other Sanrio characters, has been discovered online by
  researcher Chris Vickery. The database houses 3.3 million accounts and has
  ties to a number of other Hello Kitty portals.  Vickery contacted Salted
  Hash and Databreaches.net about the leaked data Saturday evening.  The
  records exposed include first and last names, birthday (encoded, but
  easily reversible Vickery said), gender, country of origin, email
  addresses, unsalted SHA-1 password hashes, password hint questions, their
  corresponding answers, and other data points that appear to be website
  related.

Will "My Little Pony" be next?

------------------------------

Date: Thu, 17 Dec 2015 16:16:04 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Idiot naughty word filter strikes again

"Macy's Makes It Difficult For Someone To Give Them Money Because His Last
Name Is Slutsky"

http://consumerist.com/2015/12/11/macys-makes-it-really-difficult-for-me-to-give-them-my-money-because-my-last-name-is-slutsky/

------------------------------

Date: Wed, 16 Dec 2015 11:30:11 -0500
From: Robert Schaefer <rps@haystack.mit.edu>
Subject: New cybercrime thread, forging deeds using online records

http://www.nasdaq.com/article/latest-cyberthreat-stealing-your-house-20151208-01179

``The clues were there for months, but property investor Sybil Patrick didn't
put them together. The locks to a vacant Harlem brownstone she owns were
changed...The case was one of about 30 related incidents in Manhattan in
which a group of people allegedly forged or attempted to forge new deeds
using easily available online records, to sell the homes and collect the
proceeds...''

  [*The New York Times* had articles on this happening particularly in
  Brooklyn a week or so ago.  Definitely not *new*, even then.  PGN]

------------------------------

Date: Wed, 16 Dec 2015 09:31:14 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Super-literate software reads and comprehends better than humans
  (New Scientist)

In a lab next to the river on New York's Upper West Side a computer will
soon start reading. It is part of a cadre of computers that are learning to
read more like humans, helping us digest and understand society's huge
volumes of text on a large scale.

Called the Declassification Engine, it will comb through 4.5 million US
State Department cables from the 1930s to the 1980s -- everything the
department has declassified so far. It's more than any human could read, but
the software will analyze the lot, mapping social connections and looking
for new narratives about the behavior of US diplomats and officials abroad
in the 20th century, says Owen Rambow, a computer scientist at Columbia
University, which runs the Declassification Engine.

https://www.newscientist.com/article/mg22830512-600-super-literate-software-reads-and-comprehends-better-than-humans/

------------------------------

Date: Thu, 17 Dec 2015 10:23:42 +0200
From: "turgut_kalfaoglu" <turgut@kalfaoglu.com>
Subject: Hotmail and how not to block spam

Hotmail, and its aliases like Live.com, Outlook.com, etc, have devised a
special way to prevent spam.  If a user decides they no longer want a
particular newsletter, they can click the "unwanted mail" button, and flag
it as spam.  This cascades into events that lead to the blocking of multiple
IP addresses belonging to the company that's sending the particular
newsletter. Apparently it makes no difference that the customer subscribed
to the newsletter him or herself in the first place.  Therefore, if you wish
to take down a competitor, simply sign up to a newsletter mailing that they
offer using your hotmail address, and then flag it as spam when it arrives.
Then watch them squirm for weeks trying to get their IP addresses unblocked.
It makes no difference if the sender score of the company is very high, nor
that their DNS entries are correct.

I think all users should refrain from using hotmail services for
mission-critical applications.

------------------------------

Date: Tue, 15 Dec 2015 23:50:27 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: President of China calls for the world to cooperate with China
  to censor the entire Internet

China's Xi calls for cooperation on Internet regulation; activists warn
of threat to speech
http://www.usnews.com/news/business/articles/2015-12-16/chinas-xi-calls-for-cooperation-on-internet-regulation

  Chinese President Xi Jinping called Wednesday for governments to cooperate
  in regulating Internet use, stepping up efforts to promote controls that
  activists complain stifle free expression.  Xi's government operates
  extensive Internet monitoring and censorship and has tightened controls
  since he came to power in 2013.

------------------------------

Date: Tue, 15 Dec 2015 15:57:10 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Wish list app from Target springs a major personal data leak

http://arstechnica.com/security/2015/12/wish-list-app-from-target-springs-a-major-personal-data-leak/

  To our surprise, we discovered that the Target app's Application Program
  Interface (API) is easily accessible over the Internet.  An API is a set
  of conditions where if you ask a question it sends the answer. Also, the
  Target API does not require any authentication. The only thing you need in
  order to parse all of the data automatically is to figure out how the user
  ID is generated. Once you have that figured out, all the data is served to
  you on a silver platter in a JSON file.

------------------------------

Date: Wed, 16 Dec 2015 03:22:17 -0600
From: Alister Wm Macintyre <macwheel99@wowway.com>
Subject: Comcast Users Beware (Malwarebytes & Help Net)

If you need to get tech support from your ISP, check their literature, such
as monthly billing, to get the correct phone #, or url, because if some site
supplies that to you, just maybe you are going to a scammer instead of your
ISP.  Try not to have all your security in one vendor basket.  Ask yourself
what will be your situation if the place to supply your security, is itself
compromised.  Will you also be sucked in, or do you have layered security,
using more than one vendor, to reduce probability of all your security being
compromised at the same time?

Comcast is currently the largest home ISP in USA.

Comcast uses Xfinity search.

Some Xfinity search pages get a Google AdWords advertisement for a review
site called SatTvPro.

When people click on the ad, they get to the review site, running an
outdated version of Joomla CMS, and silently loading a series of redirects,
to try to deliver a ransomware malware to the user's computer.

Then it redirects the users to a phishing site which looks just like Comcast
Xfinity portal, displaying a warning that Comcast security has detected that
they may have malware, and supplies a 1-800 # to get Comcast tech support to
fix their PC.  The 1-800 # is really to the scammers., who want money from
the victim, to get their computer clean again.

There is speculation how the crooks got all their pieces, such as the
possibility that SatTvPro was compromised by the recently discovered and
patched flaw (CVE-2015-8562) present in Joomla versions 1.5.0 through 3.4.5,
and is so severe that even though some older versions of the software have
reached end of life and are no longer being developed or supported by the
Joomla project, a patch has been provided for them.
<https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions>

http://www.net-security.org/malware_news.php?id=3179
http://www.net-security.org/secworld.php?id=19233

------------------------------

Date: Tue, 15 Dec 2015 22:57:57 -0600
From: Alister Wm Macintyre <macwheel99@wowway.com>
Subject: US Politics: redirecting URLs (Politico)

In a sign of our modern times, users who visit JebBush.com
are redirected to DonaldJTrump.com, the official campaign site for the
billionaire business mogul, through it's not clear who created the redirect.
JebBush.com is unaffiliated with Bush's campaign ...

I suspect this is aimed at people who use a search engine to find info about
candidates, not knowing their official sites.

http://www.politico.com/story/2015/12/jeb-bush-website-donald-trump-redirect-216501

------------------------------

Date: Wed, 23 Dec 2015 18:33:30 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: British government admits selling Internet addresses to Saudi
  Arabia (RISKS-29.17)

I truly hope that IT managers in these departments were informed of the
sale, and had updated their firewalls!!

------------------------------

Date: December 14, 2015 at 7:00:30 PM EST
From: Karl Auerbach <karl@cavebear.com>
Subject: Re: The Moral Failure of Computer Scientists

In this discussion of ethics and morality I think that the following adds a
twist:

http://www.mercurynews.com/news/ci_29245938/university-of-california-pressured-to-count-computer-science-toward-high-school-math-requirement

Apparently the University of California is being pushed to count high school
computer science courses taken by applying students as if those were
mathematics or science courses.

This disturbs me for several reasons.

First is that I have only on occasion found computer science to be a substitute for the kind of intellectual disciple any of the hard sciences.

Second is that what is being called `computer science' at the high school
level is typically simple programming.  There is no doubt that it would be
useful if everyone coming out of high school had at least a thin knowledge
of what programming is.

However, writing code is an aspect of a much larger social issue: As a
society we in the US and much of the rest of the world are not particularly
skilled at solving problems.

I would rather see coding/programming cast as one tool among several tools
that can be used to solve problems.

When cast in that light, i.e., that programming is a tool, then I would
argue that our university educational focus should not be on the tool - that
merely turns universities into trade schools - but rather on the broader
context in which such tools may be applied.

In other words, I am disturbed by those who advocate ever increasing our
educational focus on mechanical trade skills than on teaching students the
social, legal, cultural, and scientific understandings that they are going
to need when they are called upon to be good engineers, good citizens, and
good people.

------------------------------

Date: Wed, 16 Dec 2015 21:55:00 +0000
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: Re: Philips Locks Purchasers ... (RISKS-29.17)

When I was a kid, people looked forward to life in the 21st century with
such delights as a manned colony on the Moon, land transport by
nuclear-powered hovercraft, etc.; I don't recall anybody forecasting
software-controlled light bulbs with security features...  :o)

  [or even light bulbs with features without security ... PGN]

------------------------------

Date: Wed, 16 Dec 2015 01:27:39 +0000
From: Stephen Doig <steve.doig@asu.edu>
Subject: Re: Lie-detecting Software uses Machine Learning to Achieve 75% ...

http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy