Subject: Risks Digest 29.66

RISKS-LIST: Risks-Forum Digest  Friday 5 August 2016  Volume 29 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/29.66.html>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
"Commercial drones: Four looming legal concerns" (Mary Shacklett)
"Robot control: There's an app for that" (Bob Violino)
"NTSB: Tesla in fatal crash was speeding with Autopilot on" (Lucas Mearian)
"Hackers hijack Jeeps once more, your brakes belong to them" (Charlie Osborne)
Driverless buses in Denmark (CPHPost via Donald B. Wagner)
The Russians and the DNC (PGN)
NSA Fans: Be careful what you wish for (Henry Baker)
FBI took months to warn Democrats of suspected Russian role in hack (Reuters)
Australian 2016 census to retain identifying information (William Brodie-Tyrrell)
Interpol arrests Nigerian email scammer who swindled $60M (Michael Kan)
Hack Brief: Hackers Breach the Ultra-Secure Messaging App Telegram in Iran (WiReD)
User Interfaces *designed* to trick you (Ars Technica)
"Bitfinex bitcoin exchange offline after potentially costly security breach" (Asha McLean)
Social Security Administration cutting off users who can't receive text messages (Lauren Weinstein)
Comments on SSA requiring text messaging to access online accounts (LW)
SSA launches text message authentication system that doesn't work with Verizon Wireless (LW)
Your device's battery status can be used to track you online (TheNextWeb)
Frequent password changes are the enemy of security, FTC technologist says (Ars Technica)
MS faces two new lawsuits over aggressive Windows 10 upgrade tactics (Ian Paul)
"Windows 10 upgrade: Don't use Express settings if you value your privacy" (Jared Newman)
"More forced advertising creeps into Windows 10 Pro" (Woody Leonhard)
"Microsoft won't fix Windows flaw that lets hackers steal your username and password" (Zack Whittaker)
Re: Self-driving cars, accepting the moral dilemma (Martyn Thomas)
Re: Detecting When a Smartphone Has Been Compromised (Steven Schear)
Re: Pets miss meals after auto-feeding app PetNet glitches (Richard Bos)
Re: Mozilla off-by-one error on the Web anniversary! (Larry Werring)
Re: Billion dollar shave club risk (Craig Burton)
Re: Study: 78% of Resold Drives Still Contain Readable Personal or Business Data (Dan Jacobson)
How many geeks does it take to change a lightbulb? (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 29 Jul 2016 11:10:00 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Commercial drones: Four looming legal concerns" (Mary Shacklett)

Mary Shacklett, Tech Pro Research, 29 Jul 2016

Licensing of commercial drones has been limited so far, but it won't be long before usage starts expanding. In the meantime, CXOs need to assess and plan for possible legal ramifications.

http://www.techproresearch.com/article/commercial-drones-four-looming-legal-concerns/

------------------------------

Date: Fri, 29 Jul 2016 11:29:14 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Robot control: There's an app for that" (Bob Violino)

Bob Violino, ZDNet, 29 Jul 2016

Efforts are underway to build robotics smartphone applications.

http://www.zdnet.com/article/robot-control-theres-an-app-for-that/

selected text:

"Many robots have analog controls on them, which are hard to use and not very customizable, and you must touch the robot to change anything," Moorhead said. "Smartphone control enables control [of robots] away from the home, and the ability for the manufacturer to more easily provide variables [to] enhance the experience for the buyer."
The downsides are security issues and the need for the phone. "You don't want someone hacking in for fun and have your Roomba turn on at 3 am every morning to wake you up," Moorhead said. "Also, as more vendors move controls off the robots and onto the smartphone, if you lose it you lost the ability to control the robot."

[And if you do not have a smart phone at all, you will not be able to use the item. I have run into this risk in another area. Despite being a loyal 7-11 customer, I cannot get a free Slurpee every so often, because I do not have a smart phone. How companies are cutting off business with this forced linkage?]

------------------------------

Date: Thu, 28 Jul 2016 11:01:53 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "NTSB: Tesla in fatal crash was speeding with Autopilot on" (Lucas Mearian)

Lucas Mearian, Computerworld, 26 Jul 2016

The Tesla's Autosteer lane-keeping assistance and traffic-aware cruise control system was engaged.

http://www.computerworld.com/article/3100650/car-tech/ntsb-tesla-in-fatal-crash-was-speeding-with-autopilot-on.html

selected text:

The National Transportation Safety Board (NTSB) today released a preliminary report that details the circumstances of the fatal accident involving a Tesla Model S driving with its Autopilot engaged.

The 18-wheeler semi truck ... sustained minor damage.

[Look at the picture. The damage looks very minor.]

------------------------------

Date: Tue, 02 Aug 2016 16:50:55 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Hackers hijack Jeeps once more, your brakes belong to them" (Charlie Osborne)

Researchers have once again proved they can take over your vehicle -- but this time, they can kill your brakes. [Updated]

Charlie Osborne for Zero Day, ZDNet, 2 Aug 2016

http://www.zdnet.com/article/hackers-hijack-jeeps-once-more-your-brakes-belong-to-them/

selected text:

...
Miller's tampering resulted in the brakes being yanked out of the driver's control -- and the attack at 25mph was almost enough to fully tip over the Jeep.

------------------------------

Date: Fri, 29 Jul 2016 11:16:23 +0200
From: "Donald B. Wagner" <zapkatakonk1943.6.22@gmail.com>
Subject: Driverless buses in Denmark

http://cphpost.dk/news/municipality-in-northern-jutland-to-start-using-self-driving-buses.html

The Danish municipality of Vesthimmerland in northern Jutland is planning to introduce autonomous, electric shuttle buses for public transport. Local politicians hope the initiative will help save both time and money. "We are a large municipality with long transportation times and our calculations show that we have 30 to 40 full-time employees who are driving nonstop," Knud Kristensen, the mayor of Vesthimmerland, told the newspaper Information.

http://cphpost.dk/news/driverless-electric-bus-to-be-tested-in-aalborg.html

An electric, self-driving shuttle bus is being considered for a public transport route in the north Jutland city of Aalborg. If everything goes to plan in testing, the completely autonomous bus could transport passengers on a 1.6 km-long route by 2018. The Arma bus was designed by French company Navya, which introduced the innovative unmanned vehicle in October 2015.

Don Wagner
http://donwagner.dk

------------------------------

Date: Sun, 31 Jul 2016 16:35:22 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: The Russians and the DNC

The FBI is investigating another apparent hack on Democratic Party support organizations, this time the DCCC (Democratic Congressional Campaign Committee), which is distinct from the DNC (Democratic National Committee) whose email hack is also under separate investigation. Once again there is suspicion that this was a Russian attack.

At the event in Aspen on Saturday afternoon, Mr. Obama's homeland security adviser Lisa O. Monaco sidestepped specific discussion of the DNC hacking, but acknowledged that the administration might soon have to consider whether the United States' electoral system constitutes critical infrastructure, like the power grid or the cellphone network.

http://www.reuters.com/article/us-usa-cyber-democrats-idUSKCN1091Q4?feedType=RSS&feedName=topNews&utm_source=twitter&utm_medium=Social

See also:
http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0729/Opinion-How-to-make-democracy-harder-to-hack

------------------------------

Date: Tue, 2 Aug 2016 21:43:46 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: FBI took months to warn Democrats of suspected Russian role in hack

http://www.reuters.com/article/us-usa-cyber-democrats-reconstruct-idUSKCN10E09H?feedType=RSS&feedName=technologyNews

One of the anonymous sources who spoke to Reuters claims that "the lack of full disclosure by the FBI prevented DNC staffers from taking steps that could have reduced the number of confidential emails and documents stolen." Last fall, the FBI warned DNC employees to keep an eye out for "unusual activity on the group's computer network," without letting on the potential seriousness of the hack. The DNC didn't find any suspicious activity, but when staffers asked the FBI for more information about the attack on its system, the agency declined.

------------------------------

Date: Thu, 28 Jul 2016 12:04:38 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: NSA Fans: Be careful what you wish for

What's good for the goose is also good for the gander. Either way, our privacy is cooked.

http://www.theatlantic.com/politics/archive/2016/07/hacks-and-cyberattacks-in-an-age-of-mass-surveillance/493364/

Trump Shows the Flaws of NSA Surveillance
His call for Russian hackers to break into Hillary Clinton's email validates the worst suspicions of security-state critics.
Conor Friedersdorf, 8:10 AM ET, Politics

PHILADELPHIA--On Wednesday, Leon Panetta, the former director of the CIA, declared on stage at the DNC that the Republican Party's nominee is unfit for office. He was responding in part to news that Donald Trump "hoped Russian intelligence services had successfully hacked Hillary Clinton's email, and encouraged them to publish whatever they may have stolen, essentially urging a foreign adversary to conduct cyber-espionage against a former secretary of state."

For Panetta, that was unforgivable. "Donald Trump today once again took Russia's side," he said. "He asked the Russians to interfere in American politics. It is inconceivable to me that any presidential candidate would be that irresponsible. I say this out of a firm concern for the future of my children and my grandchildren: Donald Trump cannot become our commander in chief. In an unstable world we cannot afford unstable leadership."

His outrage is understandable -- once again, Donald Trump showed that he lacks the judgment and self-discipline necessary to be a good president of the United States. But Panetta is rather late in foreseeing the possibility of such a leader.

A few short years ago, when Edward Snowden revealed the extent of NSA surveillance on American citizens, corporations, and other institutions, NSA defenders insisted that the national security establishment can be trusted, and that civil libertarians were overly paranoid to worry that unprincipled elites would, sooner or later, exploit the era of mass surveillance to manipulate the political process.

With the Republican nominee for the presidency openly yearning for a foreign intelligence agency to hack a political rival, Trevor Timm, one of those civil libertarians, took the opportunity to issue a reminder: If elected to the presidency, "Trump would head a vast NSA apparatus he could turn on his political enemies."
This was, Timm wrote, "always the overarching concern about NSA: Even IF it's not being abused now, the system would allow future leaders to wreak havoc."

And the safeguards that NSA defenders always invoke? "Hopefully if President Trump ever ordered the NSA to hack into the computer systems of domestic opponents or critics, NSA leaders would refuse," Tim Lee noted at Vox. "But the president has the power not only to choose the NSA director but also to prosecute whistleblowers for leaking classified information. So we shouldn't be too confident that internal resistance at the NSA would stop him."

Jennifer Granick set forth a specific accounting of weaknesses in NSA oversight. "The president isn't required to inform Congress or the PCLOB if she changes Executive Order 12333," she explained. "She is not required by law to give Congress notice of or the opportunity to review new Presidential Policy Directives affecting surveillance. The FISA Court still has no role in supervising overseas spying, nor must the president inform Congress when she initiates new overseas spying programs. When Office of Legal Counsel opinions justifying surveillance proposals are written, Congress need not be told nor given a copy. If the DOJ changes minimization procedures or FBI guidelines, it is not required to inform Congress. Classification continues to get in the way of oversight. There is no punishment for people who violate the law at a president's behest. And whistleblowers have less, not more, reason to believe they will be protected and not prosecuted."

I warned, long before the rise of Donald Trump, that Presidents Bush and Obama were providing all the infrastructure that a tyrant would need to perpetrate grave abuses of power. With his rise, I urged elected officials to tyrant-proof the White House before it's too late.
If the prudence of doing so wasn't evident before, is it now, with knowledge that Trump soon won't need the Russians to secure information about the private communications of every legislator and judge in America, but will presumably still want to hack into the communications of his rivals? This danger would be lessened with reforms to the NSA, including a mandate to purge old data from its vast stores.

At the same time, Trump's outreach to the Russians underscores the fact that we're now in a reality where any candidate for president, or the president herself, can seek data from foreign-intelligence agencies, data that can almost certainly give them power relative to political adversaries. One wonders what the British Government Communication Headquarters knows about Donald Trump. Might Hillary Clinton ask one day?

So reforming the NSA isn't enough. The prudent course, for the U.S. government, is reorienting the agency so that it spends fewer resources spying on Americans and more on helping to protect the private details of our lives from actors foreign and domestic.

And there is more to protect beyond our privacy. Says Jack Goldsmith of Harvard Law School, "Does the United States government have a well-worked out plan to ensure that our highly computerized and highly decentralized system for electing the president is protected from foreign disruption via cyber-exploitation or cyber-attack? I have no idea--but I seriously doubt it."

Better to address these vulnerabilities before they are exploited than to invite a crisis of democracy even more alarming than a reality-TV star seeking the presidency.
------------------------------

Date: Mon, 1 Aug 2016 23:18:16 +0930
From: William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
Subject: Australian 2016 census to retain identifying information

A Twitter-rant full of citations regarding the security risks willfully ignored by the Aus Bureau of Statistics in deciding to retain census PII:

https://twitter.com/LiamPomfret/status/760008536713678848

I'm of two minds here. Longitudinal data is incredibly valuable and the ABS has previously handled PII competently, i.e., offline in the national archives. It's not clear that that will continue to be the case though.

------------------------------

Date: Mon, 1 Aug 2016 18:32:10 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Interpol arrests Nigerian email scammer who swindled $60M (Michael Kan)

Michael Kan, PC World, 1 Aug 2016
http://www.pcworld.com/article/3102824/interpol-arrests-nigerian-email-scammer-who-swindled-60-million.html

Interpol has arrested a top Nigerian email scammer who stole more than US$60 million by tricking businesses into handing over funds by posing as trusted suppliers.

The 40-year-old Nigerian known as Mike is allegedly the leader of a criminal ring that targeted hundreds of victims across the world, Interpol said on Monday.

He and at least 40 other individuals pulled off their scheme by allegedly pretending to be CEOs or suppliers using hacked email accounts of legitimate companies. The criminals then sent fake emails, asking the victims to wire funds or send payment to bank accounts under the scammers' control.

The Nigerian at one point conned a victim into paying $15.4 million, Interpol said.

To hack the email accounts, the scammers targeted small and medium businesses in the U.S., India, and Romania, among other countries.
------------------------------

Date: Tue, 2 Aug 2016 16:20:33 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Hack Brief: Hackers Breach the Ultra-Secure Messaging App Telegram in Iran (WiReD)

NNSquad
https://www.wired.com/2016/08/hack-brief-hackers-breach-ultra-secure-messaging-app-telegram-iran/

Amnesty International technologist and researcher Claudio Guarnieri and independent security researcher Collin Anderson traced recent Telegram account breaches in Iran to the SMS messages Telegram sends to people when they activate a new device. The texts contain a verification code that Telegram asks people to enter to complete a new device setup. A hacker with access to someone's text messages can obtain these codes and enter them to add their own devices to the person's account, thus gaining access to their data including chat histories.

The researchers think the Iranian hacking group Rocket Kitten is behind the Telegram breaches, based on similarities to the infrastructure of past phishing attacks attributed to the group. There is widespread speculation that Rocket Kitten has ties to the Iranian government.

Yet more examples of SMS text messaging vulnerabilities.

------------------------------

Date: Sun, 31 Jul 2016 08:34:37 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: User Interfaces *designed* to trick you

Dark Patterns are designed to trick you (and they're all over the Web). No, it's not only you--some user interfaces today intentionally want to confuse and enroll.

http://arstechnica.com/security/2016/07/dark-patterns-are-designed-to-trick-you-and-theyre-all-over-the-web/

It happens to the best of us. After looking closely at a bank statement or cable bill, suddenly a small, unrecognizable charge appears. Fine print sleuthing soon provides the answer--somehow, you accidentally signed up for a service.
Whether it was an unnoticed pre-marked checkbox or an offhanded verbal agreement at the end of a long phone call, now a charge arrives each month because naturally the promotion has ended. If the possibility of a refund exists, it'll be found at the end of 45 minutes of holding music or a week's worth of angry e-mails.

------------------------------

Date: Wed, 03 Aug 2016 09:19:53 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Bitfinex bitcoin exchange offline after potentially costly security breach" (Asha McLean)

Asha McLean, ZDNet, 3 Aug 2016

Bitcoin exchange Bitfinex has taken its trading platform offline, telling users that it suffered a security breach which resulted in the loss of potentially millions of dollars.

http://www.zdnet.com/article/bitfinex-bitcoin-exchange-offline-after-potentially-costly-security-breach/

------------------------------

Date: Fri, 29 Jul 2016 09:53:50 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Social Security Administration cutting off users who can't receive text messages

via NNSquad
https://plus.google.com/+LaurenWeinstein/posts/DuRiEN9X43j

REPORT - NOT FULLY CONFIRMED: If you don't have a cell phone, or some other means to receive SMS text messages (and have them enabled, and know how to deal with them), you won't be able to access your Social Security Administration "My Social Security" account starting next month.

There is a rumor rapidly spreading on the Net, brought to my attention this morning, claiming that SSA users have been receiving warnings that they MUST receive an SMS text message with a two-factor authentication code to access their accounts starting next month. While I cannot find an official SSA statement regarding this, there is testimony at the House Oversight Committee from late May that appears to confirm the essence of this report:

"Additionally, to protect citizens' personally identifiable information further, we continue to improve authentication for our online services.
In compliance with Executive Order 13681 ("Improving the Security of Consumer Financial Transactions"), we are changing our current multifactor authentication process for my Social Security from optional to mandatory for all users. Upon implementation this summer, all customers must enter a username, password, and a one-time passcode texted to a registered cell phone in order to access their my Social Security account. In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines. The National Institute of Standards of Technology is working on a revised guideline, and we are providing input into that process."

While the "expectation" of other two-factor options in the future is interesting, the move to block users who do not have cell phones, or text message capable cell phones, or do not have text messaging enabled, or do not know how to access and read text messages -- IS UNACCEPTABLE, especially on such short notice.

Two-factor authentication systems are important, but keep in mind that SSA by definition is dealing mostly with older users who may have only recently become comfortable with online services at all, and may not make any use of text messaging. Many do not have cell phones or somebody to receive text messages for them.

Additionally -- and ironically -- text messaging is considered to be a substandard means of receiving two-factor authentications. And -- get this boys and girls -- NIST just a few days ago officially declared that text messaging based two-factor should no longer be used at all -- it's simply not safe and secure.

It appears that SSA has really mucked this one up. This isn't secure two-factor, it's a three-ring circus. And if deployed as reported, it's going to leave many SSA users out in the cold.
Later from Lauren:

Official Social Security Administration announcement regarding the required use of text messaging for account access
https://www.ssa.gov/myaccount/MoreInformationAboutMFA.html

------------------------------

Date: Sun, 31 Jul 2016 18:15:29 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Comments on SSA requiring text messaging to access online accounts

NNSquad

If you're interested in following more on the controversy regarding the Social Security Administration requiring that anyone who wants continued access to their SSA online account *must* be able to receive text messages, my Friday post on this topic has now attracted almost 30 comments, many from SSA users who discovered that the requirement is already in place and have not been able to make it work.

https://lauren.vortex.com/2016/07/ssa-cutting-off-users-who-cant-receive-text-messages

Comments on my blog are an experiment with which I'm (so far) fairly satisfied. All comments are moderated before publication, and all from real people have been suitable for publication. There is also an increasing volume of spam comment submissions -- if these get out of hand I may need to reevaluate, but right now they are tolerable.

------------------------------

Date: Sun, 31 Jul 2016 19:05:12 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: SSA launches text message authentication system that doesn't work with Verizon Wireless

Social Security Administration launches lamebrain 2-factor authentication system depending on text messages, with only a couple of days warning, and without verifying that it even worked with Verizon Wireless!

Reference:
https://lauren.vortex.com/2016/07/ssa-cutting-off-users-who-cant-receive-text-messages

------------------------------

Date: Tue, 2 Aug 2016 19:07:57 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Your device's battery status can be used to track you online

NNSquad
http://thenextweb.com/mobile/2016/08/02/your-devices-battery-status-can-be-used-to-track-you-online/

There are a myriad of ways you can be tracked online - from supercookies, to canvas fingerprinting and malware. Now you can add your device's battery status to the list, according to research by Steve Engelhard and Arvind Narayanan - two academics from Stanford University.

The attack takes advantage of the HTML5 Battery Status API, which allows servers to determine when they need to send an energy-efficient version of a website. It lets them see how much charge a laptop, tablet, or smartphone has in terms of time remaining until discharge, and as an overall percentage.

------------------------------

Date: Tue, 2 Aug 2016 16:23:54 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Frequent password changes are the enemy of security, FTC technologist says (Ars Technica)

http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'"

Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe.
Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it.

------------------------------

Date: Thu, 28 Jul 2016 11:14:30 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: MS faces two new lawsuits over aggressive Windows 10 upgrade tactics (Ian Paul)

Ian Paul, PCWorld, 28 Jul 2016
http://www.pcworld.com/article/3101396/windows/microsoft-faces-two-new-lawsuits-over-aggressive-windows-10-upgrade-tactics.html

opening text:

Microsoft is facing two more lawsuits over the company's questionable Windows 10 upgrade tactics. Both suits are seeking class-action status.

The first suit was filed in U.S. District Court in Florida. It alleges that Microsoft's Windows 10 upgrade prompts "violated laws governing unsolicited electronic advertisements," as reported by The Seattle Times. The suit also says Microsoft's tactics are against the Federal Trade Commission's rules on deceptive and unfair practices.

The second suit was filed in June in Haifa, Israel alleging that Microsoft installed Windows 10 on users' computers without consent. Microsoft already paid out a $10,000 award in a previous U.S. suit over similar circumstances.

------------------------------

Date: Fri, 29 Jul 2016 11:45:26 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Windows 10 upgrade: Don't use Express settings if you value your privacy" (Jared Newman)

Jared Newman, PCWorld, 29 Jul 2016

Take the time to customize typing, browsing, and other settings from the get-go. At the end of the Windows 10 installation, you could hit Express Settings to finish up fast, but taking the time to customize could save you some privacy.

http://www.pcworld.com/article/3095284/windows/windows-10-upgrade-dont-use-express-settings-if-you-value-your-privacy.html

selected text:

... offer to install the operating system with "Express settings." Although Windows 10 Express settings will get you up and running quickly, that convenience comes at a cost: By skipping over custom settings, you're agreeing to all kinds of data collection and behavior tracking, much of which didn't apply in earlier versions of Windows.

Here's our advice: Instead of blindly enabling Express settings in Windows 10, take some time to understand what you're agreeing to. Click the Customize settings link (in tiny text at the bottom of the setup screen), and disable the options you don't want.

------------------------------

Date: Mon, 01 Aug 2016 20:24:33 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "More forced advertising creeps into Windows 10 Pro" (Woody Leonhard)

[I missed the opportunity to get the free Windows 10 upgrade. I am so disappointed. Mind you, the disappointment is at Microsoft's behaviour, not at "missing out" on Windows 10.]

Woody Leonhard, InfoWorld, 29 Jul 2016

Starting 2 Aug, admins will not be able to keep Microsoft from pushing the likes of Candy Crush Soda Saga onto Win10 Pro PCs on their networks because certain Group Policies will be deactivated.

http://www.infoworld.com/article/3101947/microsoft-windows/more-forced-advertising-creeps-into-windows-10-pro.html

opening text:

If you were wondering whether Microsoft could inflict even more damage to Windows' reputation, the answer is yes.

------------------------------

Date: Tue, 02 Aug 2016 17:03:06 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Microsoft won't fix Windows flaw that lets hackers steal your username and password" (Zack Whittaker)

Zack Whittaker for Zero Day, ZDNet, 2 Aug 2016

The flaw, which allows a malicious website to extract user passwords, is made worse if a user is logged in with a Microsoft account.
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

selected text:

But now a new proof-of-exploit shows just how easy it is to steal someone's credentials.

The flaw is widely-known, and it's said to be almost 20 years old. It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas.

The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others. Overnight, the attack got larger in scope, and now it allows an attacker to conduct a full takeover of a Microsoft account.

------------------------------

Date: Fri, 29 Jul 2016 14:24:03 +0100
From: Martyn Thomas <martyn@thomas-associates.co.uk>
Subject: Re: Self-driving cars, accepting the moral dilemma (RISKS-29.64)

>> If the car is really autonomous, then any "fault" belongs to the
>> manufacturer and the mfgr will have to pay the damages.

And who holds the data and expertise to determine whether an accident was caused by a "fault"?

------------------------------

Date: July 29, 2016 at 1:29:48 AM EDT
From: Steven Schear <steven.schear@googlemail.com>
Subject: Re: Detecting When a Smartphone Has Been Compromised

[via Dewayne Hendricks]

While this device may prevent the phone from disclosing its location in real-time it will not prevent the device from recording the sound in its vicinity nor prevent it from using its motion sensors as an inertial navigation system. Later, once its wireless capability is reactivated, it can report both.
It seems to me that if you are concerned enough to see your threats at this level you need to acquire good security trade-craft and take other precautions, such as only using a mobile with a removable battery and pull it out before you set out for a meeting or leave it on (so it looks like you are at your home or office) and use a "burner" phone that is never operated near your normal mobile's locations and is discarded after each meeting.

> Detecting When a Smartphone Has Been Compromised
> By Bruce Schneier
> Jul 27 2016
> <https://www.schneier.com/blog/archives/2016/07/detecting_when_.html>

------------------------------

Date: Sun, 31 Jul 2016 14:56:06 GMT
From: raltbos@xs4all.nl (Richard Bos)
Subject: Re: Pets miss meals after auto-feeding app PetNet glitches (R 29 65)

Ok, I'm going to be judgmental and potentially controversial here, but: If you rely on a computerised system to feed your dependents and don't bother to check in on them yourself, in person, or to have a human pet sitter do so for you - and that _at least_ once a day - frankly, you are a horrible person and you shouldn't be allowed to have pets in the first place. They're real, live creatures. They're not toys. If you can't take proper, emotionally invested care of them, get an effing Tamagotchi.

Richard, furious and disdainful

------------------------------

Date: Thu, 28 Jul 2016 17:32:11 -0400
From: "Larry Werring" <larry.werring@cyberunitss.com>
Subject: Re: Mozilla off-by-one error on the Web anniversary! (RISKS-29.65)

2016-07-28 as the 10,001st day of the Web? 1989-03-12 as the start of the Web? These dates seem questionable to me.

According to the History of the Web at http://webfoundation.org/about/vision/history-of-the-web/, Sir Tim Berners-Lee, a software engineer at CERN, came up with the concept of the Web in March 1990 (a year later than mentioned in this post) and it wasn't until 1991 that people outside of CERN were invited to join the new Web community.
So where does the March 1989 date come from?

------------------------------

Date: Fri, 29 Jul 2016 10:06:00 +1000
From: Craig Burton <craig.alexander.burton@gmail.com>
Subject: Re: Billion dollar shave club risk (RISKS-29.65)

http://www.nytimes.com/2016/07/27/business/dealbook/1-billion-for-dollar-shave-club-why-every-company-should-worry.html

This NYT article could have been written by Andrew Keen of the breathy "The Internet Is Not The Answer". The book cites the death of mighty Kodak as a tragedy of digitization and nerd billionaires. Kodak was a creaking monopoly whose time had come, and so is Gillette. Gillette just paid a billion dollar fine for not performing the very same logistic optimisation Dollar Shave beat them to. The risk, really, is that Gillette shareholders might well sack the board for their inertia and short-sightedness.

------------------------------

Date: Mon, 01 Aug 2016 20:27:15 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Re: Study: 78% of Resold Drives Still Contain Readable Personal or Business Data (RISKS-29.64)

CB> "dd if=/dev/zero of=/dev/sda bs=1M"
CB> Of course you need to replace sda with the actual device name that connects
CB> to the disk you want to clear.

And if you don't you'll zap your home disk. So I would use 'sdz' in such examples.

------------------------------

Date: Thu, 28 Jul 2016 14:42:13 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: How many geeks does it take to change a lightbulb?

http://www.pcworld.com/article/3101008/connected-home/osrams-lightify-smart-bulbs-suffer-from-several-serious-security-flaws.html

A salescritter to convince you that something as simple as a lightbulb needs to be computerized.
A security geek to think that something may possibly be wrong with that idea.
A whitehat firm to analyse the attack surface.
Someone to look at the network traffic for disclosures.
Someone to look at the user/management interface.
Someone to look at authentication of commands.
Someone to look at social engineering risks involved in lightbulb jokes.
Someone to note that it is better to light a single candle than to curse the IoT.
Someone else to note that the IoT will soon have many more than a million points of light.
Someone to pontificate that many IoT devices are not built with security in mind.
Someone else to note that, so far, there are very few actual exploits available, despite the number of vulnerabilities.
A device systems manager to opine that having a device security manager is not really necessary.
A device security manager to at least change the passwords that the device systems manager left on default setting.
A bored teenager to sit and play with the lightbulb for hours trying to force the "cool light" setting to actually make it turn blue.
An exasperated parent to, very strongly, make the point that a lightbulb that costs over a hundred dollars every time it burns out is *NOT A TOY*!
Someone to create a Burned Out High Tech Lightbulb account on Twitter.
Someone to propose a "Lightbulb security settings" course to SANS.
Someone at (ISC)^2 to call for CBK entries for a CLBSP (Certified Light Bulb Security Professional) designation.
Someone to drive a Tesla, on autopilot, through the existing crowd.
Someone to note that a Solo would do far less damage. https://electrameccanica.com

...

------------------------------

Date: Tue, 10 May 2016 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
   The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken.
   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> OFFICIAL ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html --> VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.66
************************