precedence: bulk
Subject: Risks Digest 29.91

RISKS-LIST: Risks-Forum Digest  Sunday 13 November 2016  Volume 29 : Issue 91

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.91>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Why Light Bulbs May Be the Next Hacker Target (John Markoff)
DDoS on a Finnish water distribution system (Gadi Evron)
Researchers just demonstrated how to hack the official vote count
  with a $30 card (geoff goodfellow)
How to block the ultrasonic signals you didn't know were tracking you
  (Lily Hay Newman via Werner U)
Fake shopping apps are invading the iPhone (James Covert)
GCHQ wants Internet providers to rewrite systems to block hackers
  (The Telegraph via Chris Drewe)
Tesco Bank halts online transactions after theft from 20,000 accounts
  (Kelly Fiveash)
Offensive Words Filter Data Blocked By Offensive Words Filter (Chris Drewe)
"Executive dilemma: Approve the cloud, get a pay cut" (David Linthicum)
Browsers nix add-on after Web of Trust is caught selling users'
  browsing histories (The Register)
Department of Chromeland Security to the rescue... (Andy Greenberg via
  Werner U)
How to get Google to come out of their hole and say something
  (Dan Jacobson)
How the Internet Is Loosening Our Grip on the Truth (The New York Times)
Two ambulances speeding toward the same crossroads (Google via
  Dan Jacobson)
This evil office printer hijacks your cellphone connection (Ars Technica)
Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, PINs
  (Bleeping Computer)
OAuth 2.0 hack exposed 1 billion mobile apps to account hijacking
  (Threatpost)
Russian Hackers Launch Targeted Cyberattacks Hours After Trump's Win
  (Motherboard via Suzanne Johnson)
$0.02 due to Daylight Savings Time (Dan Jacobson)
Re: "Your WiFi-connected thermostat can take down the whole Internet...
  (Stanley Chow)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 5 Nov 2016 11:33:48 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Why Light Bulbs May Be the Next Hacker Target (John Markoff)

John Markoff, *The New York Times*, 3 Nov 2016

Researchers report in a paper <http://iotworm.eyalro.net/> that they have
uncovered a flaw in a wireless technology that is often included in smart
home devices like lights, switches, locks, thermostats and many of the
components of the much-ballyhooed "smart home" of the future.  The
researchers focused on the Philips Hue smart light bulb and found that the
wireless flaw could allow hackers to take control of the light bulbs,
according to researchers at the Weizmann Institute of Science near Tel Aviv
and Dalhousie University in Halifax, Canada.
<http://www.nytimes.com/topic/company/koninklijke-philips-electronics-nv?inline=nyt-org>

  [I wonder how many other brand names are at similar risk.]

Imagine thousands or even hundreds of thousands of Internet-connected
devices in close proximity. Malware created by hackers could be spread like
a pathogen among the devices by compromising just one of them.  [There is
video, in the research paper, showing tests.  For example, a drone hovers
next to a high rise building, and you see it taking over control of all the
lights of the building. Before the test, they had switched one light bulb on
the ground floor with one they could already hack.]

The new risk comes from a little-known radio protocol called ZigBee.
<http://www.zigbee.org/what-is-zigbee/>

The researchers said they had notified Philips of the potential vulnerability
and the company had asked the researchers not to go public with the research
paper until it had been corrected. Philips fixed the vulnerability in a
patch issued on 4 Oct and recommended that customers install it through a
smart phone application.  Still, it played down the significance of the
problem.

[I wonder how many customers learned about this, and implemented the patch.]

http://www.nytimes.com/2016/11/03/technology/why-light-bulbs-may-be-the-next-hacker-target.html
http://iotworm.eyalro.net/

The full technical paper can be downloaded from this link:
IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF, 6.7MB]
<http://iotworm.eyalro.net/iotworm.pdf>

Risks identified by the research:
* Brick the lights so they cannot be fixed vs. whatever nuisance the
  malware has inflicted.
* City-wide wireless jamming.
* Attack electric grid via manipulating power consumption demands.
* Induce epileptic seizures in photosensitive people on a large scale.

[Risks thought about by Al Mac:

* Kill street lights, and stairwell lights, after dark, then set off
  fire alarms, sirens, so people can have a hard time exiting safely.
* Airport runway lights go out, when most needed for safe landing.
* You know those highway signs, using letters spelling out key words
  for warnings to drivers, where each letter is a combination of lights on &
  off?  The phrases could be altered.
* Do emergency responders use the same radio frequencies that can be
  jammed by this hack?]

------------------------------

Date: Tue, 8 Nov 2016 14:25:42 -0800
From: Gadi Evron <gadi@cymmetria.com>
Subject: DDoS on a Finnish water distribution system

In some countries such as Finland, if the underground water pipes freeze,
parts of the country can remain without water until summer.
http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter

------------------------------

Date: Sun, 6 Nov 2016 15:29:30 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Researchers just demonstrated how to hack the official vote count
  with a $30 card

Details: https://twitter.com/Snowden/status/795424579715940352

------------------------------

Date: Thu, 10 Nov 2016 10:28:02 +0100
From: Werner U <werneru@gmail.com>
Subject: How to block the ultrasonic signals you didn't know were tracking you
  (Lily Hay Newman)

Lily Hay Newman, wired.com in Ars Technica, 3 Nov 2016
How to block the ultrasonic signals you didn't know were tracking you: Your
phone can talk to advertisers behind your back, beyond your audible spectrum

<http://arstechnica.com/security/2016/11/how-to-block-the-ultrasonic-signals-you-didnt-know-were-tracking-you/>

Dystopian corporate surveillance threats today come at us from all
directions. Companies offer *always-on* devices
<https://www.wired.com/2015/03/always-listening-tech-isnt-always-creepy/>
that listen for our voice commands, and marketers follow us around the web
<https://www.wired.com/2016/09/ny-cracks-mattel-hasbro-tracking-kids-online/>
to create personalized user profiles so they can (maybe) show us ads we'll
actually click. Now marketers have been experimenting with combining those
web-based and audio approaches to track consumers in another disturbingly
science fictional way: with audio signals your phone can hear, but you
can't. And though you probably have no idea that dog whistle marketing is
going on, researchers are already offering ways to protect yourself.

The technology, called ultrasonic cross-device tracking, embeds
high-frequency tones that are inaudible to humans in advertisements, web
pages, and even physical locations like retail stores. These ultrasound
beacons emit their audio sequences with speakers, and almost any device
microphone -- like those accessed by an app on a smartphone or tablet -- can
detect the signal and start to put together a picture of what ads you've
seen, what sites you've perused, and even where you've been. Now that you're
sufficiently concerned, the good news is that at the Black Hat Europe
security conference on Thursday, a group based at University of California,
Santa Barbara will present an Android patch and a Chrome extension that give
consumers more control over the transmission and receipt of ultrasonic
pitches on their devices.

Beyond the abstract creep factor of ultrasonic tracking, the larger worry
about the technology is that it requires giving an app the ability to listen
to everything around you, says Vasilios Mavroudis, a privacy and security
researcher at University College London who worked on the research being
presented at Black Hat. ``The bad thing is that if you're a company that
wants to provide ultrasound tracking there is no other way to do it
currently, you have to use the microphone.  So you will be what we call
*over-privileged*, because you don't need access to audible sounds but you
have to get them.''

This type of tracking, offered by companies like Tapad and 4Info, has hardly
exploded in adoption. But it's persisted as more third party companies
develop ultrasonic tools for a range of uses, like data transmission without
Wi-Fi or other connectivity. The more the technology evolves, the easier it
is to use in marketing. As a result, the researchers say that their goal is
to help protect users from inadvertently leaking their personal information.
``There are certain serious security shortcomings that need to be addressed
before the technology becomes more widely used.  And there is a lack of
transparency. Users are basically clueless about what's going on.''

Currently, Android and iOS do require apps to request permission to use a
phone's microphone. But most users likely aren't aware that by granting
that permission, apps that use ultrasonic tracking could access their
microphone -- and everything it's picking up, not just ultrasonic
frequencies -- all the time, even while they're running in the background.

The researchers' patch adjusts Android's permission system so that apps have
to make it clear that they're asking for permission to receive inaudible
inputs. It also allows users to choose to block anything the microphone
picks up on the ultrasound spectrum. The patch isn't an official Google
release, but represents the researchers' recommendations for a step mobile
operating systems can take to offer more transparency.

To block the other end of those high-pitched audio communications, the
group's Chrome extension preemptively screens websites' audio components as
they load to keep the ones that emit ultrasounds from executing, thus
blocking pages from emitting them. There are a few old services that the
extension can't screen, like Flash, but overall the extension works much
like an ad-blocker for ultrasonic tracking. The researchers plan to make
their patch and their extension available for download after their Black Hat
presentation.

Ultrasonic tracking has been evolving for the last couple of years, and it
is relatively easy to deploy since it relies on basic speakers and
microphones instead of specialized equipment. But from the start, the
technology has encountered pushback about its privacy and security
limitations. Currently there are no industry standards for legitimizing
beacons or allowing them to interoperate the way there are with a protocol
like Bluetooth. And ultrasonic tracking transmissions are difficult to
secure because they need to happen quickly for the technology to
work. Ideally the beacons would authenticate with the receiving apps each
time they interact to reduce the possibility that a hacker could create
phony beacons by manipulating the tones before sending them. But the beacons
need to complete their transmissions in the time it takes someone to briefly
check a website or pass a store, and it's difficult to fit an authentication
process into those few seconds. The researchers say they've already observed
one type of real-world attack in which hackers replay a beacon over and over
to skew analytics data or alter the reported behavior of a user. The team
also developed other types of theoretical attacks that take advantage of the
lack of encryption and authentication on beacons.  The Federal Trade
Commission evaluated ultrasonic tracking technology at the end of 2015, and
the privacy-focused non-profit Center for Democracy and Technology wrote to
the agency at the time
<https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf> that
``the best solution is increased transparency and a robust and meaningful
opt-out system. If cross-device tracking companies cannot give users these
types of notice and control, they should not engage in cross-device
tracking.''  By March the FTC had drafted a warning letter to developers
<https://www.ftc.gov/system/files/attachments/press-releases/ftc-issues-warning-letters-app-developers-using-silverpush-code/160317samplesilverpushltr.pdf>
about a certain brand of audio beacon that could potentially track all of a
users' television viewing without their knowledge. That company, called
Silverpush, has since ceased working on ultrasonic tracking in the United
States, though the firm said at the time that its decision to drop the tech
wasn't related to the FTC probe.

More recently, two lawsuits filed this fall -- each about the Android app of
an NBA team -- allege that the apps activated user microphones improperly to
listen for beacons, capturing lots of other audio in the process without
user knowledge. Two defendants in those lawsuits, YinzCam and Signal360,
both told WIRED that they aren't beacon developers themselves and don't
collect or store any audio in the spectrum that's audible to humans.

But the researchers presenting at Black Hat argue that controversy over just
how much audio ultrasonic tracking tools collect is all the more reason to
create industry standards, so that consumers don't need to rely on companies
to make privacy-minded choices independently. ``I don't believe that
companies are malicious, but currently the way this whole thing is
implemented seems very shady to users,'' Mavroudis says.  Once there are
standards in place, the researchers propose that mobile operating systems
like Android and iOS could provide application program interfaces that
restrict microphone access so ultrasonic tracking apps can only receive
relevant data, instead of everything the microphone is picking up.  ``Then we
get rid of this overprivileged problem where apps need to have access to the
microphone, because they will just need to have access to this API.''

For anyone who's not waiting for companies to rein in what kinds of audio
they collect to track us, however, the UCSB and UCL researchers' software
offers a temporary fix.  And that may be more appealing than the notion of
your phone talking to advertisers behind your back -- or beyond your audible
spectrum.
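The detect-and-block idea described above, worked through as an added example
(this is not the article's code nor the UCSB/UCL researchers' Android patch or
Chrome extension). It assumes a 44.1 kHz microphone capture, treats everything
above 17 kHz as inaudible, and constructs its own input frame: a 1 kHz audible
tone, a little noise and a faint 18.5 kHz beacon tone (frequencies and
thresholds are illustrative). The detector looks for a narrowband tone in the
inaudible band; the scrubber is a windowed-sinc low-pass FIR that hands an app
only the audible band, which is the permission split the patch is after.

```python
import cmath
import math
import random

SAMPLE_RATE = 44_100        # Hz; a common phone capture rate (assumption)
FRAME = 1024                # analysis frame length; power of two for the FFT
ULTRASONIC_FROM_HZ = 17_000 # treat anything above this as inaudible (assumption)
BEACON_THRESHOLD = 0.005    # normalised amplitude, about -46 dBFS (constructed threshold)


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def band_peak_amplitude(frame, from_hz):
    """Largest per-bin amplitude at or above from_hz, scaled so that a pure
    sine of amplitude A reads back as roughly A (the Hann window's mean is 0.5)."""
    n = len(frame)
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / n) for i in range(n)]
    spectrum = fft([s * w for s, w in zip(frame, window)])
    first_bin = math.ceil(from_hz * n / SAMPLE_RATE)
    return max(abs(spectrum[k]) * 4 / n for k in range(first_bin, n // 2 + 1))


def ultrasonic_beacon_present(frame):
    """Detector: a narrowband tone in the inaudible band above the threshold."""
    return band_peak_amplitude(frame, ULTRASONIC_FROM_HZ) > BEACON_THRESHOLD


def lowpass_taps(cutoff_hz, num_taps=129):
    """Windowed-sinc (Hamming) FIR low-pass with unity DC gain. Hamming gives
    roughly 53 dB of stopband attenuation about 3.3/num_taps cycles past the cutoff."""
    fc = cutoff_hz / SAMPLE_RATE
    mid = (num_taps - 1) / 2
    taps = []
    for i in range(num_taps):
        m = i - mid
        sinc = 2 * fc if m == 0 else math.sin(2 * math.pi * fc * m) / (math.pi * m)
        hamming = 0.54 - 0.46 * math.cos(2 * math.pi * i / (num_taps - 1))
        taps.append(sinc * hamming)
    gain = sum(taps)
    return [t / gain for t in taps]


def apply_fir(samples, taps):
    """'Valid' convolution: only outputs with a full history, so no start-up
    transient. Returns len(samples) - len(taps) + 1 samples."""
    m = len(taps)
    return [sum(taps[k] * samples[i - k] for k in range(m))
            for i in range(m - 1, len(samples))]


def synth_frame(num_samples, beacon, seed=1):
    """Constructed microphone capture: a 1 kHz audible tone, a little noise and,
    optionally, a faint 18.5 kHz beacon tone (all values are illustrative)."""
    rng = random.Random(seed)
    out = []
    for n in range(num_samples):
        t = n / SAMPLE_RATE
        s = 0.5 * math.sin(2 * math.pi * 1000 * t) + rng.uniform(-0.01, 0.01)
        if beacon:
            s += 0.05 * math.sin(2 * math.pi * 18500 * t)
        out.append(s)
    return out


def scrub_ultrasound(samples, cutoff_hz=16_000):
    """Mitigation in the spirit of the patch: hand the app only the audible band."""
    return apply_fir(samples, lowpass_taps(cutoff_hz))


if __name__ == "__main__":
    taps = lowpass_taps(16_000)
    raw = synth_frame(FRAME + len(taps) - 1, beacon=True)
    print("beacon in raw capture:", ultrasonic_beacon_present(raw[:FRAME]))
    print("beacon after scrubbing:", ultrasonic_beacon_present(scrub_ultrasound(raw)))
```

The detector is deliberately absolute (a level in dBFS) rather than relative:
a low-pass filter attenuates beacon and noise by the same factor in its
stopband, so a peak-to-floor ratio would keep firing on the scrubbed audio
even though nothing usable is left for a tracker.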

------------------------------

Date: Mon, 7 Nov 2016 12:29:10 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Fake shopping apps are invading the iPhone (James Covert)

James Covert, *New York Post*, October 30, 2016 | 10:37pm

https://nypost.com/2016/10/30/experts-see-giant-increase-in-digital-scammers/

For tech-focused scammers, knocking off sneakers and handbags is so last
decade.

Thieves in the digital age are slamming consumers right in the app.

A slew of knockoff shopping apps have quietly infiltrated Apple's App Store
in recent months, looking to lure unsuspecting iPhone owners with bogus
deals on everything from jewelry to designer duds.

The fake apps mimic the look of legit apps -- and have proliferated since
this summer, experts said.

It didn't help that earlier this month, Apple introduced search ads in its
App Store. The fake apps are buying search terms, it would appear, to
increase their exposure to consumers.

------------------------------

Date: Mon, 07 Nov 2016 22:32:12 +0000
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: GCHQ wants Internet providers to rewrite systems to block hackers

http://www.telegraph.co.uk/technology/2016/11/05/gchq-wants-internet-providers-to-rewrite-systems-to-block-hacker/

*The Telegraph*, Nov 5 2016

GCHQ is urging Internet providers to change long-standing protocols to stop
computers from being used to set off large-scale cyber attacks.  The plan
would involve changes to the Border Gateway Protocol (BGP) and Signalling
System 7 (SS7) standards that have been in place for decades, and are widely
used for routing traffic. GCHQ wants providers to stop the trivial
re-routing of UK traffic and help prevent text message scams.

The announcement followed the launch of the Government's five-year
cybersecurity strategy this week, which includes 1.9bn pounds for bolstering
computer security, including provisions to create a national firewall.

------------------------------

Date: Tue, 8 Nov 2016 18:16:48 +0100
From: Werner U <werneru@gmail.com>
Subject: Tesco Bank halts online transactions after theft from 20,000
  accounts (Kelly Fiveash)

(Nov 7+8, Ars Technica)

Kelly Fiveash, Ars Technica, 7 Nov 2016
http://arstechnica.com/security/2016/11/tesco-bank-online-fraudsters-attack-40000-current-accounts/

Tesco Bank promises to issue refunds, track down culprits.

Tesco Bank has been forced to suspend its online transactions after
fraudulent criminal activity was spotted on thousands of its customer
accounts over the weekend.  A total of 40,000 current accounts were hit by
suspicious transactions. Money was pinched from 20,000 of the affected
current accounts, Tesco Bank said on Monday morning.......<more>......

Updated, November 8: Tesco Bank customers remain locked out from making
current account transactions, two days after it was revealed that money had
been stolen from 20,000 accounts over the weekend.

On Tuesday morning, the chief exec of the Financial Conduct Authority told
parliamentarians sitting on the treasury committee that "I thought this
looked unprecedented in the UK."
http://parliamentlive.tv/event/index/59eeb5d2-1add-40ec-83c4-ce0dfd5d3cff

Andrew Bailey added that it was "too early to give a comprehensive account
of what the root causes are."

It's now a race against time for Tesco Bank: it has until the end of Tuesday
to reimburse its customers -- some of whom say that hundreds of pounds was
removed from their accounts.

The National Crime Agency is leading a criminal investigation into the
attack on Tesco Bank's systems along with GCHQ's National Cyber Security
Centre, which opened its doors last month.
http://arstechnica.co.uk/security/2016/11/cyber-attacks-uk-vows-1-9-billion-cyber-security-strategy/

Further Reading: Cybercrime: 4 million Brits are victims of hacking, viruses,
online fraud

http://arstechnica.co.uk/tech-policy/2016/07/cybercrime-hacking-computer-viruses-online-fraud-ons/

------------------------------

Date: Wed, 09 Nov 2016 22:20:14 +0000
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: Offensive Words Filter Data Blocked By Offensive Words Filter

RISKS occasionally features less-serious computing problems, so here's one:
I just went to a talk on the history of platform train describers on the
London Underground railway (subway) system -- those displays showing "next
train to [wherever] in [x] mins".  Historically, these had simple signs on
each platform listing the regular destinations for trains from that
platform, with an indicator light against each one to show where the next
train was going (and "special" or "see front of train" for non-standard
workings).

Nowadays they have conventional LED dot-matrix panels controlled by
software, with the big advantage that station staff can type in custom
messages when needed.  The guy giving the talk commented on the Offensive
Words Filter in the software (don't know if this was found to be necessary
or just enabled as a precaution); he said that there was some discussion
within the management team as to which actual words should be blocked, but
he then found that his e-mail system also had an offensive words filter, so
compiling the list was somewhat difficult...

  [Recursively unsolvable by exchanging e-mail!!?  PGN]

------------------------------

Date: Tue, 08 Nov 2016 10:04:48 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Executive dilemma: Approve the cloud, get a pay cut"
  (David Linthicum)

David Linthicum, InfoWorld, 8 Nov 2016
The common EBITDA metric that financial analysts follow -- and which affects
executive pay -- is biased against operational expenses such as cloud
services.
http://www.infoworld.com/article/3139047/cloud-computing/executive-dilemma-approve-the-cloud-get-a-pay-cut.html

opening text:

EBITDA is defined as a company's earnings before interest, taxes,
depreciation, and amortization. Although you likely have heard the term
before, few people outside the executive suite (other than accountants)
really know what it means. It's widely used as a measurement of a company's
current operating profitability.

But as a company moves to the cloud, your EBITDA numbers could look
worse. That's because EBITDA isn't adjusted for operating expenses like
cloud services -- but is adjusted for the depreciation of capital expenses,
which decreases under the use of the cloud.

The cloud's effect on EBITDA will matter greatly to publicly traded
companies, where senior executives' bonuses and stock grants are determined
by EBITDA performance. In some cases, 50 to 75 percent of their total
compensation is affected.

By moving many workloads to the cloud, your company avoids hardware and
software purchases, saving money, but the EBITDA doesn't credit you for
those savings. Instead, it penalizes you because it comes from an era where
capital-expense depreciation was a common method to boost perceived
profitability.

------------------------------

Date: Tue, 8 Nov 2016 11:43:48 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Browsers nix add-on after Web of Trust is caught selling users'
  browsing histories

  [via NNSquad]
http://www.theregister.co.uk/2016/11/07/browsers_ban_web_of_trust_addon_after_biz_is_caught_selling_its_users_browsing_histories/

  A browser extension which was found to be harvesting users' browsing
  histories and selling them to third parties has had its availability
  pulled from a number of web browsers' add-on repositories.  Last week, an
  investigative report by journalists at the Hamburg-based German television
  broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust
  Services (WoT) had been harvesting netizens' web browsing histories
  through its browser add-on and then selling them to third parties.  While
  WoT claimed it anonymised the data that it sold, the journalists were able
  to identify more than 50 users from the sample data it acquired from an
  intermediary.  The journalists added that the browsing histories they
  obtained also identified information about ongoing police investigations,
  businesses' sensitive financial details and information which suggested
  the sexual orientation of a judge.  NDR quoted the data protection
  commissioner of Hamburg, Johannes Caspar, criticising WoT for not
  adequately establishing whether users consented to the tracking and
  selling of their browsing data.  Those consent issues have resulted in the
  browser add-on being pulled from the add-on repositories of both Mozilla
  Firefox and Google Chrome, although those who have already installed the
  extension in their browsers will need to manually uninstall it to stop
  their browsing being tracked.

------------------------------

Date: Thu, 10 Nov 2016 19:59:27 +0100
From: Werner U <werneru@gmail.com>
Subject: Department of Chromeland Security to the rescue... (Andy Greenberg)

Andy Greenberg, *WiReD*, 3 Nov 2016
Google's Chrome Hackers Are About to Upend Your Idea of Web Security
https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/

------------------------------

Date: Thu, 10 Nov 2016 18:54:58 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: How to get Google to come out of their hole and say something
  (Re: Gene Wirchenko, RISKS-29.90)

GW> I have had the issue of not being able to report a problem in other areas.
GW> Goggle Maps was one.  It was confusing NE (Northeast) and SE (Southeast)
GW> streets in Salmon Arm, British Columbia, Canada.  I could not find a way to
GW> report the problem.  Then, there are full voice mailboxes and the like.

Ah yes, reminds me of "why hasn't Taiwan's cities' imagery been updated
in nine years?" Had to get on national TV to get Google to finally come
out of their hole and say something...
http://www.youtube.com/watch?v=ZlNZ-wrNKaQ&list=PL5F672CDA8BBC6825
http://www.youtube.com/watch?v=nhM8AKDkvAQ&list=PL5F672CDA8BBC6825
And wouldn't you know it, now it is ten years...

------------------------------

Date: Wed, 2 Nov 2016 09:49:22 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How the Internet Is Loosening Our Grip on the Truth

http://www.nytimes.com/2016/11/03/technology/how-the-internet-is-loosening-our-grip-on-the-truth.html

A wider variety of news sources was supposed to be the bulwark of a rational
age. Instead, we are roiled by biases, gorging on what confirms our ideas
and shunning what does not.

------------------------------

Date: Thu, 10 Nov 2016 21:09:04 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Two ambulances speeding toward the same crossroads

Will they collide? https://www.google.com/search?q=Intelligent+ambulance

------------------------------

Date: Sat, 5 Nov 2016 03:53:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: This evil office printer hijacks your cellphone connection

http://arstechnica.com/information-technology/2016/11/this-evil-office-printer-hijacks-your-cellphone-connection/

------------------------------

Date: Sun, 13 Nov 2016 07:48:11 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, PINs
  (Bleeping Computer)

NNSquad
http://www.bleepingcomputer.com/news/security/smartphone-wifi-signals-can-leak-your-keystrokes-passwords-and-pins/

  The way users move fingers across a phone's touchscreen alters the WiFi
  signals transmitted by a mobile phone, causing interruptions that an
  attacker can intercept, analyze, and reverse engineer to accurately guess
  what the user has typed on his phone or in password input fields.  This
  type of attack, nicknamed WindTalker, is only possible when the attacker
  controls a rogue WiFi access point to collect WiFi signal disturbances.

------------------------------

Date: Sat, 12 Nov 2016 22:05:09 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: OAuth 2.0 hack exposed 1 billion mobile apps to account hijacking
  (Threatpost)

NNSquad
https://threatpost.com/oauth-2-0-hack-exposes-1-billion-mobile-apps-to-account-hijacking/121889/

  Third-party applications that allow single sign-on via Facebook and Google
  and support the OAuth 2.0 protocol, are exposed to account
  hijacking. Three Chinese University of Hong Kong researchers presented at
  Black Hat EU last week a paper called "Signing into One Billion Mobile
  App Accounts Effortlessly with OAuth 2.0." The paper describes an attack
  that takes advantage of poor OAuth 2.0 implementations and puts more than
  one billion apps in jeopardy.

------------------------------

Date: November 11, 2016 at 11:09:35 AM EST
From: Suzanne Johnson <fuhn@pobox.com>
Subject: Russian Hackers Launch Targeted Cyberattacks Hours After Trump's Win
  (Motherboard)

  [via Dave Farber.  PGN]

http://motherboard.vice.com/read/russian-hackers-launch-targeted-cyberattacks-hours-after-trumps-win

------------------------------

Date: Wed, 09 Nov 2016 00:41:50 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: $0.02 due to Daylight Savings Time

> Please do not send the user these ($0.02).
> They are due to internal rounding errors.
> They happen about once a year.
> Please fix the errors.

Hello,

I am sorry for the problems! I've gone ahead and zeroed out the 2 cent
charge.

The reason for the charge is because in November, when California ends
Daylight Savings Time, the system registers that there is technically one
extra hour in the billing cycle -- one hour of your VPS costs 2 cents. So
it's technically not an error, just an anomaly due to Daylight Savings
Time.

Hopefully California will get rid of Daylight Savings Time so this extra
hour will not occur in the future. If it does happen again next year, you
can disregard the requests for payment -- or, rather, the notices that
payment has been deferred.
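The anomaly the provider describes, reproduced as an added example (not the
provider's billing code and not part of the original exchange). It assumes a
California (US Pacific) customer whose monthly cycle runs from local midnight
to local midnight, hand-codes the US DST rule instead of relying on a system
time zone database, and uses the 2 cents per hour from the reply. It also
shows the other half of the story the reply does not mention: the March
cycle comes up one hour short, so the same meter undercharges once a year.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HOURLY_RATE_CENTS = 2                   # from the reply: one VPS hour costs 2 cents
STANDARD_OFFSET = timedelta(hours=-8)   # PST
DAYLIGHT_OFFSET = timedelta(hours=-7)   # PDT


def nth_sunday(year, month, n):
    """Naive datetime at 00:00 on the n-th Sunday of the given month."""
    first = datetime(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(days=7 * (n - 1))


def pacific_dst_window_utc(year):
    """US rule since 2007, hand-coded here (assumption: no tz database available):
    DST starts the second Sunday in March at 02:00 PST (10:00 UTC) and ends the
    first Sunday in November at 02:00 PDT (09:00 UTC)."""
    start = nth_sunday(year, 3, 2).replace(hour=10, tzinfo=UTC)
    end = nth_sunday(year, 11, 1).replace(hour=9, tzinfo=UTC)
    return start, end


def pacific_offset(instant_utc):
    start, end = pacific_dst_window_utc(instant_utc.year)
    return DAYLIGHT_OFFSET if start <= instant_utc < end else STANDARD_OFFSET


def pacific_midnight_utc(year, month, day):
    """UTC instant of local midnight in California. Midnight never falls inside
    the 01:00-03:00 transition window, so the wall-clock time is unambiguous."""
    wall = datetime(year, month, day)
    probe = (wall - STANDARD_OFFSET).replace(tzinfo=UTC)   # assume PST first
    return (wall - pacific_offset(probe)).replace(tzinfo=UTC)


def next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def nominal_hours(year, month):
    """What the plan assumes: subtract the two wall-clock midnights as if the
    clock never jumped. A 30-day month is always 720 hours this way."""
    ny, nm = next_month(year, month)
    return (datetime(ny, nm, 1) - datetime(year, month, 1)) / timedelta(hours=1)


def cycle_bounds_utc(year, month, utc_boundaries):
    ny, nm = next_month(year, month)
    if utc_boundaries:
        return datetime(year, month, 1, tzinfo=UTC), datetime(ny, nm, 1, tzinfo=UTC)
    return pacific_midnight_utc(year, month, 1), pacific_midnight_utc(ny, nm, 1)


def metered_hours(year, month, utc_boundaries=False):
    """Hours an hourly meter really counts between the cycle boundaries.
    Subtracting the UTC instants, not the wall-clock times, exposes the jump."""
    start, end = cycle_bounds_utc(year, month, utc_boundaries)
    return (end - start) / timedelta(hours=1)


def dst_surplus_cents(year, month, utc_boundaries=False, rate_cents=HOURLY_RATE_CENTS):
    """Cents billed beyond (positive) or short of (negative) the nominal cycle."""
    extra_hours = metered_hours(year, month, utc_boundaries) - nominal_hours(year, month)
    return round(extra_hours * rate_cents)


if __name__ == "__main__":
    for m in (3, 10, 11):
        print(f"2016-{m:02d}: nominal {nominal_hours(2016, m):.0f} h, "
              f"metered {metered_hours(2016, m):.0f} h, "
              f"surplus {dst_surplus_cents(2016, m):+d} cents")
```

Anchoring the cycle boundaries at UTC midnight (utc_boundaries=True) makes the
meter and the calendar agree in every month, which is the usual fix for
billing systems; it does not depend on any state dropping daylight saving.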

------------------------------

Date: Wed, 9 Nov 2016 03:42:18 -0500
From: Stanley Chow <stanley.chow@pobox.com>
Subject: Re: "Your WiFi-connected thermostat can take down the whole
  Internet.  We need new regulations." (Bruce Schneier, RISKS-29.90)

It seems to me that regulating the IoT is never going to be the complete
solution. Yes, there should be regulation, but the regulations will be slow
and the compliance (if any) will be slower. This means there will be plenty
of time for flaws to be exploited.

It is better for "the network" to defend itself against the easy/common
attacks like DDoS. I refer you to US patent 7331060 (I have no relationship
except I filed a similar idea before it was published.)  It has a priority date
of Sep 10, 2001 so it should expire in 2021 - around 5 years from now. It
appears to be only patented in the US.
https://www.google.com/patents/US7331060

Stanley Chow, Formerly of Nortel, Alcatel, Bell Labs

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.91
************************