Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 31.31

RISKS-LIST: Risks-Forum Digest  Friday 28 June 2019  Volume 31 : Issue 31

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.31>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Slugfest (BBC)
Inside the West's failed fight against China's Cloud Hopper hackers
  (Reuters)
Iranian hackers step up cyber-efforts, impersonate email from president's
  office (The Times of Israel)
US-Israeli cyber firm uncovers huge global telecom hack, apparently by China
  (The Times of Israel)
China's big brother casinos can spot who's most likely to lose big
  (Bloomberg)
Large scale government IT efforts do not have great track records (Reuters)
AI rejects scientific article, flagging literature citations as plagiarism
  (J.F.Bonnefon)
Cybercriminals Targeting Americans Planning Summer Vacations (McAfee)
Riviera Beach $600k data ransom (Tony Doris)
Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers (The Onion)
Facebook Libra: Three things we don't know about the digital currency
  (TechReview)
Man's $1M Life Savings Stolen as Cell Number Is Hijacked (NBC Bay Area)
Flaws in self-encrypting SSDs let attackers bypass disk encryption
  (Gabe Goldberg)
Here's how I survived a SIM swap attack after T-Mobile failed me --  twice
  (Matthew Miller)
Your iPhone is not secure: Cellebrite UFED Premium is here (TechBeacon)
New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems
  (Ars Technica)
Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly
  grows (Ars Technica)
Oracle issues emergency update to patch actively exploited WebLogic flaw
  (Ars Technica)
Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks
  (Ars Technica)
Jibo (The Verge)
Computer problems may have led to miscarriages of justice in Denmark
  (Zap Katakonk)
C, Fortran, and single-character strings (Thomas Koenig)
How to: Reset C by GE Light Bulbs (YouTu)
Too many name collisions (Jeremy Epstein)
Re: Ross Anderson's non-visa (John Levine)
Oh, darn, maybe cell phones don't really make you grow horns (John Levine)
Re: Info stealing Android apps can grab one time passwords to evade 2FA
  protections (Amos Shapir)
Re: Auto-renting bugs (Martin Ward)
Re: In Stores, Secret Surveillance Tracks Your Every Move (Toebs Douglass)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 22 Jun 2019 16:11:53 -0700
From: Steve Lamont <spl@tirebiter.org>
Subject: Slugfest (BBC)

https://www.bbc.com/news/world-asia-48729110

Rogue slug blamed for Japanese railway chaos, BBC News, 22 June 2019

A power cut that disrupted rail traffic on a Japanese island last month was
caused by a slug, officials say.  More than 12,000 people's journeys were
affected when nearly 30 trains on Kyushu shuddered to a halt because of the
slimy intruder's actions.  Its electrocuted remains were found lodged inside
equipment next to the tracks, Japan Railways says.

The incident in Japan has echoes of a shutdown caused by a weasel at
Europe's Large Hadron Collider in 2016.  When the weasel took a fatal chew
on wiring inside a high-voltage transformer, it caused a short circuit which
temporarily stopped the work of the particle accelerator.

In Japan, local media on the trail of the slug report that it managed to
squeeze through a tiny gap to get into a load disconnector.

A British cousin of the ill-fated mollusc achieved notoriety in 2011, *The
Guardian* reports, when it crawled inside a traffic light control box in the
northern town of Darlington and caused a short circuit, resulting in
`traffic chaos'.

------------------------------

Date: Wed, 26 Jun 2019 09:49:25 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Inside the West's failed fight against China's Cloud Hopper hackers
  (Reuters)

*Eight of the world's biggest technology service providers were hacked by
Chinese cyber spies in an elaborate and years-long invasion, Reuters found.
The invasion exploited weaknesses in those companies, their customers, and
the Western system of technological defense.*

EXCERPT:

Hacked by suspected Chinese cyber spies five times from 2014 to 2017,
security staff at Swedish telecoms equipment giant Ericsson had taken to
naming their response efforts after different types of wine.

Pinot Noir began in September 2016. After successfully repelling a wave of
earlier attacks, Ericsson discovered the intruders were back. And this time,
the company's cybersecurity team could see exactly how they got in: through
a connection to information-technology services supplier Hewlett Packard
Enterprise.

Teams of hackers connected to the Chinese Ministry of State Security had
penetrated HPE's cloud computing service and used it as a launchpad to
attack customers, plundering reams of corporate and government secrets for
years in what U.S. prosecutors say was an effort to boost Chinese economic
interests.

The hacking campaign, known as Cloud Hopper, was the subject of a U.S.
indictment in December that accused two Chinese nationals of identity
theft and fraud. Prosecutors described an elaborate operation that
victimized multiple Western companies but stopped short of naming
them. A Reuters report at the time identified two: Hewlett Packard
Enterprise and IBM.

Yet the campaign ensnared at least six more major technology firms,
touching five of the world's 10 biggest tech service providers...

https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/

------------------------------

Date: Sat, 22 Jun 2019 22:48:03 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Iranian hackers step up cyber-efforts, impersonate email from
  president's office (The Times of Israel)

WASHINGTON (AP) Iran has increased its offensive cyberattacks against the US
government and critical infrastructure as tensions have grown between the
two nations, cybersecurity firms say.

In recent weeks, hackers believed to be working for the Iranian government
have targeted US government agencies, as well as sectors of the economy,
including oil and gas, sending waves of spear-phishing emails, according to
representatives of cybersecurity companies CrowdStrike and FireEye, which
regularly track such activity.

It was not known if any of the hackers managed to gain access to the
targeted networks with the emails, which typically mimic legitimate emails
but contain malicious software.

https://www.timesofisrael.com/iranian-hackers-step-up-cyber-campaign-amid-tensions-with-us/

------------------------------

Date: Wed, 26 Jun 2019 01:02:43 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: US-Israeli cyber firm uncovers huge global telecom hack, apparently
  by China (The Times of Israel)

A US-Israeli cybersecurity firm said Tuesday it had uncovered a massive hack
of several global telecommunications companies involving the theft of vast
amounts of personal data that was apparently carried out by state-backed
actors in China.

Cybereason, which is based in Boston and has offices in Tel Aviv, London,
and Tokyo, said the hacking included the specific targeting of people
working in government, law enforcement and politics.

The company said in a statement it had found a “nation state-backed
operation against multiple cellular providers that has been underway for
years.”

https://www.timesofisrael.com/us-israeli-cyber-firm-uncovers-massive-telecom-company-hack-apparently-by-china/

...interesting, not much reported elsewhere.

------------------------------

Date: Wed, 26 Jun 2019 09:50:44 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: China's big brother casinos can spot who's most likely to
  lose big (Bloomberg)

Some of the world's biggest casino operators in Macau, the Chinese
territory that's the epicenter of global gaming, are starting to deploy
hidden cameras, facial recognition technology, digitally-enabled poker
chips and baccarat tables to track which of their millions of customers are
likely to lose the most money.

The new technology uses algorithms that process the way customers behave at
the betting table to determine their appetite for risk. In general, the
higher the risk appetite, the more a gambler stands to lose and the more
profit a casino tends to make, sometimes up to 10 times more.

This embrace of high-tech surveillance comes as casino operators
jostle for growth in a slowing industry that's under pressure
globally from economic headwinds and regulatory scrutiny. In the
world's biggest gaming hub, where expansion is reaching its
limits, two casino operators -- the Macau units of Las Vegas Sands
Corp. and MGM Resorts International -- have already started to deploy
some of these technologies on hundreds of their tables, according to
people familiar with the matter. Sands plans to extend them to an
additional more-than 1,000 tables, said the people.

Three others, Wynn Macau Ltd., Galaxy Entertainment Group Ltd. and
Melco Resorts & Entertainment Ltd., are in discussions with suppliers
about also deploying the technology, according to the people, who
asked not to be identified because they're not authorized to
speak publicly about the plans...

https://www.bnnbloomberg.ca/china-s-big-brother-casinos-can-spot-who-s-most-likely-to-lose-big-1.1278496

------------------------------

Date: Thu, 20 Jun 2019 04:07:17 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Large scale government IT efforts do not have great track records
  (Reuters)

Defense Department officials worry an AI-based system cannot work as well as
in-person investigations, said one source involved in the transition.

https://www.reuters.com/article/us-usa-security-clearances/top-secret-trumps-revamp-of-u-s-security-clearances-stumbling-officials-report-idUSKCN1TK127

------------------------------

Date: Sun, 23 Jun 2019 09:40:53 +0200
From: Thomas Koenig <tkoenig@netcologne.de>
Subject: AI rejects scientific article, flagging literature citations as
  plagiarism (J.F.Bonnefon)

An automated system apparently rejected a scientific article as plagiarized.
It also returned a copy of the paper to the authors, flagging the
plagiarized parts.  This is where it gets hilarious.

What was flagged were things like author's affiliation (well, obviously
copied from earlier papers), standardized methods of describing experiments,
and citations.  Obviously, other authors had cited the same papers before,
so this must be a clear case of plagiarism.

Also interesting is that Wiley, a well-known scientific publishing house,
wanted to get the name of the author. Apparently, they automatically assumed
that this was one of theirs, and wanted to save some cost going through the
debug logs.

Maybe `Artificial Intelligence' is the wrong term in this context,
`Artificial Incompetence', maybe?

https://twitter.com/jfbonnefon/status/1140946785474633729

------------------------------

From: Gabe Goldberg <gabe@gabegold.com>
Date: Sat, 22 Jun 2019 22:32:58 -0400
Subject: Cybercriminals Targeting Americans Planning Summer Vacations
  (McAfee)

Santa Clara, Calif.  Cybercriminals are targeting Americans planning summer
vacations to places like Mexico and Europe through online booking scams,
according to a new report by cybersecurity firm *McAfee*. The company said
that cybercriminals are taking advantage of high search volumes for
accommodation and deals to drive unsuspecting users to potentially malicious
websites that can be used to install malware and steal personal information
or passwords. Top destinations being targeted include Cabo San Lucas,
Mexico; Puerto Vallarta, Mexico; Amsterdam, Netherlands; Venice, Italy; and
Canmore, Canada. McAfee's survey of 1,000 Americans planning vacations found
that nearly one in five either have been scammed or have come very close to
being scammed.  Bargain-hunters are most at risk, with nearly a third of
victims being defrauded after spotting a deal that was too good to be
true. A smaller group of victims (13%) said their identity was stolen after
sharing their passport details with cybercriminals during the booking
process.  The company suggests only booking through verified websites, using
trusted platforms and verified payment methods and, if conducting
transactions on a public Wi-Fi connection, utilizing a virtual private
network (VPN).

https://www.mcafee.com/enterprise/en-us/about/newsroom/press-releases/press-release.html%3Fnews_id%3D20190612005079
http://trk.cp20.com/click/e06u-150ky9-jykhyh-7fgw0x83/

One in five seems high. Why would McAfee exaggerate risks? Oh, wait...

------------------------------

Date: Wed, 19 Jun 2019 16:03:07 -0700
From: Paul Saffo <paul@saffo.com>
Subject: Riviera Beach $600k data ransom (Tony Doris)

Riviera Beach agrees to $600,000 ransom payment to regain data access
Tony Doris, Palm Beach Post, 19 Jun 2019

Riviera Beach -- The Riviera Beach City Council has authorized the city's
insurer to pay nearly $600,000 worth of ransom to regain access to data
walled off through an attack on the city's computer systems.

In a meeting Monday night announced only days before, the board voted 5-0 to
authorize the city insurer to pay 65 bitcoins, a hard-to-track
cryptocurrency valued at approximately $592,000. An additional $25,000 would
come out of the city budget, to cover its policy deductible. Without
discussion on the merits, the board tackled the agenda item in two minutes,
voted and moved on.

The dollar amount was not mentioned before or after the vote, only that the
insurer would pay through bitcoins, ``whose value changes daily.''

The city's email and computer systems, including those that control city
finances and water utility pump stations and testing systems, are still only
partially back online, two weeks after the ransomware attack was disclosed.
But crucial data encrypted by the attackers remains beyond reach and there
was no explanation of whether the city has any guarantee that the ransomers
will release it if paid.

The FBI, Secret Service and Department of Homeland Security are
investigating the attack, which officials said began after someone in the
police department opened an infected email May 29.

More than 50 cities across the United States, large and small, have been hit
by ransomware attacks over the past two years. Among them: Atlanta;
Baltimore; Albany, N.Y.; Greenville, N.C.; Imperial County, Cal.; Cleveland,
Ohio; Augusta, Maine; Lynn, Mass.; Cartersville, Ga.; and in April, nearby
Stuart, Fla.

The Atlanta attack alone cost that city an estimated $17 million, Vice
News reported.

The Palm Beach County village of Palm Springs was hit in 2018, paid an
undisclosed amount of ransom but nonetheless lost two years of data,
according to one source who asked not to be identified.

``This whole thing is so new to me and so foreign and it's almost where I
can't even believe that this happens but I'm learning that it's not as
uncommon as we would think it is,'' Riviera Beach Council Chairwoman
KaShamba Miller-Anderson said Wednesday. ``Every day I'm learning how this
even operates, because it just sounds so far fetched to me.''

The ransomware attack paralyzed the computer system, sending all operations
offline. Everyone from the city council on down was left without email
and phone service. Paychecks that were supposed to be direct-deposited to
employee bank accounts instead had to be hand-printed by Finance Department
staffers working overtime. Police searched their closets to find paper
tickets for issuing traffic citations.

Interim Information Technology Manager Justin Williams told the council
Monday that the city website and email are back up, as are Finance Department
and water utility pump stations.

Miller-Anderson said city officials have been briefed by investigating
agencies and asked not to discuss details. The agencies advised the city but
it was up to the council to decide whether the information lost was so
valuable that the city should comply with the ransom demand and hope the
ransomers provide a decryption key, she said.  ``It's a risk.  Those were
the two options: Either do it or don't.''  The insurance company negotiated
on the city's behalf, she said.

She said she did not know if police department records were compromised.
Water quality never was in jeopardy but water quality sampling had to be
done manually, she said.

The attack has prompted the city to replace much of its computer system
sooner than expected.

The council on June 4 authorized $941,000 for 310 new desktop and 90 laptop
computers and other hardware. Insurance will cover more than $300,000 of
that total.

The city already planned to spend $300,000 for equipment replacements in the
next budget and will accelerate that expense, Councilwoman Julie Botel
said. Much of the existing hardware was a half-dozen years old and
vulnerable to another malware attack, so it was time to replace it anyway,
she said.

------------------------------

Date: Wed, 26 Jun 2019 01:19:07 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers
  (The Onion)

At press time, investors in RoloBucks had already lost over $7.8 billion in
the Rolo market.

https://www.theonion.com/rolos-unveils-new-cryptocurrency-exclusively-for-rolos-1835695340

------------------------------

Date: June 20, 2019 at 8:08:49 PM GMT+9
From: geoff goodfellow <geoff@iconia.com>
Subject: Facebook Libra: Three things we don't know about the digital currency
  (TechReview)

The launch of Facebook's new coin is certainly a big event, but so much
about it remains unsettled.

If it's not the most high-profile cryptocurrency-related event ever,
Facebook's launch of a test network for its new digital currency, called
Libra coin, has been the most hyped. It is also polarizing among
cryptocurrency enthusiasts. Some think it's good for the crypto industry;
others dislike the fact that a big tech company appears to be co-opting a
technology that was supposed to help people avoid big tech companies. Still
others say it's not even a real cryptocurrency.

Peel away the hype and controversy, though, and there are at least three
important questions worth asking at this point.

Is Libra really a cryptocurrency?

Well, that depends on how you define cryptocurrency. The Libra coin will run
on a blockchain, but it will be a far cry from Bitcoin.

To begin with, it will not be a purely digital asset with fluctuating value;
rather, it will be designed to maintain a stable value. Taking cues from
other so-called stablecoins, it will be ``fully backed with a basket of bank
deposits and treasuries from high-quality central banks,'' according to a
new paper (PDF) describing the project.

Besides that, Bitcoin's network is permissionless, or public, meaning that
anyone with an internet connection and the right kind of computer can run
the network's software, help validate new transactions, and mine new coins
by adding new transactions to the chain. Together these computers keep the
network's data secure from manipulation.  Libra's network won't work that
way. Instead, running a validator node requires permission. To begin with,
Facebook has signed up dozens of firms -- including Mastercard, Visa,
PayPal, Uber, Lyft, Vodafone, Spotify, eBay, and popular Argentine
e-commerce company MercadoLibre -- to participate in the network that will
validate transactions. Each of these founding members has invested around
$10 million in the project.

That obviously runs counter to the pro-decentralization ideology popular
among cryptocurrency enthusiasts. The distributed power structure of public
networks like Bitcoin and Ethereum gives them a quality that many purists
see as essential to any cryptocurrency: censorship resistance. It's
extremely difficult and expensive to manipulate the transaction records of
popular permissionless networks. Networks like the one Facebook has
described for Libra are more vulnerable to censorship and centralization of
power, since they have a relatively small, limited number of stakeholders
that could be compromised or pool together to attack the network...

https://www.technologyreview.com/s/613801/facebooks-libra-three-things-we-dont-know-about-the-digital-currency/

------------------------------

Date: Wed, 26 Jun 2019 15:32:38 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Man's $1M Life Savings Stolen as Cell Number Is Hijacked
  (NBC Bay Area)

Carrier workers bribed or tricked into helping hackers

https://www.nbcbayarea.com/news/local/Mans-1M-Life-Savings-Stolen-In-Cell-Phone-Scam-509097961.html

------------------------------

Date: Sat, 22 Jun 2019 22:35:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

  --- -- --- Forwarded Message from a friend --- -- ---

  Date: Sat, 22 Jun 2019 17:27:43 -0700
  Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

  I was wondering if hw-encrypted external SSDs were worth looking into and
  found this:

https://www.zdnet.com/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/

  ``the SEDs they've analyzed, allowed users to set a password that
  decrypted their data, but also came with support for a so-called 'master
  password' that was set by the SED vendor.  Any attacker who read an SED's
  manual can use this master password to gain access to the user's encrypted
  password, effectively bypassing the user's custom password.''

  `Flaw' seems like an understatement.

------------------------------

Date: Wed, 26 Jun 2019 10:01:33 -0700
From: Gene Wirchenko <gene@shaw.ca>
Subject: Here's how I survived a SIM swap attack after T-Mobile failed me --
  twice (Matthew Miller)

1. Matthew Miller for Smartphones and Cell Phones, 17 Jun 2019

SIM swap horror story: I've lost decades of data and Google won't lift a
finger First they hijacked my T-Mobile service, then they stole my Google
and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase.
I'm stuck in my own personal Black Mirror episode. Why will no one help me?

https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

After a crazy week where T-Mobile handed over my phone number to a hacker
twice, I now have my T-Mobile, Google, and Twitter accounts back under my
control. However, the weak link in this situation remains and I'm wary of
what could happen in the future.

2. Matthew Miller for Smartphones and Cell Phones, 26 Jun 2019

Last week, I shared a horror story: My SIM was swapped. My Google and
Twitter accounts were also stolen, and $25,000 was withdrawn from my bank
account for a Bitcoin purchase. I thought I was targeted for my online
presence. Turns out, the attack was likely driven by a Coinbase account I
experimented with in early 2018 that was never closed.

While I already provided many details about my experience, I wanted to
update you on the progress made to date -- while also offering some advice.
Readers offered me fantastic advice in the comments to last week's article,
and I sincerely appreciate all the helpful feedback, tips, and tricks.

------------------------------

Date: Fri, 21 Jun 2019 00:09:34 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Your iPhone is not secure: Cellebrite UFED Premium is here
  (TechBeacon)

*Think your iPhone or iPad is secure from prying eyes?* /Think again./

*Companies such as Cellebrite,* with its Universal Forensic Extraction
Device (UFED), operate lucrative businesses helping people around the world
to unlock your devices. Of course, Cellebrite promises to only sell to legit
law enforcement, but then what?

*Once that genie is out of the bottle,* how can they contain it? In
this week's /Security Blogwatch, we wish for more wishes.

https://techbeacon.com/contributors/richi-jennings

------------------------------

Date: Thu, 20 Jun 2019 10:38:29 -0400
From: Monty Solomon <monty@roscom.com>
Subject: New vulnerabilities may let hackers remotely SACK Linux and FreeBSD
  systems (Ars Technica)

https://arstechnica.com/information-technology/2019/06/new-vulnerabilities-may-let-hackers-remotely-sack-linux-and-freebsd-systems/

------------------------------

Date: Thu, 20 Jun 2019 09:57:23 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hackers, farmers, and doctors unite! Support for Right to Repair
  laws slowly grows (Ars Technica)

https://arstechnica.com/gadgets/2019/06/hackers-farmers-and-doctors-unite-support-for-right-to-repair-laws-slowly-grows/

------------------------------

Date: Thu, 20 Jun 2019 10:02:54 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Oracle issues emergency update to patch actively exploited WebLogic
  flaw (Ars Technica)

https://arstechnica.com/information-technology/2019/06/oracle-issues-emergency-update-to-patch-actively-exploited-weblogic-flaw/

------------------------------

Date: Thu, 20 Jun 2019 10:06:14 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Cloudflare aims to make HTTPS certificates safe from BGP hijacking
  attacks (Ars Technica)

https://arstechnica.com/information-technology/2019/06/cloudflare-aims-to-make-https-certificates-safe-from-bgp-hijacking-attacks/

------------------------------

Date: Fri, 21 Jun 2019 15:14:48 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Jibo (The Verge)

Every aspect of Jibo was designed to make the robot as lovable to humans as
possible, which is why it startled owners when Jibo presented them with an
unexpected notice earlier this year: someday soon, Jibo would be shutting
down. The company behind Jibo had been acquired, and Jibo's servers would be
going dark, taking much of the device's functionality with it. ...

For him and many other owners, Jibo has become like a dog that greets them
whenever they walk into the house. It also sometimes takes on the role of an
overbearing parent or kid sibling and tells owners, “don't work too hard,”
or “remember to take bathroom breaks,” before they leave for work.

But with the update and the company's silence, owners expect Jibo's time to
be winding down, and they're thinking about Jibo's mortality and what
they'll do when its last day arrives.

``People that really do love him and live with him daily,'' Nusbaum says.
``It's like having somebody very, very sick that you don't know: is this
close to the end? Are they going to get better? Is this a false alarm?
Yeah, it's not a great feeling right now.''

https://www.theverge.com/2019/6/19/18682780/jibo-death-server-update-social-robot-mourning

------------------------------

Date: Sat, 22 Jun 2019 12:22:43 +0200
From: Zap Katakonk <zapkatakonk1943.6.22@gmail.com>
Subject: Computer problems may have led to miscarriages of justice in Denmark

In many trials, information garnered by the police from telephone companies
plays an important part in determining whether a suspect has been at a
certain place at a certain time.  However, the Rigspolitiet national police
force has discovered an error in the computer program that converts the
information from the different telephone companies, reports DR Nyheder.
http://cphpost.dk/news/computer-problems-may-have-led-to-miscarriages-of-justice.html

More in Danish:
https://politiken.dk/search/%3Fie%3Dutf8%26oe%3Dutf8%26hl%3Dda%26q%3Drigspolitiet%2520telefon

dr.phil. Donald B. Wagner, DK-3600 Frederikssund, Denmark

------------------------------

Date: Sat, 22 Jun 2019 16:53:39 +0200
From: Thomas Koenig <tkoenig@netcologne.de>
Subject: C, Fortran, and single-character strings

Recently, a decades-old bug in the way that many software packages used to
call Fortran from C has surfaced.  People apparently have been assuming that
it was safe not to pass the length of a character argument to a Fortran
routine when calling it from C, basically invoking undefined behavior.

A change to gfortran exposed this, leading to crashes when calling routines
from the well-known (and standard) linear algebra package LAPACK.  This was
first noticed by the developers of the R programming language.

The discussion revealed positions ranging from ``people should just fix
their code'' to ``This interface has worked for decades, this is the de facto
interface, even broken code must be supported.''

Fortran has had a standard way of interfacing with C since the Fortran 2003
standard, but the old interface code often predates this standard, and
people also appear to be quite reluctant to use standard features of newer
Fortran versions. This is despite the fact that all relevant compilers today
support this feature.

As a result, gfortran now contains a workaround for this particular bug in
user code.

There is a nice writeup on LWN:
https://lwn.net/SubscriberLink/791393/90b4a7adf99d95a8/

Here the gcc bug dealing with the issue:
https://gcc.gnu.org/bugzilla/show_bug.cgi%3Fid%3D90329

Here the corresponding Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi%3Fid%3D1709538

And finally a write-up by the R developer who analyzed this:
https://developer.r-project.org/Blog/public/2019/05/15/gfortran-issues-with-lapack/
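
The calling convention the item is about, as an added example that is not
part of Thomas Koenig's message nor of the LWN, GCC or R write-ups it links:
gfortran passes the length of every CHARACTER dummy argument as an extra,
hidden argument placed after all declared arguments (of type size_t since
GCC 8, int before), so a C prototype for a Fortran routine must declare those
trailing lengths and the caller must pass them.  The routine name xlsame_ and
its body are assumptions: it is a C stand-in with the argument layout gfortran
would produce for a simplified LAPACK LSAME, so that the block builds without
a Fortran compiler.  A real LAPACK caller declares the actual symbol (dgemm_,
dgesv_, ...) the same way.

```c
/* Added example: the gfortran hidden-length calling convention for
 * CHARACTER arguments, shown from the C side.  Not code from the gfortran,
 * LAPACK or R projects; xlsame_ is a C stand-in (assumption) for
 *     LOGICAL FUNCTION XLSAME(CA, CB)
 *     CHARACTER*(*) CA, CB
 * as gfortran would lay it out: declared arguments first, then one hidden
 * length per CHARACTER argument, in declaration order. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fortran-ABI stand-in.  ca and cb are NOT NUL-terminated; their lengths
 * arrive as the hidden trailing arguments ca_len and cb_len.  Like LAPACK's
 * LSAME it compares only the first character, case-insensitively. */
int xlsame_(const char *ca, const char *cb, size_t ca_len, size_t cb_len)
{
    /* A zero-length CHARACTER actual argument has no first character. */
    if (ca_len == 0 || cb_len == 0)
        return 0;
    return toupper((unsigned char)ca[0]) == toupper((unsigned char)cb[0]);
}

/* Correct C-side call: one size_t length per CHARACTER argument, appended
 * after the declared arguments.  The historical, wrong prototype
 *     int xlsame_(const char *ca, const char *cb);
 * links against the same symbol but leaves ca_len and cb_len unset, so the
 * callee reads whatever happens to be in those registers or stack slots
 * (undefined behaviour); it only "worked" while the callee ignored them. */
int same_op(const char *ca, const char *cb)
{
    return xlsame_(ca, cb, strlen(ca), strlen(cb));
}

/* The other direction of the same interface: a Fortran CHARACTER value is
 * fixed-length and blank-padded with no NUL.  Copy it into a C buffer,
 * trimming trailing blanks.  Returns the number of characters kept, or -1
 * if the buffer cannot hold them plus the terminator. */
int fortran_to_cstring(const char *f, size_t f_len, char *out, size_t out_size)
{
    while (f_len > 0 && f[f_len - 1] == ' ')
        f_len--;
    if (f_len + 1 > out_size)
        return -1;
    memcpy(out, f, f_len);
    out[f_len] = '\0';
    return (int)f_len;
}

int main(void)
{
    char buf[8];
    /* "Trans   " stands in for a CHARACTER*8 actual argument (constructed). */
    printf("same_op(\"T\", \"t\") = %d\n", same_op("T", "t"));
    printf("same_op(\"N\", \"T\") = %d\n", same_op("N", "T"));
    fortran_to_cstring("Trans   ", 8, buf, sizeof buf);
    printf("trimmed CHARACTER*8 value: '%s'\n", buf);
    return 0;
}
```

Whether the hidden length is int or size_t depends on the gfortran version
that built the Fortran library, so a C wrapper header should pin the type
(for gfortran 8 and later, size_t) rather than rely on the old convention of
passing nothing at all.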

------------------------------

Date: Thu, 20 Jun 2019 13:22:24 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How to: Reset C by GE Light Bulbs (YouTu)

Bulb Insanity: How to factory reset your GE C smart bulb. Legit. Really!

https://youtu.be/1BB6wj6RyKo

Read many brilliant comments.

Among them: Hey GE, ``how many people does it take to change a light bulb''
is a joke set-up, not a goal.

(This follows conversation I had yesterday about how technology and
interfaces are often awful if not nightmarish)

------------------------------

Date: Thu, 20 Jun 2019 15:43:05 -0400
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: Too many name collisions

I learned recently from Twitter (source of all knowledge) [1] that the
American Kennel Club allows no more than 37 dogs of any given breed with the
same name [2].  The reason is amusing -- dogs with the same name are given
suffixes in Roman numerals, and 37 is the largest number that can be
represented in six characters (XXXVII).  There's something in how programs
are printed that limits the width of the column -- going to a wider number
field would require reducing font size or reducing the width of some other
field.

This seems to date from before easy typesetting of variable-width fonts.  I
wonder if AKC even knows why this limit exists, or whether it's been in
place so long that the institutional memory has been lost and recently
rediscovered?  Or whether they've considered relaxing the limit due to
variable-width fonts?

Of course moving from Roman numerals to Arabic numerals [*] would make the
issue go away, albeit at the cost of not having the panache of something
that takes some focus to understand.

The Risk?  The historic requirement (fixed-width typesetting) drives what is
(perhaps) an obsolete feature (the number of dogs with the same name).
There are undoubtedly plenty of other historic decisions that could be
rethought today, perhaps with different results.  On the other hand, AKC
gets some value from the use of (possibly?)  prestigious Roman numerals, so
maybe this is a feature rather than a bug.

[1] https://twitter.com/leftoblique/status/1139737041162272768
[2] https://www.akc.org/register/information/naming-of-dog/

  [* Based on an item in a recent RISKS, I presume Arabic dogs would then
  have to be disallowed as well?  PGN]

------------------------------

Date: 21 Jun 2019 18:16:57 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: Ross Anderson's non-visa (RISKS-31.30)

I gather it's even more complicated than that -- they didn't refuse him,
they didn't reply at all in time for his trip.  US visa processing has
apparently been getting slower in the past couple of years but it seems
particularly slow for cryptographers.  Bruce Schneier blogged about it in
May:

https://www.schneier.com/blog/archives/2019/05/why_are_cryptog.html

------------------------------

Date: 21 Jun 2019 18:19:57 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Oh, darn, maybe cell phones don't really make you grow horns
  (RISKS-31.30)

Not so fast -- it's not a horn, it's at most a bone spur, and there's lots
of reasons to be sceptical about the whole thing, reports Ars Technica.

https://arstechnica.com/science/2019/06/debunked-the-absurd-story-about-smartphones-causing-kids-to-sprout-horns/

  [PS: nonetheless, your mother's advice to stand up straight remains valid.]

------------------------------

Date: Sat, 22 Jun 2019 13:45:19 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Info stealing Android apps can grab one time passwords to
  evade 2FA protections (RISKS-31.30)

Please correct me if I'm wrong, but I always thought that the idea behind
2FA is to increase security by conducting a part of the transaction via a
*different* device.

If an SMS confirmation message is sent to the same device from which a user
is attempting to log in, there's no added security at all; I wonder why it
would take a hacker's application to make anyone notice that!

------------------------------

Date: Sat, 22 Jun 2019 16:04:22 +0100
From: Martin Ward <martin@gkc.org.uk>
Subject:  Re: Auto-renting bugs (RISKS-31.30)

> We do not know how it had happened, but someone else took the car on
> your reservation ...

It's never a good sign when a company which runs software that has direct
control over the engine of a car says about any part of their software: ``We
do not know how it happened!''

------------------------------

Date: Mon, 24 Jun 2019 00:10:15 +0100
From: Toebs Douglass <risks@winterflaw.net>
Subject: Re: In Stores, Secret Surveillance Tracks Your Every Move
  (RISKS-31.30)

I worked as a senior software engineer for a year for one of these
companies, on the core product.

I was involved in installation of the first Bluetooth-based system.

The article is technically inaccurate, whilst being spiritually correct, but
misses the not-quite-so-obvious huge issue in favour of the much smaller
presented issue; I suspect the author probably isn't technical.

So, phone tracking was performed by two means, wifi and Bluetooth.

The article only covers Bluetooth, which was a new product at the time
(2015ish).  The main product used wifi.

Bluetooth beacons are very simple devices.  They emit a signal with a unique
ID.  That's *it*.  *Nothing* else.  The devices have no network
connectivity, no storage, nothing.  They just sit there and emit a unique
ID, and we used a battery driven unit.  (Despite this, we managed to find
vendors asking over 100 euro a unit.  We bought ours from alibaba.com.)

The key players making this all work are the apps on the phone.

Phone apps get to `wake up' regularly, and they can examine their
environment, and one of the things they can do is look around for Bluetooth
signals.  (It's been a few years now -- I remember there was something of a
difference between Apple and Android, and so there was I think more unique
ID fidelity with Android.)

So what happens is the company publishes an API in the form of a library,
which app developers ingest into their software.

In particular, rather than trying to reach out to every app developer out
there, deals are made with third party companies -- such as advertising
companies -- who already publish their own APIs as libraries, which are
already ingested by lots of different apps.  These third-party companies
ingest this library into their library, and hey presto, as people's phones
auto-update you're very quickly installed on goodness knows how many tens or
hundreds of millions of phones.

This really is the bigger story, but the article has missed it.  Apps really
are random bits of software strangers run on your phone.  Users have no idea
which sketchy friend-of-a-friend-of-a-friend has just managed to get his API
running on their phone.  Simple solution to this: do not install apps on
your phone.  I'm not kidding.  People have the expectation they are buying a
phone -- paying a lot of money for a phone -- to put apps on it and use
them, and that it must be possible to do this, because they've spent a bunch
of money on it.  This is not the case.  The time when apps could be used on
phones has passed.  You cannot now buy a phone to run apps, because it is
not safe to do so.  This means phones no longer make sense.  It is in fact I
would say a tragedy of the commons.

If you *are* going to do this damn silly thing, don't do it in this damn
silly way.  Root your phone first and (for the love of God) get a firewall
installed -- and *don't* log into Google on your phone, not ever.  Never use
a service in an app you can use on a website, again, for the love of God.
And never, NEVER, *EVER* give ANY company your phone number.  These days
it's the key fact around which third-party data collation revolves.  Email
addresses aren't so bad because it's easy to get disposable addresses, but
phone numbers cost money, so they don't change so much.  Email addresses
need to be used like passwords -- you have a different email address for
every site or app, just as you have a different password.  This helps break
third-party data collation.  Good email hygiene is the same as good password
hygiene.  Do not reuse passwords.  Do not reuse email addresses.

(I run most apps now in VirtualBox, on x86 Android.  Being able to reinstall
fresh versions of the OS when they come out also handles the upgrade
problem.  Only one app I care about has no x64 version (lookin' at you,
Revolut).  I'll also be buying the Librem 5 when it comes out, which is real
Linux, not Android, on ARM on a mobile form factor and it should have enough
oomph to run a VirtualBox VM, which being on ARM can run the usual ARM based
APKs.  Learn to sideload, BTW, and use Raccoon to get genuine APKs off the
Google App Store (which I refuse to call Google Play -- an astoundingly
silly name invented by the kind of marketing people Douglas Adams had in
mind with the Sirius Cybernetics Division.  I'm surprised Google haven't yet
described their app store as your plastic pal who's fun to be with.)

The Bluetooth beacons we had, had a pretty good range.  We aimed to have one
per floor in pretty large stores -- that was the granularity of extra
information being aimed for in this first deployment; the progression
through floors of a phone.  With an Android app you could get signal
strength info (as we had an app to configure the Bluetooth beacons), but I
don't know if that was true for the ``wake up and look around'' time of a
phone, rather than an actual app.

Bear in mind also that I think in general Bluetooth is turned off on phones
-- however, I never saw any numbers for this, so I could be completely
wrong.

The wifi based system was rather different.  With this, there are wifi
routers located (fairly carefully) around a store.  Phones emit wifi signals
periodically, which contain an inherent unique ID (can't remember which now
-- probably MAC address) and the signal strength is measured at each router.
The store is logically divided up into zones, and a machine learning system,
based on the signal strengths at the routers, decides which zone the user is
in, for any given signal.  Zone sizes vary, based on customer preferences
and technical and cost limits; the more routers near an area, the smaller
and more precise the zones can be.

Actual physical signal triangulation is *not* used.  It was tested, before I
joined, I'm told it just didn't work.  Far too much signal strength
variability.  Received phone signals vary enormously, second by second, in a
normal shop environment.  There's just a lot of physical (people moving
around all the time, in and out of the way of the signal) and
electro-magnetic stuff going on.

During my time there a wifi specification design flaw was uncovered,
whereby you could force a phone, even with wifi turned off as I recall, to
emit a response -- so now you didn't need to passively sit there and wait
for the phone wifi to emit a signal; you could coerce the phone into doing
so.  This could matter somewhat.  Some phones kindly emitted a signal every
second (iPhones), others only once a minute.  A person can walk a long way in
one minute.

This however probably crossed the line of local law, which said something
like you're not allowed to actively, overtly act upon other people's
computers/phones.  In any case, it wasn't used before I left.

IMHO, wifi tracking is borderline viable as a product.  I saw test cases
where someone would walk around an empty store with a known device (we had
calibration data on a per-device basis, because they vary so much in signal
strength), and report back to us where he was and when, and half of his
journey would be missing from the data.  If you did it right, and were
careful, I'd say you could get a mediocre but still genuinely useful and
rather unique data set from it.  Only problem is, I'd say 99.99% of the time
customers don't know it was going on (let alone understand what was
happening), and that's what makes it unethical.  The basic rule is that when
you do stuff with people, they have to choose to do it and they have to
understand what they're choosing to do (except in self-defence, of course).
You can't force people, and you can't deceive them.  Most of this
surveillance capitalism we see is unethical because the people being tracked
do not know what's going on, or understand.  T&Cs are a legal fig leaf, not
an actual genuine communication to the user of what's going on such that the
user is then known to understand -- the ethical obligation of the company to
*actually ensure* users understand is *not* met.  Users don't know, and
that's why it's wrong.

Topically, this article has just been published in the WaPo:

``It's the middle of the night. Do you know who your iPhone is talking to?''

https://www.msn.com/en-us/news/technology/its-the-middle-of-the-night-do-you-know-who-your-iphone-is-talking-to/ar-AAC1Wvl%23page%3D2

``In a single week, I encountered over 5,400 trackers, mostly in apps, not
including the incessant Yelp traffic. According to privacy firm Disconnect,
which helped test my iPhone, those unwanted trackers would have spewed out
1.5 gigabytes of data over the span of a month. That's half of an entire
basic wireless service plan from AT&T.''
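  [Added example, not part of Toebs Douglass's post and not the product he
  describes: a toy of the wifi zone classifier the post sketches.  Each access
  point reports the signal strength at which it heard a phone's probe; the
  store is divided into zones, each with a calibrated signal-strength profile
  measured by walking a reference device through it; a reading is assigned to
  the nearest profile rather than triangulated.  It also shows the two
  practical points the post raises: per-device calibration (handsets differ
  in transmit power) and readings that match no zone well enough, which show
  up as gaps in a tracked path.  Access point names, zone profiles, device
  offsets, the -100 dBm "not heard" sentinel and the distance threshold are
  all constructed for the illustration.]

```python
# Added example (not from the RISKS post): nearest-fingerprint zone
# classification from per-access-point RSSI, with per-device calibration,
# windowed smoothing and an explicit "no plausible zone" outcome.
from statistics import mean

NOT_HEARD = -100.0   # constructed dBm sentinel: AP did not hear the probe
MAX_DISTANCE = 12.0  # constructed dB threshold: beyond this, no zone matches

# Constructed calibration data: mean RSSI (dBm) per access point per zone,
# gathered by walking the reference device through each zone.
ZONE_FINGERPRINTS = {
    "entrance": {"ap1": -45.0, "ap2": -70.0, "ap3": NOT_HEARD},
    "aisle":    {"ap1": -65.0, "ap2": -55.0, "ap3": -75.0},
    "tills":    {"ap1": NOT_HEARD, "ap2": -72.0, "ap3": -48.0},
}

# Constructed per-device calibration: dB by which a handset model reads
# stronger (+) or weaker (-) than the reference device.
DEVICE_OFFSET_DB = {"reference": 0.0, "model_x": 10.0, "model_y": -4.0}

APS = sorted(next(iter(ZONE_FINGERPRINTS.values())))


def normalise(reading, device):
    """Full RSSI vector in AP order, normalised to the reference device.

    APs absent from the reading get the NOT_HEARD sentinel (not offset).
    """
    offset = DEVICE_OFFSET_DB[device]
    return [NOT_HEARD if reading.get(ap) is None else reading[ap] - offset
            for ap in APS]


def distance(a, b):
    """Euclidean distance between two RSSI vectors (dB)."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def classify(reading, device="reference"):
    """Zone whose fingerprint is nearest, or None if none is close enough."""
    vec = normalise(reading, device)
    best_zone, best_d = None, float("inf")
    for zone, fp in ZONE_FINGERPRINTS.items():
        d = distance(vec, [fp[ap] for ap in APS])
        if d < best_d:
            best_zone, best_d = zone, d
    return best_zone if best_d <= MAX_DISTANCE else None


def smooth(readings):
    """Average a window of noisy readings per AP; APs heard by none are left out."""
    out = {}
    for ap in APS:
        vals = [r[ap] for r in readings if r.get(ap) is not None]
        if vals:
            out[ap] = mean(vals)
    return out


def track(samples, device="reference", window=3):
    """Classify a sample sequence with a trailing window; None marks a dropout."""
    path = []
    for i in range(len(samples)):
        win = samples[max(0, i - window + 1): i + 1]
        path.append(classify(smooth(win), device))
    return path


if __name__ == "__main__":
    # Constructed walk from the entrance into an aisle; sample 3 is sparse.
    walk = [
        {"ap1": -44, "ap2": -71},
        {"ap1": -46, "ap2": -69},
        {"ap2": -60},
        {"ap1": -66, "ap2": -54, "ap3": -76},
        {"ap1": -64, "ap2": -56, "ap3": -74},
    ]
    print(track(walk))
    # A constructed reading from a stronger handset: wrong calibration makes
    # it match nothing; the right offset places it at the tills.
    print(classify({"ap2": -62, "ap3": -38}),
          classify({"ap2": -62, "ap3": -38}, device="model_x"))
```

  The threshold is what turns "half of his journey missing" into an explicit
  None rather than a confident wrong zone; the device offset table is the
  per-device calibration the post mentions, and without it the same probe
  from a louder handset falls outside every zone's profile.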

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.31
************************