RISKS-LIST: Risks-Forum Digest  Tuesday 29 November 2011  Volume 26 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.65.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Investigation into ICT enabled projects (Andrew Pam)
Cybersecurity Requires Patches, Not a Vast Bill (Susan Crawford via Lauren Weinstein)
Internet Amorality, and Cutting Thailand Off From the Internet (Lauren Weinstein)
Another mass takedown of domains by U.S. authorities + discussion (Lauren Weinstein)
Hackers target IPv6: Why you must address IPv6 security concerns now
  (Susan Perschke via Gene Wirchenko)
"Face Unlock feature in Galaxy Nexus poses security risk"
  (Matt Hamblen via Gene Wirchenko)
Google protects its current HTTPS traffic against future attacks
  (Lucian Constantin via Gene Wirchenko)
Columbia U. researchers claim widespread security problems with laser printers
  (Lauren Weinstein)
"Doomed by default passwords" (Roger A. Grimes via Gene Wirchenko)
"When mobile apps go bad" (Galen Gruman via Gene Wirchenko)
Facebook Settles With F.T.C. Over Deception Charges (Lauren Weinstein)
Re: purported water plant attack (SMiller)
Re: If You Can't Trust Caller ID ... (Paul Wallich)
Re: Missing the point of the Internet (Amos Shapir)
Complexity (Bob Frankston)
Re: LaTeX as an example of ... best practices (Bob Frankston)
Re: "Facebook bans at work linked to increased security breaches"
  (Carlos G Mendioroz)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 28 Nov 2011 18:12:52 +1100
From: Andrew Pam <andrew_at_private>
Subject: Investigation into ICT enabled projects

Very interesting report from the Victorian state government (in Australia)
about troubles with public-sector IT projects:
<http://www.ombudsman.vic.gov.au/resources/documents/Investigation_into_ICT_enabled_projects_Nov_2011.pdf>

Extracts from the Executive summary:

11. National and international research has concluded that ICT-enabled
projects are poorly managed and failures are common. Research also indicates
that the private sector and overseas institutions have their share of ICT
project disasters with reports of cost overruns of 200 per cent, schedule
overruns of 70 per cent and some 80-90 per cent failing to meet performance
objectives.

12. Despite the research and Ombudsman and Auditor-General reports, there
are few signs that any lessons have been learnt in the public sector.

------------------------------

Date: Mon, 28 Nov 2011 18:43:14 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Cybersecurity Requires Patches, Not a Vast Bill (Susan Crawford)

http://j.mp/so4rJu (Bloomberg) [from NNSquad]

"When cybersecurity problems arise, the best response is to adopt a patch as
soon as it's available. You don't want to wait for an entirely new operating
system to be created, and you really don't want to use such a system until
it has been debugged. That second approach, though, is what the Obama
administration lately has been recommending. Driven by the National Security
Agency and the Department of Homeland Security, the administration has been
pushing the Senate to ram through an enormous omnibus bill on cybersecurity
that hasn't yet won agreement from legislative working groups." ...
Luckily, the administration's approach may collapse under its own weight. In
October, a House Republican cybersecurity plan that focused on targeted
voluntary efforts -- rather than the construction of a novel superstructure
for the dictation of security standards -- grabbed the attention of
legislators. This month, Senate Majority Leader Harry Reid wrote to Senate
Minority Leader Mitch McConnell saying that the House plan was consistent
with his own cybersecurity vision, while noting that bipartisan working
groups in the Senate hadn't been able to agree on a comprehensive
legislative draft. Four Republican Senators (Kay Bailey Hutchison, Saxby
Chambliss, Charles Grassley, and Lisa Murkowski) wrote to President Barack
Obama supporting the targeted House approach.

------------------------------

Date: Sun, 27 Nov 2011 11:43:10 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Internet Amorality, and Cutting Thailand Off From the Internet

Internet Amorality, and Cutting Thailand Off From the Internet
http://j.mp/trJTJn (This message on Google+) [From NNSquad]

- - -

In a recent posting ( http://j.mp/vuU7RO [Google+] ), I chastised Thailand
for demanding the censorship/removal of 10K Facebook links deemed
"offensive" to their royal family, Thailand's decree that merely pressing
the "like" or "share" button on particular articles is being criminalized,
and I noted their new case of a 61-year-old man sentenced to 20 years in
prison for text messages deemed "insulting" to their royals. And I added:

"How about this for a way to prod these Neanderthals into the 21st century?
Cut them off the Net totally until these practices cease."

Observant readers realized that I was writing somewhat tongue-in-cheek, but
to be honest not totally so. And in fact, I've now received a couple of
notes from people horrified by my saying such a thing. How can I support
"censorship" of such regimes, no matter how backwards, repressive, and
abusive of their own populations? After all, I'm known to be an
anti-censorship advocate.

This brings up an important question. Are we, as technologists, required to
provide the fruits of our labors to the entire world equally, even when
those facilities are used for evil purposes? Is it "censorship" to draw some
lines in the sand in this regard?

The amoral view is obvious enough, both historically and contemporaneously.
IBM's support of 1930s Germany (via its subsidiary Deutsche Hollerith
Maschinen GmbH) has been long condemned. Various major U.S.-based firms
today are currently embroiled in controversies regarding their provision of
Internet and other communications technologies to countries where it has
been used to battle dissidents, and the U.S. (disingenuously to a
significant extent, given SOPA, PIPA, and other legislation here) has
condemned such suppression. Export controls have long been a tool of
national policy -- sometimes in logical manners, sometimes in utterly
ridiculous, crazy ways.

In any case, I found it disturbing that at least a couple of readers felt
comfortable with a stance (amoral at best, more reasonably termed unethical)
that no matter how oppressive a regime might be, the global Internet
community should be obligated to continue providing equal services to such
players as if freedom and slavery were simply equivalent "domestic policies"
of no concern to the outside world.

I cannot accept such an assertion. And I would add that an analysis of
these concerns should extend to repressive U.S. actions as well, of course.

These issues come into play not only when a country's demands affect the
entire world (e.g., demanding that YouTube videos be removed so nobody can
see them anywhere, due to their being deemed to be offensive to the rulers
of a single country), but also when "compartmented" domestic repression is
involved.
If we do not apply basic standards of freedom and civil rights to the
Internet and its technologies, if we treat evil as a form of normalcy not
subject to sanctions, our wonderful Net will be increasingly morphed into a
weapon aimed not only at our global neighbors, but at ourselves as well.

Lauren Weinstein (lauren@private): http://www.vortex.com/lauren
Network Neutrality Squad: http://www.nnsquad.org
People For Internet Responsibility: http://www.pfir.org
PRIVACY Forum: http://www.vortex.com
+1 (818) 225-2800 / Skype: vortex.com

------------------------------

Date: Sat, 26 Nov 2011 11:48:51 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Another mass takedown of domains by U.S. authorities + discussion

Another mass takedown of domains by U.S. authorities + discussion
http://j.mp/tE2Xtu (TorrentFreak) [from NNSquad]

"TorrentFreak has identified more than 130 domains taken over by the
government during the last 24 hours, which makes this the largest seizure
round to date. The authorities have yet to comment via official channels,
but we assume that they will use the same justification for the domain
seizures as they did last year."

- - -

The authors of the above referenced article ask why there's the big push
for SOPA/PIPA when authorities seem able to seize domains on demand even
today. I would assert a key factor is wanting to censor sites that provide
information that could circumvent those seizures, and that's not limited to
search engines like Google. Historical IP address data for the seized sites
is widely available, meaning that with a bit of effort, virtually anyone can
still connect to those sites (either manually or through automated means).
So clearly, the focus of U.S. SOPA/PIPA efforts is an attempt to censor any
and all sites that can provide that historical data or other workarounds,
which is an ever expanding circle of sites that carry all manner of search
results and Internet retrospective data.

This has very much an Orwellian feel to it, as the U.S. government wants to
delete all references to these sites regardless, it seems, of likely
collateral damage. And this is why SOPA and PIPA will not be effective at
cutting off access to sites around the world targeted by U.S. authorities,
but do carry the potential of creating a vast censorship regime and
accompanying "Darknet" workarounds, pushing more and more legitimate
Internet activity protectively underground.

------------------------------

Date: Mon, 28 Nov 2011 11:34:49 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Hackers target IPv6: Why you must address IPv6 security concerns
  now (Susan Perschke)

[Source: Susan Perschke, *IT Business*, 28 Nov 2011,
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=65117]

selected text:

The biggest looming security threat lies in the fact that enterprise
networks already have tons of IPv6 enabled devices, including every device
running Windows Vista or Windows 7, Mac OS/X, all Linux devices and BSD.

Vyncke says the threat is real. "We have observed worldwide that bots are
increasing their use of IPv6 as a covert channel to communicate with their
botmaster." Among its many disguises, IPv6-enabled malware can take the form
of a malicious payload encapsulated in one or more IPv4 messages. Without
IPv6-specific security measures such as deep packet inspection, this type of
payload may pass through the IPv4 perimeter and DMZ defenses undetected.

Security threats aside, there is a growing business case for IPv6 that is
getting harder to sweep under the rug. Banks and online brokerages already
face the challenge of losing communication with international customers
whose networks no longer support IPv4.
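  [Added example for the item above, not code from the article, from
  Vyncke, or from RISKS: the "IPv6 payload encapsulated in IPv4 messages"
  pattern is what an IPv4-only perimeter fails to notice. The two usual
  carriers are IP protocol 41 (6in4 and ISATAP tunnels) and Teredo (IPv6
  inside UDP on port 3544). The classifier below flags both on raw IPv4
  packets; the packets it scans are constructed inline for the demo, and
  the helper that builds them is an assumption of this example, not an
  API of any monitoring product. PGN]

```python
"""Flag IPv4 packets that carry tunnelled IPv6 traffic.

Added example; not code from the cited article or from RISKS. Classifies
raw IPv4 packets by the two common ways IPv6 rides inside IPv4: protocol 41
(6in4 / ISATAP) and Teredo (IPv6 in UDP, port 3544). The sample packets at
the bottom are constructed for this demonstration.
"""
import socket
import struct

PROTO_IPV6_ENCAP = 41   # IANA protocol number: IPv6 encapsulated in IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544


def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 packet (20-byte header, checksum left zero).
    Used only to create the constructed sample packets below (assumption)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def classify(packet):
    """Return a label for the tunnelling method found, or None for plain IPv4.

    Malformed or truncated packets also yield None instead of raising, so a
    monitoring loop is not stalled by one bad frame."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    payload = packet[ihl:]

    if proto == PROTO_IPV6_ENCAP:
        # Protocol 41: the payload should itself begin with an IPv6 header.
        if payload and payload[0] >> 4 == 6:
            return "6in4/ISATAP (protocol 41)"
        return "protocol 41 with non-IPv6 payload"

    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        udp_data = payload[8:]
        # Teredo: UDP/3544 carrying an IPv6 header. The plain case is
        # checked here; Teredo's optional origin/auth indicators are not.
        if TEREDO_PORT in (sport, dport) and udp_data and udp_data[0] >> 4 == 6:
            return "Teredo (UDP/3544)"
    return None


def scan(packets):
    """Run classify() over a capture; return (index, label) for each hit."""
    return [(i, lab) for i, lab in enumerate(map(classify, packets)) if lab]


# Constructed sample "capture": one plain TCP packet, one 6in4, one Teredo.
IPV6_HDR = bytes([0x60]) + bytes(39)            # version 6, remainder zeroed
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.1", 6, b"\x00" * 20),          # plain TCP
    build_ipv4("10.0.0.5", "192.0.2.1", PROTO_IPV6_ENCAP, IPV6_HDR),
    build_ipv4("10.0.0.7", "192.0.2.2", PROTO_UDP,
               struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + 40, 0) + IPV6_HDR),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {label}")
```

  The useful operational point is the second branch: a filter that only
  looks at the outer IPv4 protocol field sees "UDP" for Teredo, so the
  inner IPv6 version nibble has to be inspected as well, which is the deep
  packet inspection the article calls for.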
------------------------------

Date: Tue, 29 Nov 2011 12:05:31 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Face Unlock feature in Galaxy Nexus poses security risk" (Matt Hamblen)

Matt Hamblen, *Computerworld*, 22 Nov 2011
Analysts suggest a PIN or password is a more secure alternative than
Google's facial recognition software for unlocking smartphones
http://www.infoworld.com/d/security/face-unlock-feature-in-galaxy-nexus-poses-security-risk-179813

opening text:

Face Unlock, the facial recognition software offered in Android 4.0 on the
Galaxy Nexus, is being promoted by Google as an alternative to using a PIN
to unlock a phone. But early reviewers have noticed that Face Unlock
sometimes can be spoofed by a photograph of the owner of the phone, posing a
security risk.

------------------------------

Date: Tue, 29 Nov 2011 11:55:06 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Google protects its current HTTPS traffic against future attacks
  (Lucian Constantin)

Lucian Constantin, *InfoWorld*, 23 Nov 2011
HTTPS-enabled Google services now implement a special encryption technique
to mitigate future key recovery attacks
https://www.infoworld.com/d/security/google-protects-its-current-https-traffic-against-future-attacks-179934

selected text:

Google has modified the encryption method used by its HTTPS-enabled services
including Gmail, Docs, and Google+, in order to prevent current traffic from
being decrypted in the future when technological advances make this
possible.

This approach exposes the connections to so-called retrospective decryption
attacks. "In 10 years time, when computers are much faster, an adversary
could break the server private key and retrospectively decrypt today's
email traffic," explained Adam Langley, a member of Google's security team,
in a blog post.

------------------------------

Date: Tue, 29 Nov 2011 09:27:46 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Columbia U. researchers claim widespread security problems with
  laser printers

http://j.mp/vYfGoJ (MSNBC) [From NNSquad]

"Could a hacker from half-way around the planet control your printer and
give it instructions so frantic that it could eventually catch fire? Or use
a hijacked printer as a copy machine for criminals, making it easy to commit
identity theft or even take control of entire networks that would otherwise
be secure?"

I sense that there may be a bit of grandstanding in the referenced article.

------------------------------

Date: Tue, 29 Nov 2011 10:18:29 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Doomed by default passwords" (Roger A. Grimes)

Roger A. Grimes, *InfoWorld*, 29 Nov 2011
Recent hacks reveal that admins and vendors have fallen behind on protecting
legacy systems
http://www.infoworld.com/d/security/doomed-default-passwords-180214

opening text:

Many years ago, I was hired to penetration-test a customer's IBM AS/400
system, and the system administrator admonished me for even trying. "AS/400s
aren't like cheap and insecure little PC systems," he argued. "They're built
from the ground up to be secure." As he completed his last sentence, I
logged into his system and took complete control of it. He had not changed
the default account password. It had been left as is for almost 20 years.
His system was contactable over the Internet, so I had to wonder, as his
mouth dropped open, if I'd been the first to try the obvious.

The author also mentions doing a password check against default passwords
and lists three such sites that he uses.
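  [Added example for the Google HTTPS item a few entries above (the one
  quoting Adam Langley); it is not Google's code and not from the
  InfoWorld piece or from RISKS. The property the article describes is
  forward secrecy: a recorded transcript must stay unreadable even if the
  server's long-term private key is broken years later. The toy below
  runs two handshakes over a small Diffie-Hellman group. In the STATIC one
  the session key depends on the long-term key, so whoever later obtains
  that key can read the recording. In the EPHEMERAL one the long-term key
  only authenticates a fresh per-session DH value, so the same leak buys
  nothing. Everything here is an assumption made for illustration: the
  127-bit prime and generator are far too small for real use, the
  "signature" is an HMAC stand-in, and the record encryption is a
  SHA-256 keystream with an HMAC tag rather than a real cipher suite.
  PGN]

```python
"""Forward secrecy: why ephemeral key exchange protects recorded traffic.

Added example; not Google's code. STATIC: session key = g^(c*x) where x is
the server's long-term key. EPHEMERAL: server signs a fresh g^y and the
session key is g^(c*y). An adversary holding the transcript plus a later
copy of x decrypts the STATIC session but not the EPHEMERAL one.
Parameters and primitives are toy-sized stand-ins (assumption).
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1          # toy prime modulus (demo only, not a real group)
G = 3                   # toy generator


def kdf(shared_secret):
    """Session key = SHA-256 of the DH shared secret (toy KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def encrypt(key, plaintext):
    """Toy authenticated encryption: SHA-256 keystream XOR plus HMAC tag."""
    stream = hashlib.sha256(key + b"stream").digest()
    ct = bytes(p ^ stream[i % 32] for i, p in enumerate(plaintext))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def decrypt(key, blob):
    """Return plaintext, or None if the tag does not verify under this key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(c ^ stream[i % 32] for i, c in enumerate(ct))


def handshake(mode, server_long_term_priv, message):
    """Run one session; return exactly what a passive eavesdropper records."""
    x = server_long_term_priv
    server_pub = pow(G, x, P)
    c = secrets.randbelow(P - 2) + 1            # client's fresh exponent
    client_pub = pow(G, c, P)
    transcript = {"mode": mode, "server_pub": server_pub, "client_pub": client_pub}

    if mode == "static":
        key = kdf(pow(server_pub, c, P))        # depends on long-term x
    else:
        y = secrets.randbelow(P - 2) + 1        # server's fresh exponent
        server_eph = pow(G, y, P)
        # The long-term key only authenticates the ephemeral value (HMAC
        # stands in for a real signature here).
        sig_key = hashlib.sha256(b"sign" + x.to_bytes(16, "big")).digest()
        transcript["server_eph"] = server_eph
        transcript["signature"] = hmac.new(
            sig_key, server_eph.to_bytes(16, "big"), hashlib.sha256).hexdigest()
        key = kdf(pow(server_eph, c, P))        # depends on y, discarded after use
    transcript["ciphertext"] = encrypt(key, message)
    return transcript


def retrospective_decrypt(transcript, leaked_long_term_priv):
    """The adversary's later attempt: recorded transcript + leaked long-term key.

    For the static handshake g^(c*x) follows from client_pub and x. For the
    ephemeral handshake x is the only private value the adversary has, and
    using it in place of the unknown y gives the wrong key, so the tag check
    fails and None is returned."""
    x = leaked_long_term_priv
    guess = kdf(pow(transcript["client_pub"], x, P))
    return decrypt(guess, transcript["ciphertext"])


def demo():
    """Return (recovered_from_static, recovered_from_ephemeral)."""
    long_term = secrets.randbelow(P - 2) + 1
    msg = b"constructed sample: quarterly figures"
    static_tx = handshake("static", long_term, msg)
    eph_tx = handshake("ephemeral", long_term, msg)
    return (retrospective_decrypt(static_tx, long_term),
            retrospective_decrypt(eph_tx, long_term))


if __name__ == "__main__":
    static_result, eph_result = demo()
    print("static handshake, key leaked later:   ", static_result)
    print("ephemeral handshake, key leaked later:", eph_result)
```

  The design point is in handshake(): in the ephemeral branch the
  long-term key never touches the session key derivation, so the
  recording contains only public values (g^c, g^y, a signature) once y has
  been discarded. That is the whole reason a future break of the server
  key does not translate into a retrospective read of today's traffic.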
------------------------------

Date: Tue, 29 Nov 2011 10:09:04 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "When mobile apps go bad" (Galen Gruman)

Galen Gruman, *InfoWorld*, 29 Nov 2011
When mobile apps go bad
Mobile apps get frequent updates -- whether you want them or not -- and
sometimes the result is an inferior product
http://www.infoworld.com/d/mobile-technology/when-mobile-apps-go-bad-178063

This article deals with mobile apps, but the situation occurs with other
apps, too. Years ago, I downloaded Netscape 6, installed it, saw that it
was really bad, and bailed. The risk is losing an app that really works
well for you. Even if you can keep your old version, you may be out of luck
for support.

------------------------------

Date: Tue, 29 Nov 2011 10:45:48 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Facebook Settles With F.T.C. Over Deception Charges

http://j.mp/uAzFMh (FTC) [From NNSquad]

The social networking service Facebook has agreed to settle Federal Trade
Commission charges that it deceived consumers by telling them they could
keep their information on Facebook private, and then repeatedly allowing it
to be shared and made public. The proposed settlement requires Facebook to
take several steps to make sure it lives up to its promises in the future,
including giving consumers clear and prominent notice and obtaining
consumers' express consent before their information is shared beyond the
privacy settings they have established.

------------------------------

Date: Mon, 28 Nov 2011 12:08:18 -0500
From: SMiller_at_private
Subject: Re: purported water plant attack (RISKS-26.64)

The FBI/DHS analysis has been challenged by many, Joe Weiss among them.
While I am not in a position to confirm or deny many of the items in
dispute, I can confirm Weiss' allegation that many PLC/SCADA systems do not
keep the kind of log that is amenable to intrusion analysis.

It also seems odd that the Illinois fusion center would release such a
report only to be directly contradicted by DHS Central - aren't those
centers designed, sponsored and implemented by that very outfit? Seems
equally likely that the "nothing to see here, move along" response is the
result of reluctance to confirm the breach of a common, critical system
that it is presently infeasible to adequately protect. If this is indeed an
attempt at obscurity, I think we already know the story-line.

------------------------------

Date: Sat, 26 Nov 2011 22:56:23 -0500
From: Paul Wallich <pw_at_private>
Subject: Re: If You Can't Trust Caller ID ... (RISKS-26.64)

> Telemarketers increasingly are disguising their real identities and
> phone numbers... Caller ID [properly, Calling Number ID] is becoming
> Fake ID. New FCC rules have been instituted to combat this practice,
> but are apparently very limited in their effectiveness... [Source: Matt
> Richtel, *The New York Times* front page, 23 Nov 2011; PGN-ed]

It is perhaps telling in a political-systems sense (if not a
computer-systems one, since the technical hurdles are stacked the other
way) that congress is considering making it a federal crime to falsify even
a part of the personal information demanded by online services, while
deliberately fraudulent provision of identifying information via phone
system carries only civil penalties, and even then only at the discretion
of an overworked regulatory agency. Perhaps the relative pocket depth of the
respective perps has something to do with it.

------------------------------

Date: Sun, 27 Nov 2011 18:09:48 +0200
From: Amos Shapir <amos083_at_private>
Subject: Re: Missing the point of the Internet (Frankston, RISKS-26.64)

In Risks 26.64 Bob Frankston says:

> As I explain in http://rmf.vc/ThinkingOutsideThePipe networks are not
> fundamental. This means that the Internet is not easier to control once
> there is a funding model that doesn't require controlling the path.
While Frankston's ideas may keep the Internet free, in the sense that we
would not have to pay for it (not for each bit individually anyway), IMHO
they would not help to keep it free of central control. Public ownership of
the infrastructure would necessarily mean public control; which in turn
means that the rules would be made by politicians rather than businessmen --
is that any better?

Like in the auto industry, the complexity of the devices involved results in
most of the devices being made by a few large companies; the requirement
that all devices work together on the same infrastructure mandates rules
and regulations, which have to be coordinated by a central entity (or a few
of those, at most). This leaves a relatively small number of control
points, which might not be difficult to be taken over by a ruling body.

Surely we can avoid driving licenses by walking or riding bicycles, but we
would not get very far...

------------------------------

Date: Sat, 26 Nov 2011 23:16:34 -0500
From: "Bob Frankston" <bob2-39_at_private>
Subject: Complexity (Re: LaTeX ..., RISKS-26.64)

"Complex systems are intrinsically complex."

This is a topic in its own right as I argue that complexity is about point
of view and framing. My standard example is Ptolemy vs. Copernicus in the
difference that a shift frame makes. Complexity is also relative to purpose
or context.

One risk is in accepting complexity as intrinsic rather than trying to find
the simplicity. What makes this tricky is that we often need to change the
question we are asking. The Internet provides us with many examples as when
we assume that quality is a property of the network and thus we build a
rigid transport rather than defining quality outside the network. But this
requires accepting that there isn't a single measure of quality.

I go into some of this in essays such as http://rmf.vc/PurposeVsDiscovery
and http://rmf.vc/WrongStuff.

  [PGN notes: I was rather lazy in writing the line that Bob quotes. I
  should have written something more like this: "Systems that must satisfy
  inherently complex requirements (e.g., for trustworthiness in its
  multidimensional manifestations) are likely to be inherently difficult to
  build and maintain -- even if they are extremely carefully designed,
  implemented, and operated." In the research community, some of us believe
  in modular encapsulation, predictable composability, least privilege,
  formal analyses, and so on. But all that is still generally not enough.
  PGN]

------------------------------

Date: Sat, 26 Nov 2011 23:23:29 -0500
From: "Bob Frankston" <bob2-39_at_private>
Subject: Re: LaTeX as an example of ... best practices (Thorson, RISKS-26.64)

I do need to react to the dig at Microsoft. Sure there is a lot of code
that has hung around for 20 to 30 years and is captive to promises made
long ago. But I also see Microsoft at the forefront of research in
programming practices as with F# feeding into C#. These prejudices have
real consequences as people limit their choice of tools and languages
including the use of C.

------------------------------

Date: Sun, 27 Nov 2011 08:01:19 -0300
From: Carlos G Mendioroz <tron_at_private>
Subject: Re: "Facebook bans at work linked to increased security breaches"

It's been long known in research that you can "discover" a cause-effect
relation and even have "proof" by analysing correlations. If you analyse
some variables and get strong correlation between A, B (and C?), it's easy
to say that A causes B when in fact it could be that C causes A and B.
(Even easier when C is unknown!)

In this case, it could be that companies that have sensitive material (C)
have stronger security measures (A) but even so get higher breaches (B).

Risk? Use correlations (undirected) to find cause-effect (directed)
relations.
Carlos G Mendioroz <tron_at_private> LW7 EQI Argentina

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.65
************************

Received on Tue Nov 29 2011 - 13:31:07 PST