RISKS-LIST: Risks-Forum Digest  Monday 4 June 2012  Volume 26 : Issue 88

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.88.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Malicious E-Mail Attachment on Olympics Making Internet Rounds
  (Nicole Perlroth via Monty Solomon)
Cyber search engine Shodan exposes industrial control systems to new risks
  (Robert O'Harrow Jr. via Lauren Weinstein)
Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"
  (Johannes Ullrich via Lauren Weinstein)
Online Courses Can Offer Easy A's via High-Tech Cheating
  (Jeffrey R. Young via Dave Farber)
Facebook takes baby steps toward kids' social network
  (Robert X. Cringely via Gene Wirchenko)
Fighting Sign Pollution in Florida With Robocalls
  (Robbie Brown via Monty Solomon)
Re: Future Internet Architecture: Content-Centric Networking ... (Scott Brim)
Re: iCloud user tracks down iPhone thief using photo stream (Geoff Kuenning)
Re: "Siri *ab*use" (Dag-Erling Smorgrav)
Re: Telemarketing Calls Keep Mounting Up, Along With Consumer Irritation
  (Geoff Kuenning, John Stanley)
Re: Yet another Leap Year issue (John Stanley)
Re: "Court warns on jurors' Web use" (George Ross)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 2 Jun 2012 21:24:30 -0400
From: Monty Solomon <monty_at_private>
Subject: Malicious E-Mail Attachment on Olympics Making Internet Rounds
  (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 30 May 2012

Olympics enthusiasts: You may want to think twice before opening that PDF
e-mail attachment of the 2012 Olympics schedule.

On Tuesday, researchers at F-Secure, a Helsinki, Finland-based security firm,
discovered that a malicious PDF file has been making the rounds on the
Internet. The file, which purports to be a schedule of the 2012 London
Olympics, is actually a decoy file which creates a backdoor between the
user's computer and a Web site registered to "student travel" in Baotou,
China. ...

http://bits.blogs.nytimes.com/2012/05/30/olympics-themed-threat-makes-rounds-on-the-internet/

------------------------------

Date: Sun, 3 Jun 2012 21:03:17 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Cyber search engine Shodan exposes industrial control systems to
  new risks (Robert O'Harrow Jr.)

"Matherly and other Shodan users quickly realized they were revealing an
astonishing fact: Uncounted numbers of industrial control computers, the
systems that automate such things as water plants and power grids, were
linked in, and in some cases they were wide open to exploitation by even
moderately talented hackers."

[Robert O'Harrow Jr., *The Washington Post*, via NNSquad]
http://j.mp/KZTZvg

Let's get this straight. Search Engines don't expose industrial control
systems to risks. The poorly secured control systems do that *to themselves*.
Don't blame the messenger!

------------------------------

Date: Sun, 3 Jun 2012 19:11:52 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"
  (Johannes Ullrich)

"Microsoft just released an emergency bulletin, and an associated patch,
notifying users of Windows that a "unauthorized digital certificates derived
from a Microsoft Certificate Authority" was used to sign components of the
"Flame" malware."

http://j.mp/KZG1to
[Johannes Ullrich, SANS via NNSquad]

------------------------------

Date: Sun, 3 Jun 2012 15:46:45 -0400
From: Dave Farber <farber_at_private>
Subject: Online Courses Can Offer Easy A's via High-Tech Cheating
  (Jeffrey R. Young)

Technology - The Chronicle of Higher Education, 3 Jun 2012
http://chronicle.com/article/Online-Courses-Can-Offer-Easy/132093/

Easy A's may be even easier to score these days, with the growing popularity
of online courses. Tech-savvy students are finding ways to cheat that let
them ace online courses with minimal effort, in ways that are difficult to
detect.

Take Bob Smith, a student at a public university in the United States. This
past semester, he spent just 25 to 30 minutes each week on an online science
course, the time it took him to take the weekly test. He never read the
online materials for the course and never cracked open a textbook. He
learned almost nothing. He got an A.

His secret was to cheat, and he's proud of the method he came up with --
though he asked that his real name and college not be used, because he
doesn't want to get caught. It involved four friends and a shared Google Doc,
an online word-processing file that all five of them could read and add to
at the same time during the test. More on his method in a minute.

You've probably already heard of plenty of clever ways students cheat, and
this might simply add one more to the list. But the issue of online cheating
may rise in prominence, as more and more institutions embrace online courses,
and as reformers try new systems of educational badges, certifying skills
and abilities learned online. The promise of such systems is that education
can be delivered cheaply and conveniently online. Yet as access improves, so
will the number of people gaming the system, unless courses are designed
carefully. ...

IP Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/126123-51093ba0

------------------------------

Date: Mon, 04 Jun 2012 14:18:52 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Facebook takes baby steps toward kids' social network"
  (Robert X. Cringely)

Robert X. Cringely, *InfoWorld*, 4 Jun 2012

Facebook's real goal: selling games to tweens and teens, but the move could
make Facebook safer and better overall, if done right
http://www.infoworld.com/t/cringely/facebook-takes-baby-steps-toward-kids-social-network-194782

"Cringely" covers some of the obvious risks.

------------------------------

Date: Sat, 2 Jun 2012 22:56:14 -0400
From: Monty Solomon <monty_at_private>
Subject: Fighting Sign Pollution in Florida With Robocalls (Robbie Brown)

Robbie Brown, *The New York Times*, 2 Jun 2012

In Florida, they are as much a part of the landscape as palm trees and
oceanfront hotels: plastic signs cluttering roadsides with messages like
"We Buy Houses!" "Junk Cars!" and "Avoid Foreclosure!"

But now, worried about the impact on tourism and the state's natural beauty,
some coastal communities have begun aggressive campaigns against the signs -
by robocalling the advertisers' phone numbers.

"It's the only crime I know of where a person deliberately leaves their
phone number behind," said Mayor Peter Bober of Hollywood, which uses
computer software to call the phone numbers, up to 20 times per day, until
offenders pay a $75 fine. "They want us to call. So let's call. And keep
calling."

Think of it as fighting one nuisance with another. The advertisements, known
as snipe signs, are illegal in many Florida communities on public property
like highway medians or telephone poles. But they are also cheap to print
and hard to eradicate. After years of removing the signs by hand, officials
in Hollywood, Oakland Park and St. Johns County recently turned to
robocalling. Other cities say they are considering the option. ...

http://www.nytimes.com/2012/06/03/us/in-florida-fighting-sign-pollution-with-robocalls.html

------------------------------

Date: Jun 2, 2012 7:21 PM
From: "Scott Brim" <scott.brim_at_private>
Subject: Re: Future Internet Architecture: Content-Centric Networking ...
  (MacFie, RISKS-26.87)

  [From Dave Farber's IP distribution.  PGN]

> Don't bittorrent magnet links do this already?

There are several levels and times at which you can do this sort of thing.
For example:

- DNS: the name is mapped to an IP address - early binding to a location.

- Magnet links, if I understand correctly: like DNS, but with just in time
  binding to where they direct you.

- Directors of various sorts: the IP address is essentially virtualized,
  referring to one of several possible servers. Early binding to the server
  group, late binding to the actual server.

- Layers 4 and above deal only with a "service id". An IP option is inserted
  in the packets, to be read by special middleboxes that guide the packet in
  the right direction (how they determine the right direction, and cache
  such information, is orthogonal) - medium to late binding.

- Layers 4 and above deal only with a service id. A shim below Layer 4 maps
  the service id to an IP address of the next smart middlebox. Late binding.

- IP addresses are eliminated entirely, and packets are routed only on
  "interest" names. There is never a binding to an IP address.

It seems to me that people's preferences for different layers and binding
times depend on the time frame of deployment they are interested in.

------------------------------

Date: Sun, 03 Jun 2012 21:40:27 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: iCloud user tracks down iPhone thief using photo stream (26.86)

  [Geoff and Andrew Douglass thought this private reply to Geoff from Andrew
  might be RISKS-worthy, so I am including it here.  PGN]

Here's what Andrew said:

I erred by including too many hypotheticals, distracting from the central
issues of (1) can you spy and (2) if so, with what scope? Does it matter
whether the target is the thief? What if the thief is innocent (maybe you
mistakenly accuse them of having bought the thing with a bad check). I think
you could very well get in civil and criminal trouble for violating their
privacy under existing law, but I've seen no mention of this.
Certainly it would be a 4th amendment issue if law enforcement did it. Even
if you have a privilege to poke around (self-help or whatever) obviously it
should be a minimal intrusion. Caveat snoop.

You're right about good-faith purchasers -- they take no title. That doesn't
open them to privacy rape. I was just trying to get readers away from the
vapid criminals-have-no-rights perspective.

------------------------------

Date: Mon, 04 Jun 2012 12:00:48 +0200
From: Dag-Erling Smorgrav <des_at_private>
Subject: Re: "Siri *ab*use" (Solomon and Wirchenko, RISKS-26.86)

Peter Houppermans <peter_at_private> writes:

> Siri has been on my "list of things to avoid" pretty much from before
> I obtained the new iPhone. [...] An iPhone doesn't have the local
> power to process voice commands, so it sends them to a US hosted service.

The same goes for Android's voice search feature, which is annoyingly easy
to trigger by accident. Luckily, it is also easy to disable:

  Settings -> Apps -> All -> Google Search -> Disable

------------------------------

Date: Sun, 03 Jun 2012 20:55:22 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: Telemarketing Calls Keep Mounting Up, Along With Consumer
  Irritation (Alina Tugend)

For many years now, my outgoing answering-machine message has begun with the
Service Interruption Tone: the three rising beeps that you get when you dial
a seriously bogus number. For obvious reasons, most telemarketing autodialers
are programmed to delete a number from their database when they encounter
that tone. The result is that we get fewer than one telemarketing call per
week; the primary offenders are local construction companies who appear to
be dialing by hand. (The rate goes up during election season, but even then
it's not too bad.)

The only downside is that a *very* few legitimate callers will hang up at
the tone rather than waiting long enough to hear our familiar voice say
"Hello, you've reached the Kuennings." But it hasn't really been a problem.

Google for "sit.wav" (with or without quotes) to download the tone so you
can add it to your own answering machine.

Geoff Kuenning  geoff@private  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Mon, 4 Jun 2012 12:11:30 -0700 (PDT)
From: John Stanley <stanley+risks_at_private>
Subject: Re: Telemarketing Calls Keep Mounting Up, Along With Consumer
  Irritation (Solomon, RISKS-26.87)

> Readers told me that the Do Not Call Registry seemed to work just fine at
> blocking calls when it began in 2003 and for several years after that.

It is a misconception that the DNC list blocks anything. The DNC list is
nothing more than that: a list. Marketers are required to search the list at
least every 31 days and drop from their own calling lists any number they
find on the federal list, after considering any of the multitude of
barn-door-wide exceptions.

The system worked well for a while because the phone service providers and
telespammers had not yet deployed the systems that allow a phone spammer to
display any information they want to via caller ID. Now that a crook hawking
his "cheaper credit card rates" can pretend to be calling from "Illinois" or
"Florida" (two of the recent caller ID 'ids' I've seen from these people) and
display a completely fictitious number, there is very little that a consumer
can use to make a complaint to the FTC.

------------------------------

Date: Mon, 4 Jun 2012 11:57:26 -0700 (PDT)
From: John Stanley <stanley+risks_at_private>
Subject: Re: Yet another Leap Year issue (Duncan, RISKS-26.87)

This is not a leap-year issue; it is putting off a mission-critical operation
until the very last minute. That is a human failure, not a computer failure.
There was a 180-day window for filing; the decision was made to wait until
day 180, which turned out to be day 181. There are any number of reasons why
paperwork can be delayed by a day, so anyone who waits until the very last
day is inviting failure.

Blaming it on a day planner, either computerized or manual, is ridiculous.
Failure to plan is planning to fail, I think the saying goes.

------------------------------

Date: Mon, 04 Jun 2012 13:29:20 +0100
From: George Ross <gdmr_at_private>
Subject: Re: "Court warns on jurors' Web use" (Valencia, RISKS-26.87)

That's not new. For example

http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16676871
  ("Juror Theodora Dallas jailed for contempt of court")
http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16742365
  ("Juror who researched defendant refused leave to appeal" -- same case)
http://www.bbc.co.uk/news/uk-15939922
  ("Juror faces contempt proceedings over 'case research'" -- same case)
http://www.bbc.co.uk/news/uk-16101533
  ("Lord Chief Justice warns juries over Internet research")
http://www.bbc.co.uk/news/uk-13792080
  ("Facebook juror sentenced to eight months for contempt")
http://www.bbc.co.uk/news/uk-england-south-yorkshire-12632587
  ("Sun and Daily Mail in contempt over online gun photos")
http://news.bbc.co.uk/1/hi/england/kent/4270957.stm
  ("Retrial after jury web page found")
http://news.bbc.co.uk/1/hi/scotland/1628431.stm
  ("Judge details Beggs 'Internet ruling'")

the last of these being from 2001.

George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh, Informatics,
10 Crichton Street, Edinburgh, Scotland, EH8 9AB  0131 650 5147

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.88
************************

Received on Mon Jun 04 2012 - 16:02:09 PDT

This archive was generated by hypermail 2.2.0 : Mon Jun 04 2012 - 16:38:09 PDT
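[Editor's added example, not part of the digest or of any contributor's post.
Geoff Kuenning's item above recommends prepending the three rising SIT beeps
to an answering-machine greeting and suggests searching for a ready-made
sit.wav. The script below generates such a file locally instead, so nothing
has to be downloaded from an unknown site. Everything in it is an assumption
of this example rather than anything the post states: the frequencies and
durations are approximate values for the common North American SIT (three
segments of about 330 ms at roughly 950, 1400 and 1800 Hz), the 8 kHz sample
rate matches telephone-quality audio, and the short fade at each segment edge
is there only to avoid clicks. It uses only the Python standard library.]

```python
"""Generate a Special Information Tone (SIT) WAV file.

Added example for the RISKS item on answering-machine SIT beeps; not code
from the digest or from any contributor. Tone frequencies, durations, sample
rate and amplitude are assumptions of this example, not values from the page.
"""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000   # telephone-quality mono audio (assumed)
AMPLITUDE = 0.5      # fraction of full scale; leaves headroom (assumed)

# (frequency in Hz, duration in seconds) for the three rising segments.
# Approximate values for the common North American SIT (assumed).
SIT_SEGMENTS = [
    (950.0, 0.330),
    (1400.0, 0.330),
    (1800.0, 0.330),
]


def tone_samples(freq_hz, seconds, sample_rate=SAMPLE_RATE, amplitude=AMPLITUDE):
    """Return 16-bit PCM samples (as ints) for one sine-wave tone.

    A 5 ms linear fade-in and fade-out avoids clicks at segment boundaries.
    """
    n = int(round(seconds * sample_rate))
    ramp = max(1, int(0.005 * sample_rate))
    out = []
    for i in range(n):
        gain = 1.0
        if i < ramp:
            gain = i / ramp
        elif i >= n - ramp:
            gain = (n - 1 - i) / ramp
        value = amplitude * gain * math.sin(2.0 * math.pi * freq_hz * i / sample_rate)
        out.append(int(value * 32767))
    return out


def sit_samples(segments=SIT_SEGMENTS, sample_rate=SAMPLE_RATE):
    """Concatenate the rising segments into one list of samples."""
    samples = []
    for freq_hz, seconds in segments:
        samples.extend(tone_samples(freq_hz, seconds, sample_rate))
    return samples


def write_wav(samples, fileobj, sample_rate=SAMPLE_RATE):
    """Write mono 16-bit PCM samples to a file-like object as a WAV stream."""
    with wave.open(fileobj, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(sample_rate)
        wav.writeframes(struct.pack("<%dh" % len(samples), *samples))


def sit_wav_bytes(segments=SIT_SEGMENTS, sample_rate=SAMPLE_RATE):
    """Return the complete WAV file for the SIT as bytes."""
    buf = io.BytesIO()
    write_wav(sit_samples(segments, sample_rate), buf, sample_rate)
    return buf.getvalue()


def wav_summary(data):
    """Parse WAV bytes back and return (channels, sample_width, rate, frames)."""
    with wave.open(io.BytesIO(data), "rb") as wav:
        return (wav.getnchannels(), wav.getsampwidth(),
                wav.getframerate(), wav.getnframes())


if __name__ == "__main__":
    data = sit_wav_bytes()
    with open("sit.wav", "wb") as f:
        f.write(data)
    print("wrote sit.wav:", wav_summary(data))
```

Running the script writes sit.wav (about one second of audio) in the current
directory; it can then be spliced in front of the greeting with any audio
editor. The segment table is deliberately data, so the intercept or
reorder variants of the tone can be produced by changing the tuples rather
than the code.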