[RISKS] Risks Digest 26.88

From: RISKS List Owner <risko_at_private>
Date: Mon, 4 Jun 2012 16:02:09 PDT
RISKS-LIST: Risks-Forum Digest  Monday 4 June 2012  Volume 26 : Issue 88

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.88.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Malicious E-Mail Attachment on Olympics Making Internet Rounds
  (Nicole Perlroth via Monty Solomon)
Cyber search engine Shodan exposes industrial control systems to new risks
  (Robert O'Harrow Jr. via Lauren Weinstein)
Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"
  (Johannes Ullrich via Lauren Weinstein)
Online Courses Can Offer Easy A's via High-Tech Cheating (Jeffrey R. Young
  via Dave Farber)
Facebook takes baby steps toward kids' social network (Robert X. Cringely
  via Gene Wirchenko)
Fighting Sign Pollution in Florida With Robocalls (Robbie Brown via
  Monty Solomon)
Re: Future Internet Architecture: Content-Centric Networking ... (Scott Brim)
Re: iCloud user tracks down iPhone thief using photo stream (Geoff Kuenning)
Re: "Siri *ab*use" (Dag-Erling Smorgrav)
Re: Telemarketing Calls Keep Mounting Up, Along With Consumer
  Irritation (Geoff Kuenning, John Stanley)
Re: Yet another Leap Year issue (John Stanley)
Re: "Court warns on jurors' Web use" (George Ross)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 2 Jun 2012 21:24:30 -0400
From: Monty Solomon <monty_at_private>
Subject: Malicious E-Mail Attachment on Olympics Making Internet Rounds
  (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 30 May 2012

Olympics enthusiasts: You may want to think twice before opening that PDF
e-mail attachment of the 2012 Olympics schedule.  On Tuesday, researchers at
F-Secure, a Helsinki, Finland-based security firm, discovered a malicious
PDF file has been making the rounds on the Internet. The file, which
purports to be a schedule of the 2012 London Olympics, is actually a decoy
file which creates a backdoor between the user's computer to a Web site
registered to "student travel" in Baotou, China. ...

http://bits.blogs.nytimes.com/2012/05/30/olympics-themed-threat-makes-rounds-on-the-internet/

------------------------------

Date: Sun, 3 Jun 2012 21:03:17 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Cyber search engine Shodan exposes industrial control systems
  to new risks (Robert O'Harrow Jr.)

  "Matherly and other Shodan users quickly realized they were revealing an
  astonishing fact: Uncounted numbers of industrial control computers, the
  systems that automate such things as water plants and power grids, were
  linked in, and in some cases they were wide open to exploitation by even
  moderately talented hackers."  [Robert O'Harrow Jr., *The Washington
  Post*, via NNSquad] http://j.mp/KZTZvg

Let's get this straight.  Search Engines don't expose industrial control
systems to risks.  The poorly secured control systems do that *to
themselves*.  Don't blame the messenger!

------------------------------

Date: Sun, 3 Jun 2012 19:11:52 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"
  (Johannes Ullrich)

  "Microsoft just released an emergency bulletin, and an associated patch,
  notifying users of Windows that a "unauthorized digital certificates
  derived from a Microsoft Certificate Authority" was used to sign
  components of the "Flame" malware."  http://j.mp/KZG1to [Johannes Ullrich,
  SANS via NNSquad]

------------------------------

Date: Sun, 3 Jun 2012 15:46:45 -0400
From: Dave Farber <farber_at_private>
Subject: Online Courses Can Offer Easy A's via High-Tech Cheating
  (Jeffrey R. Young)

Technology - The Chronicle of Higher Education, 3 Jun 2012
http://chronicle.com/article/Online-Courses-Can-Offer-Easy/132093/

Easy A's may be even easier to score these days, with the growing popularity
of online courses. Tech-savvy students are finding ways to cheat that let
them ace online courses with minimal effort, in ways that are difficult to
detect.

Take Bob Smith, a student at a public university in the United States. This
past semester, he spent just 25 to 30 minutes each week on an online science
course, the time it took him to take the weekly test. He never read the
online materials for the course and never cracked open a textbook. He
learned almost nothing. He got an A.

His secret was to cheat, and he's proud of the method he came up with --
though he asked that his real name and college not be used, because he
doesn't want to get caught. It involved four friends and a shared Google
Doc, an online word-processing file that all five of them could read and add
to at the same time during the test.

More on his method in a minute. You've probably already heard of plenty of
clever ways students cheat, and this might simply add one more to the list.
But the issue of online cheating may rise in prominence, as more and more
institutions embrace online courses, and as reformers try new systems of
educational badges, certifying skills and abilities learned online. The
promise of such systems is that education can be delivered cheaply and
conveniently online. Yet as access improves, so will the number of people
gaming the system, unless courses are designed carefully. ...

------------------------------

Date: Mon, 04 Jun 2012 14:18:52 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Facebook takes baby steps toward kids' social network"
  (Robert X. Cringely)

Robert X. Cringely, *InfoWorld*, 4 Jun 2012
Facebook's real goal: selling games to tweens and teens, but the move
could make Facebook safer and better overall, if done right
http://www.infoworld.com/t/cringely/facebook-takes-baby-steps-toward-kids-social-network-194782

"Cringely" covers some of the obvious risks.

------------------------------

Date: Sat, 2 Jun 2012 22:56:14 -0400
From: Monty Solomon <monty_at_private>
Subject: Fighting Sign Pollution in Florida With Robocalls (Robbie Brown)

Robbie Brown, *The New York Times*, 2 Jun 2012

In Florida, they are as much a part of the landscape as palm trees and
oceanfront hotels: plastic signs cluttering roadsides with messages like "We
Buy Houses!" "Junk Cars!" and "Avoid Foreclosure!"  But now, worried about
the impact on tourism and the state's natural beauty, some coastal
communities have begun aggressive campaigns against the signs - by
robocalling the advertisers' phone numbers.

"It's the only crime I know of where a person deliberately leaves their
phone number behind," said Mayor Peter Bober of Hollywood, which uses
computer software to call the phone numbers, up to 20 times per day, until
offenders pay a $75 fine. "They want us to call.  So let's call. And keep
calling."

Think of it as fighting one nuisance with another. The advertisements, known
as snipe signs, are illegal in many Florida communities on public property
like highway medians or telephone poles. But they are also cheap to print
and hard to eradicate.  After years of removing the signs by hand, officials
in Hollywood, Oakland Park and St. Johns County recently turned to
robocalling.  Other cities say they are considering the option. ...

http://www.nytimes.com/2012/06/03/us/in-florida-fighting-sign-pollution-with-robocalls.html

------------------------------

Date: Jun 2, 2012 7:21 PM
From: "Scott Brim" <scott.brim_at_private>
Subject: Re: Future Internet Architecture: Content-Centric Networking ...
  (MacFie, RISKS-26.87)

  [From Dave Farber's IP distribution.  PGN]

> Don't bittorrent magnet links do this already?

There are several levels and times at which you can do this sort of thing.
For example:

- DNS: the name is mapped to an IP address - early binding to a location.

- Magnet links, if I understand correctly: like DNS, but with just in time
  binding to where they direct you.

- Directors of various sorts: the IP address is essentially virtualized,
  referring to one of several possible servers.  Early binding to the server
  group, late binding to the actual server.

- Layers 4 and above deal only with a "service id". An IP option is inserted
  in the packets, to be read by special middleboxes that guide the packet in
  the right direction (how they determine the right direction, and cache
  such information, is orthogonal) - medium to late binding.

- Layers 4 and above deal only with a service id.  A shim below Layer 4 maps
  the service id to an IP address of the next smart middlebox.  Late
  binding.

- IP addresses are eliminated entirely, and packets are routed only on
  "interest" names.  There is never a binding to an IP address.

It seems to me that people's preferences for different layers and binding
times depend on the time frame of deployment they are interested in.

------------------------------

Date: Sun, 03 Jun 2012 21:40:27 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: iCloud user tracks down iPhone thief using photo stream (26.86)

  [Geoff and Andrew Douglass thought this private reply to Geoff from
  Andrew might be RISKS-worthy, so I am including it here.  PGN]

Here's what Andrew said:

I erred by including too many hypotheticals, distracting from the central
issues of (1) can you spy and (2) if so, with what scope? Does it matter
whether the target is the thief? What if the thief is innocent (maybe you
mistakenly accuse them of having bought the thing with a bad check).

I think you could very well get in civil and criminal trouble for violating
their privacy under existing law, but I've seen no mention of
this. Certainly it would be a 4th amendment issue if law enforcement did
it. Even if you have a privilege to poke around (self-help or whatever)
obviously it should be a minimal intrusion. Caveat snoop.

You're right about good-faith purchasers -- they take no title. That doesn't
open them to privacy rape. I was just trying to get readers away from the
vapid criminals-have-no-rights perspective.

------------------------------

Date: Mon, 04 Jun 2012 12:00:48 +0200
From: Dag-Erling Smorgrav <des_at_private>
Subject: Re: "Siri *ab*use" (Solomon and Wirchenko, RISKS-26.86)

Peter Houppermans <peter_at_private> writes:
> Siri has been on my "list of things to avoid" pretty much from before
> I obtained the new iPhone.  [...]  An iPhone doesn't have the local
> power to process voice commands, so it sends them to a US hosted service.

The same goes for Android's voice search feature, which is annoyingly
easy to trigger by accident.  Luckily, it is also easy to disable:
Settings -> Apps -> All -> Google Search -> Disable

------------------------------

Date: Sun, 03 Jun 2012 20:55:22 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: Telemarketing Calls Keep Mounting Up, Along With Consumer
  Irritation (Alina Tugend)

For many years now, my outgoing answering-machine message has begun with the
Service Interruption Tone: the three rising beeps that you get when you dial
a seriously bogus number.  For obvious reasons, most telemarketing
autodialers are programmed to delete a number from their database when they
encounter that tone.

The result is that we get fewer than one telemarketing call per week; the
primary offenders are local construction companies who appear to be dialing
by hand.  (The rate goes up during election season, but even then it's not
too bad.)

The only downside is that a *very* few legitimate callers will hang up at
the tone rather than waiting long enough to hear our familiar voice say
"Hello, you've reached the Kuennings."  But it hasn't really been a problem.

Google for "sit.wav" (with or without quotes) to download the tone so you
can add it to your own answering machine.

Geoff Kuenning   geoff@private   http://www.cs.hmc.edu/~geoff/
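
Geoff's trick relies on a tone that autodialers are built to recognise.  As
an added example (not code from this digest or from Geoff Kuenning), the
Python below synthesises the Special Information Tone triplet using the
ITU-T E.180 values (950, 1400 and 1800 Hz, about 330 ms each; North
American switches use slightly different frequency and duration variants
to encode the intercept reason), writes it out as a WAV that can be
prepended to an outgoing greeting, and then runs a Goertzel-based tone
classifier over the audio, which is the same kind of call-progress
detection an autodialer performs before it drops a number.  The 8 kHz
sample rate, the 80 ms analysis window and the 0.3 power threshold are the
example's own assumptions.

```python
"""Special Information Tone (SIT) generator and detector.

Added example; not code from the RISKS digest or from Geoff Kuenning.
Frequencies and durations follow ITU-T E.180 (950 / 1400 / 1800 Hz, about
330 ms each); North American switches use slightly different variants.
"""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000  # assumption: telephone-grade mono audio

# ITU-T E.180 SIT: three rising tones, roughly 330 ms each.
ITU_SIT = [(950.0, 0.330), (1400.0, 0.330), (1800.0, 0.330)]
SIT_FREQS = [f for f, _ in ITU_SIT]


def synth_tones(segments, rate=SAMPLE_RATE, amplitude=0.5):
    """Return float samples in [-1, 1] for a list of (frequency, seconds)."""
    samples = []
    for freq, seconds in segments:
        for i in range(int(rate * seconds)):
            samples.append(amplitude * math.sin(2.0 * math.pi * freq * i / rate))
    return samples


def to_wav_bytes(samples, rate=SAMPLE_RATE):
    """Encode samples as 16-bit mono PCM WAV (ready to prepend to a greeting)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        frames = b"".join(
            struct.pack("<h", int(max(-1.0, min(1.0, s)) * 32767)) for s in samples
        )
        w.writeframes(frames)
    return buf.getvalue()


def goertzel_power(block, freq, rate):
    """Signal power at one frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def classify_window(block, rate=SAMPLE_RATE, candidates=SIT_FREQS, min_ratio=0.3):
    """Return the candidate frequency dominating this window, or None.

    Goertzel power is normalised against the window's total energy, so a pure
    tone at the candidate frequency scores about 1.0 while speech or silence
    scores low and is rejected by the threshold (assumed value 0.3).
    """
    energy = sum(x * x for x in block)
    if energy == 0.0:
        return None
    scale = energy * len(block) / 2.0
    best_freq, best_ratio = None, 0.0
    for freq in candidates:
        ratio = goertzel_power(block, freq, rate) / scale
        if ratio > best_ratio:
            best_freq, best_ratio = freq, ratio
    return best_freq if best_ratio >= min_ratio else None


def detect_tone_sequence(samples, rate=SAMPLE_RATE, window_seconds=0.080):
    """Collapse per-window classifications into the sequence of distinct tones."""
    n = int(rate * window_seconds)
    seq = []
    for start in range(0, len(samples) - n + 1, n):  # full windows only
        tone = classify_window(samples[start:start + n], rate)
        if tone is not None and (not seq or seq[-1] != tone):
            seq.append(tone)
    return seq


def is_sit(samples, rate=SAMPLE_RATE):
    """True when the audio begins with the rising SIT triplet."""
    return detect_tone_sequence(samples, rate)[:3] == SIT_FREQS


if __name__ == "__main__":
    tone = synth_tones(ITU_SIT)
    with open("sit.wav", "wb") as f:  # drop this in front of your greeting
        f.write(to_wav_bytes(tone))
    print("wrote sit.wav; detector sees:", detect_tone_sequence(tone))
```

Running the script writes sit.wav in the current directory and reports the
tone sequence the detector recovers.  The detector half is the part worth
studying: an autodialer that hears the triplet in the first second of
audio classifies the line as out of service, which is exactly why placing
the tone ahead of the spoken greeting works, and why the few human callers
who hang up on it are the cost of the trick.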

------------------------------

Date: Mon, 4 Jun 2012 12:11:30 -0700 (PDT)
From: John Stanley <stanley+risks_at_private>
Subject: Re: Telemarketing Calls Keep Mounting Up, Along With Consumer
  Irritation (Solomon, RISKS-26.87)

> Readers told me that the Do Not Call Registry seemed to work just fine at
> blocking calls when it began in 2003 and for several years after that.

It is a misconception that the DNC list blocks anything. The DNC list is
nothing more than that: a list. Marketers are required to search the list at
least every 31 days and drop from their own calling lists any number they
find on the federal list, after considering any of the multitude of
barn-door-wide exceptions.

The system worked well for awhile because the phone service providers and
telespammers had not yet deployed the systems that allow a phone spammer to
display any information they want to via caller ID. Now that a crook hawking
his "cheaper credit card rates" can pretend to be calling from "Illinois" or
"Florida" (two of the recent caller ID 'ids' I've seen from these people)
and display a completely fictitious number, there is very little that a
consumer can use to make a complaint to the FTC.

------------------------------

Date: Mon, 4 Jun 2012 11:57:26 -0700 (PDT)
From: John Stanley <stanley+risks_at_private>
Subject: Re: Yet another Leap Year issue (Duncan, RISKS-26.87)

This is not a leap-year issue; it is putting off a mission-critical
operation until the very last minute.  That is a human failure, not a
computer failure.

There was a 180-day window for filing; the decision was made to wait until
day 180, which turned out to be day 181. There are any number of reasons why
paperwork can be delayed by a day, so anyone who waits until the very last
day is inviting failure. Blaming it on a day planner, either computerized or
manual, is ridiculous.

Failure to plan is planning to fail, I think the saying goes.

------------------------------

Date: Mon, 04 Jun 2012 13:29:20 +0100
From: George Ross <gdmr_at_private>
Subject: Re: "Court warns on jurors' Web use" (Valencia, RISKS-26.87)

That's not new.  For example

   http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16676871
   ("Juror Theodora Dallas jailed for contempt of court")

   http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16742365
   ("Juror who researched defendant refused leave to appeal" -- same case)

   http://www.bbc.co.uk/news/uk-15939922
   ("Juror faces contempt proceedings over 'case research'" -- same case)

   http://www.bbc.co.uk/news/uk-16101533
   ("Lord Chief Justice warns juries over Internet research")

   http://www.bbc.co.uk/news/uk-13792080
   ("Facebook juror sentenced to eight months for contempt")

   http://www.bbc.co.uk/news/uk-england-south-yorkshire-12632587
   ("Sun and Daily Mail in contempt over online gun photos")

   http://news.bbc.co.uk/1/hi/england/kent/4270957.stm
   ("Retrial after jury web page found")

   http://news.bbc.co.uk/1/hi/scotland/1628431.stm
   ("Judge details Beggs 'Internet ruling'")

the last of these being from 2001.

George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB  0131 650 5147

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.88
************************