ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 30 Issue 33
Wednesday 14 June 2017
- Russian cyberhacks on the U.S. electoral system far wider than previously known (Michael Riley on Bloomberg)
- “Supreme Court to look at mobile privacy. Uh-oh.” (Evan Schuman)
- Microsoft warns of ‘destructive cyberattacks’, issues new Windows XP patches
- Four Ways Your Location Is Being Tracked Everywhere You Go
- Hackers Hijacking Verified Accounts to Spread Fake News
- Algo stock trading on “fake news”? (John Carney via Henry Baker)
- WSJ ends Google users’ free ride, then falls 44% in search results
- Turks Click Away, but Wikipedia Is Gone (The New York Times)
- The tech world is rallying around a young developer who made a huge embarrassing mistake
- Healthcare ransomware and how we can climb out of this mess (Kevin Fu)
- Re: Software is forever (Arthur T.)
- Precise Documentation (David Parnas via PGN)
- Info on RISKS (comp.risks)
Russian cyberhacks on the U.S. electoral system far wider than previously known (Michael Riley on Bloomberg)
Peter G. Neumann <[email protected]>
Tue, 13 Jun 2017 15:05:02 -0700
https://www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections

Russia's cyberattack on the U.S. electoral system before Donald Trump's election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

The scope and sophistication so concerned Obama administration officials that they took an unprecedented step—complaining directly to Moscow over a modern-day red phone. In October, two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia's role in election meddling and to warn that the attacks risked setting off a broader conflict.

Unwinding the Twists, Turns in Trump-Russia Probe: QuickTake Q&A
<https://www.bloomberg.com/politics/articles/2017-05-09/unwinding-the-twists-turns-in-trump-russia-probe-quicktake-q-a>

The new details, buttressed by a classified National Security Agency document recently disclosed by the Intercept, show the scope of alleged hacking that federal investigators are scrutinizing as they look into whether Trump campaign officials may have colluded in the efforts.

But they also paint a worrisome picture for future elections: The newest portrayal of potentially deep vulnerabilities in the U.S.'s patchwork of voting technologies comes less than a week after former FBI Director James Comey warned Congress that Moscow isn't done meddling. “They're coming after America. They will be back.”

Kremlin Denials

Russian officials have publicly denied any role in cyberattacks connected to the U.S. elections, including a massive spear-phishing effort that compromised Hillary Clinton's campaign and the Democratic National Committee, among hundreds of other groups. President Vladimir Putin said in recent comments to reporters that criminals inside the country could have been involved without having been sanctioned by the Russian government. [...]

[Truncated for RISKS. PGN]
“Supreme Court to look at mobile privacy. Uh-oh.” (Evan Schuman)
Gene Wirchenko <[email protected]>
Tue, 13 Jun 2017 10:36:07 -0700
Evan Schuman, Computerworld, 13 Jun 2017
A criminal-case ruling favoring law enforcement would have implications for companies facing civil complaints
http://www.computerworld.com/article/3200199/mobile-wireless/supreme-court-to-look-at-mobile-privacy-uh-oh.html

opening text:

Does the prospect of your company's worst enemies getting access to full tracking information on your employees' mobile phones freak you out? If so, you'll want to track something yourself: a case the U.S. Supreme Court just agreed to consider. Although the case involves criminal law and the question of whether police need a court-issued search warrant for intimate mobile records, one former federal prosecutor points out that the Court's ruling could open the door to civil discovery and subpoena access. In other words, the ruling could make such mobile data available to anyone who chooses to sue your company, for any reason, whether the claim is legitimate or not.
Microsoft warns of ‘destructive cyberattacks’, issues new Windows XP patches (ZDNet)
Lauren Weinstein <[email protected]>
Tue, 13 Jun 2017 11:03:12 -0700
via NNSquad
http://www.zdnet.com/article/microsoft-warns-of-destructive-cyberattacks-issues-new-windows-xp-patches/

Citing an "elevated risk for destructive cyberattacks," Microsoft today released an assortment of security updates designed to block attacks similar to those responsible for the devastating WannaCry/WannaCrypt ransomware outbreak last month.

Today's critical security updates are in addition to the normal Patch Tuesday releases, Microsoft said. They'll be delivered automatically through Windows Update to devices running supported versions, including Windows 10, Windows 8.1, Windows 7, and post-2008 Windows Server releases.

But in an unprecedented move, Microsoft announced that it was also making the patches available simultaneously for manual download and installation on unsupported versions, including Windows XP and Windows Server 2003. Both of those operating systems are still deployed by significant numbers of business customers years after their official support lifecycles ended.
Four Ways Your Location Is Being Tracked Everywhere You Go
Gabe Goldberg <[email protected]>
Tue, 13 Jun 2017 19:06:11 -0400
These days, it's common knowledge that your phone and computer are tracking your location. Most people don't appear to care. They think the benefits of location tracking outweigh the security and privacy implications. You can make the argument they're right. Services such as Cortana and Google Search are not as powerful if they can't monitor your movements.

However, you might be less aware of other ways some companies are tracking your location. Often, they use underhand tactics and collate information without you knowing. They are tracking you purely for self-interest. Here are a few ways you probably don't realize your whereabouts are being tracked.

http://www.makeuseof.com/tag/location-tracking/
Hackers Hijacking Verified Accounts to Spread Fake News (Gizmodo)
Lauren Weinstein <[email protected]>
Sun, 11 Jun 2017 10:13:45 -0700
NNSquad
http://gizmodo.com/hackers-hijacking-verified-accounts-to-spread-fake-news-1795997941
https://www.accessnow.org/doubleswitch-attack/

Security research group Access Now has discovered a clever attack being used against influential social media users as a means of disseminating fake news. The "Doubleswitch" not only involves hijacking verified accounts but makes it extremely difficult for the legitimate owner to regain control of their handle.
Algo stock trading on “fake news”?
Henry Baker <[email protected]>
Wed, 14 Jun 2017 07:12:38 -0700
Lemme see.

Computer algorithms read company SEC reports, company press releases, etc., and automatically generate "human"-readable news stories.

Other computer algorithms read company SEC reports, twitter feeds, company press releases, and "human-readable" news stories and—before any human interaction -- near-instantaneously execute trades on various exchanges as a result.

If some news story really is "news"—i.e., it contains new information that could affect the price of one or more stocks—then whichever algorithmic trader can process it fastest and place trades earliest can reap enormous rewards.

What could possibly go wrong?

"A lie can travel halfway round the world while the truth is putting on its shoes."—attributed to Mark Twain

"Buy the rumor, sell the news"

If someone can manufacture a fake news story and get it onto some social media—e.g., Twitter—these "AI" traders will have traded tens of millions of dollars worth of stock on this fake information during the milliseconds, seconds, minutes or hours it will take for the truth to catch up.

What are the chances that this sort of thing is going on right now? What are the chances that some measurable fraction of the trading volume is generated in this manner?

To cheat is human; to commit major fraud requires a fast computer. -- apologies to Bill Vaughan

http://www.cnbc.com/2017/06/13/death-of-the-human-investor-just-10-percent-of-trading-is-regular-stock-picking-jpmorgan-estimates.html
Just 10% of trading is regular stock picking, JPMorgan estimates

'Quantitative investing based on computer formulas and trading by machines directly are leaving the traditional stock picker in the dust and now dominating the equity markets, according to a new report from JPMorgan.'

'Kolanovic [global head of quantitative and derivatives research at JPMorgan] estimates "fundamental discretionary traders" account for only about 10 percent of trading volume in stocks. Passive and quantitative investing accounts for about 60 percent, more than double the share a decade ago, he said.'

'A subset of quantitative trading known as high-frequency trading accounted for 52 percent of May's average daily trading volume of about 6.73 billion shares, Tabb said. During the peak levels of high-frequency trading in 2009, about 61 percent of 9.8 billion of average daily shares traded were executed by high-frequency traders.'

John Carney, CNBC, 23 Apr 2013
The Trading Robots Really Are Reading Twitter
http://www.cnbc.com/id/100666302

Let's call it the Twitter Skitter. When the market briefly skidded after a hacked AP Twitter account reported explosions at the White House, we saw the first real-time demonstration of robo-trading riding on the back of social media. The plunge in the market was so quick that it obviously was not the result of individuals reading the phony news and deciding what action to take. Computers were making the trades -- or, more precisely, ending the trades. ... The Twitter data stream has been available to high frequency traders since at least 2009.

https://en.wikipedia.org/wiki/Algorithmic_trading

'"Computers are now being used to generate news stories about company earnings results or economic statistics as they are released. And this almost instantaneous information forms a direct feed into other computers which trade on the news."'

'"Increasingly, people are looking at all forms of news and building their own indicators around it in a semi-structured way," as they constantly seek out new trading advantages said Rob Passarella, global director of strategy at Dow Jones Enterprise Media Group. His firm provides both a low latency news feed and news analytics for traders. Passarella also pointed to new academic research being conducted on the degree to which frequent Google searches on various stocks can serve as trading indicators, the potential impact of various phrases and words that may appear in Securities and Exchange Commission statements and the latest wave of online communities devoted to stock trading topics.'
WSJ ends Google users’ free ride, then falls 44% in search results (Columbian)
Lauren Weinstein <[email protected]>
Wed, 14 Jun 2017 09:53:38 -0700
http://www.columbian.com/news/2017/jun/11/wsj-ends-google-users-free-ride-then-falls-44-in-search-results/

After blocking Google users from reading free articles in February, the Wall Street Journal's subscription business soared, with a fourfold increase in the rate of visitors converting into paying customers. But there was a trade-off: Traffic from Google plummeted 44 percent.

The reason: Google search results are based on an algorithm that scans the Internet for free content. After the Journal's free articles went behind a paywall, Google's bot only saw the first few paragraphs and started ranking them lower, limiting the Journal's viewership.

Executives at the Journal, owned by Rupert Murdoch's News Corp., argue that Google's policy is unfairly punishing them for trying to attract more digital subscribers. They want Google to treat their articles equally in search rankings, despite being behind a paywall.

The ranking change is exactly what should have happened. A paywalled article is less useful to the average Google search user than a free article, so it's completely reasonable that this differential is reflected in search results rankings. Sorry, WSJ, I'm playing the world's tiniest violin for you.
Turks Click Away, but Wikipedia Is Gone (The New York Times)
Lauren Weinstein <[email protected]>
Sat, 10 Jun 2017 16:50:24 -0700
NNSquad
https://www.nytimes.com/2017/06/10/world/europe/turkey-wikipedia-ban-recep-tayyip-erdogan.html?partner=rss&emc=rss

But beyond the problems it has created for the curious, Turkey's Wikipedia ban is a reminder of something darker, government critics say: a wholesale crackdown on free expression and access to information, amid wider oppression of most forms of opposition.

Wikipedia is just one of 127,000 websites blocked in Turkey, estimated Professor Akdeniz, who has led legal challenges against the Wikipedia ban and other web restrictions. An additional 95,000 pages, like social media accounts, blog posts and articles, are blocked on websites that are not otherwise restricted, Mr. Akdeniz said.

Some of these sites are pornographic. But many contain information and reporting that the government finds embarrassing. Sendika, an independent news outlet, is now on the 45th iteration of its website. The previous 44 were blocked.
The tech world is rallying around a young developer who made a huge embarrassing mistake
Gabe Goldberg <[email protected]>
Sun, 11 Jun 2017 12:29:15 -0400
“How screwed am I?” asked a recent user on Reddit, before sharing a mortifying story. On the first day as a junior software developer at a first salaried job out of college, his or her copy-and-paste error inadvertently erased all data from the company's production database.

https://qz.com/999495/the-tech-world-is-rallying-around-a-young-developer-who-made-a-huge-embarrassing-mistake/

[Even more embarrassing for the company if there were no backups! PGN]
Healthcare ransomware and how we can climb out of this mess
Kevin Fu <[email protected]>
Mon, 12 Jun 2017 15:39:52 -0400
Prof. Thimbleby and I shared our thoughts on how hospitals can climb out of the ransomware mess. Ransomware is just a symptom. Resolve the key root causes within the healthcare delivery supply chain: manufacturing, procurement, regulation, training, and governance.

http://www.healthcareitnews.com/blog/ransomware%E2%80%A8-how-we-can-climb-out-mess

Kevin Fu, Associate Professor, EECS Department, The University of Michigan
[email protected]  web.eecs.umich.edu/~kevinfu/  Twitter @DrKevinFu
Re: Software is forever (Paul Edwards, Risks 30.32)
“Arthur T.” <[email protected]>
Sun, 11 Jun 2017 01:34:21 -0400
> It's scary how many applications will not work on anything more modern
> than Windows XP, or rely on appallingly out-of-date and deprecated
> versions of Java.

The problem is not the application software. There are programs written, compiled, and linked in the 1960s which can still be run on the most modern of IBM's mainframes with the most current operating system and program products installed. The problem is that, unlike IBM mainframes, operating systems and important products for PCs are not upwards compatible. This problem is not limited to Windows.

I find the fact that some programs required "appallingly out-of-date" versions of Java to be a condemnation of current versions of Java.
Precise Documentation (David Parnas)
“Peter G. Neumann” <[email protected]>
Mon, 12 Jun 2017 10:57:26 PDT
[Dave Parnas has long been an advocate of better software. This article makes a strong case for the role of precise documentation in trying to attain better software. I consider this mandatory reading for designers and implementers. PGN]

David L. Parnas, Precise Documentation: The Key to Better Software, in *The Future of Software Engineering*, S. Nanz (ed.), Springer Berlin Heidelberg, 2010, pp. 125--148, DOI: 10.1007/978-3-642-15187-3_8, ISBN 978-3-642-15186-6 (Print), ISBN 978-3-642-15187-3 (Online)

Abstract. The prime cause of the sorry `state of the art' in software development is our failure to produce good design documentation. Poor documentation is the cause of many errors and reduces efficiency in every phase of a software product's development and use. Most software developers believe that `documentation' refers to a collection of wordy, unstructured, introductory descriptions, thousands of pages that nobody wanted to write and nobody trusts. In contrast, Engineers in more traditional disciplines think of precise blueprints, circuit diagrams, and mathematical specifications of component properties. Software developers do not know how to produce precise documents for software. Software developers also think that documentation is something written after the software has been developed. In other fields of Engineering much of the documentation is written before and during the development. It represents forethought not afterthought. Among the benefits of better documentation would be: easier reuse of old designs, better communication about requirements, more useful design reviews, easier integration of separately written modules, more effective code inspection, more effective testing, and more efficient corrections and improvements. This paper explains how to produce and use precise software documentation and illustrates the methods with several examples.

Here's another useful reference as well:

Carl Landwehr, J. Ludewig, R. Meersman, D.L. Parnas, P. Shoval, Y. Wand, D. Weiss, and E. Weyuker, Software Systems Engineering programmes: a capability approach, in Journal of Systems and Software, Vol. 125, March 2017, pp. 354--364, Article: JSS9898. DOI: 10.1016/j.jss.2016.12.016