Liam Stack, *The New York Times*, 16 Feb 2017 [PGN-ed]

At least five fake news sites were set up (such as the Houston Leader and the Salt Lake City Guardian), providing lots of partisan fake news headlines such as
* LEAKED: Lady Gaga Half-time Performance to Feature Muslim Tribute
* BOMBSHELL: Trump and Putin spotted at Swiss Resort prior to election
* California Legislature to Consider Tax Rebates for Women Who Get Abortions
* Texas Doctor Charged with Multiple Counts of Human Experimentation
and lots more similarly false stuff on similar topics. The intent was to promote a new film—A Cure for Wellness—about a fake cure that makes people even sicker. “As part of this campaign, a 'fake' wellness site, healthandwellness.com, was created and we partnered with a fake news creator to publish fake news.”—according to a statement by Regency Enterprises and 20th Century Fox acknowledging their roles in the ad campaign for the film.

There apparently was considerable outrage within the film industry, because the very next day, 20th Century Fox apologized for this movie ad campaign:

Sapna Maheshwari, *The New York Times*, 17 Feb 2017
The News Was Fake. The Regret? That's Real.

The *Times* article quotes Susan Credle (global chief creative officer of the FBC ad agency): “Fake news is not a cute or silly subject. When you start to tear down media and question what's real and what's not real, our democracy is threatened. I think this is a hot enough subject that most marketers would understand that taking advantage of a vulnerable public is dangerous.”

[One might wonder how many people will foolishly take such blatantly fake news as genuine. Based on our experience with past April Fools items, I suspect there would be quite a few with some of the cleverer spoofs that really seem semi-plausible. However, just one item quoted out of context can spread around the Internet and be accepted!

In the early days of my collecting RISKS cases beginning in the mid-1970s, there was the notorious *Weekly World News* tabloid, with its utterly fantastic headlines. Here are two examples from our archives:
* 2 dead, 1 brain-dead from Chilean bank terminal (noted in ACM SIGSOFT Software Engineering Notes 12 2, April 1987)
* First cybersex pregnancy (RISKS-19.60)
Apparently this kind of outrageous nonsense brings in customers. PGN]
NNSquad http://www.telegraph.co.uk/technology/2017/02/10/fake-news-killing-peoples-minds-says-apple-boss-tim-cook/ Tim Cook, the boss of Apple, is calling for governments to launch a public information campaign to fight the scourge of fake news, which is "killing people's minds". In an impassioned plea, Mr Cook, boss of the world's largest company, says that the epidemic of false reports "is a big problem in a lot of the world" and necessitates a crackdown by the authorities and technology firms.
Netherlands reverts to paper ballots and hand counting to thwart hackers. https://www.theguardian.com/world/2017/feb/02/dutch-will-count-all-election-ballots-by-hand-to-thwart-cyber-hacking
NNSquad http://abcnews.go.com/Technology/wireStory/forged-racist-emails-stir-university-michigan-45352248 Someone sent racist and anti-Semitic emails to University of Michigan students and made it look like they were from a computer science professor who pushed for presidential election recounts in several states. The emails were sent mostly to engineering students Tuesday with subject lines such as "African American Student Diversity" and "Jewish Student Diversity." Two messages included the phrase "Heil Trump." A school spokesman, Rick Fitzgerald, said it wasn't a hack and that campus police are investigating. It's not known if the emails were connected to Alex Halderman's activism after the election.
http://appleinsider.com/articles/17/02/08/new-mac-malware-from-iran-targets-us-defense-industry-human-rights-advocates-with-fake-flash-updates
Can foreign governments spy on Americans in America with impunity? That was the question in front of the U.S. Court of Appeals for the District of Columbia Circuit Thursday, when EFF, human rights lawyer Scott Gilmore, and the law firms of Jones Day and Robins Kaplan went to court in /Kidane v. Ethiopia/ <https://www.eff.org/cases/kidane-v-ethiopia>. Jones Day partner Richard Martinez <http://www.jonesday.com/rmartinez/> argued before a three-judge panel that an American should be allowed to continue his suit against the Ethiopian government for infecting his computer with custom spyware and monitoring his communications for weeks on end. The judges questioned both sides for just over a half hour. Despite the numerous issues on appeal, the argument focused on whether U.S. courts have jurisdiction to hear a case brought by an American citizen for wiretapping and invasion of his privacy that occurred in his living room in suburban Maryland. The question is relevant because, under the Foreign Sovereign Immunities Act, foreign governments are only liable for torts they commit within the United States. ... Ethiopia's lawyer argued next, taking the position that it should be able to do anything to Americans in America, even set off a car bomb, as long as Ethiopia didn't have a human agent in the United States. One judge asked what would happen if Ethiopia mailed a letter bomb into the United States to assassinate an opponent, or hacked an American's self-driving car, causing it to crash. Ethiopia didn't hesitate: their counsel said that they could not be sued for any of those. https://www.eff.org/deeplinks/2017/02/can-foreign-governments-launch-malware-attacks-americans-without-consequences
Yesterday I received a text message, claiming to be from the Co-op Bank stating: "This is the Co-op bank. Some services will be unavailable this weekend due to essential maintenance. For more details, visit:" followed by a link to "CoopBank.dyn.co". The ".co" top level domain is the country code for Colombia. I sent an email to the Co-op Bank to warn them of this phishing attempt and received a reply stating that the text was genuine! How can we persuade people not to click on dodgy links in emails and text messages when legitimate companies send out genuine messages with links that are indistinguishable from phishing attempts?
Andrew Krok, Road Show by CNET, February 16, 2017 11:19 AM PST Toyota issued a recall for every single Mirai hydrogen fuel cell vehicle sold around the world. That may seem like a ton, but bear in mind it's a niche vehicle utilizing an infrastructure that isn't fully fleshed out. Thus, only about 2,840 vehicles are affected. The issue relates to the car's powertrain. A unique set of driving conditions—for example, jamming the accelerator to the floor after driving on a long descent under cruise control—might cause the fuel cell's boost converter to output voltage higher than the maximum. If that happens, a warning light will come on and the fuel cell system will stop running. Toyota will fix the issue with a simple software reflash. https://www.cnet.com/roadshow/news/toyota-recalls-all-the-mirais-for-software-bug/
https://arstechnica.com/security/2017/01/majority-of-android-vpns-cant-be-trusted-to-make-users-more-secure/ Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic. Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google's official Play Market finds that the vast majority of them can't be fully trusted. Some of them don't work at all.
Agam Shah, InfoWorld, 6 Feb 2017 Intel is 'implementing and validating a minor silicon fix' to resolve the issue http://www.infoworld.com/article/3167205/storage/flaw-in-intel-atom-chip-could-crash-servers-networking-gear.html [selected text] A flaw in an old Intel chip could crash servers and networking equipment, and the chipmaker is working to fix the issue. The issue is in the Atom C2000 chips, which started shipping in 2013. [Four years old is old in a chip still in production? Risks of short-term thinking?] The usual server refresh cycle is three to five years, but networking and storage equipment—which the C2000 is targeted toward—is often used for five to 10 years. Intel continuously finds flaws in its chips, and it fixes them over time. But one that may crash a system is serious and could put data at risk. [I am curious about chip flaws being more common than I thought. Is anyone in a position to knowledgeably comment about this?] The chipmaker has given up making Atom chips for servers, ... Intel is now dedicating Atom chips to drones, robots, gateways, smart devices, and Internet of things products. [IDIOT* strikes again? *Insecurely-Designed Internet of Things]
John Ribeiro, InfoWorld, 6 Feb 2017 A government agency agreed with Samsung's view that faulty batteries caused the Note 7 to overheat http://www.infoworld.com/article/3165952/smartphones/south-korea-plans-to-tighten-battery-regulations-post-note7-crisis.html [selected text] In the wake of the Note 7 debacle, South Korea is introducing new tests and regulations to ensure battery and smartphone safety, the Ministry of Trade, Industry, and Energy said. The announcement Monday by MOTIE also agrees with the analysis by Samsung Electronics and some experts on the cause of the overheating and even explosions of some Galaxy Note 7 smartphones. Samsung, backed by experts from Exponent, TUV Rheinland, and UL, said in January that the overheating of some Note 7 phones was likely caused by the faulty design and manufacturing of batteries by two suppliers, rather than by the design of the smartphone itself.
A Russian hacking group accused of interfering with last year's presidential election has evolved its Xagent malware package, known for its ability to infiltrate Windows, iOS, Android and Linux devices, to target Macs, according to a report on Tuesday. Uncovered by security research firm and antivirus builder Bitdefender, the Mac strain of Xagent is similar to its predecessors in that it acts as a modular backdoor for intruders, reports *Ars Technica*. <https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/> <https://arstechnica.com/security/2017/02/new-mac-malware-pinned-on-same-russian-group-blamed-for-election-hacks/> Once the malware is installed, likely through the Komplex downloader, it checks for the presence of a debugger. If none is found, Xagent waits for an Internet connection to reach out to command and control servers, which in turn activate specific payload modules, Bitdefender explains. As a Mac malware, most C&C URLs impersonate Apple domains. The Xagent payload includes modules capable of searching a target Mac's system configuration, offloading running processes and executing code. More troubling is the malware's ability to grab desktop screenshots, steal web browser passwords and offload iPhone backups. The latter capability is perhaps most important from an intelligence-gathering standpoint, Bitdefender says. While an exact lineage has yet to be determined, the security firm believes APT28 is behind the Mac form of Xagent... http://appleinsider.com/articles/17/02/14/xagent-malware-arrives-on-mac-steals-passwords-screenshots-iphone-backups
via NNSquad http://www.chicagotribune.com/bluesky/technology/ct-yahoo-new-security-warning-20170215-story.html Yahoo is warning users of potentially malicious activity on their accounts between 2015 and 2016, the latest development in the Internet company's investigation of a mega-breach that exposed 1 billion users' data several years ago. Yahoo confirmed Wednesday that it was notifying users that their accounts had potentially been compromised but declined to say how many people were affected. Unavoidable reference: https://www.youtube.com/watch?v=vUi1PdYn5nk
Given the following and other Microsoft Windows 10 shenanigans, I have not done a Windows Update in quite some time now. I am more worried about Microsoft doing something nefarious to my system than anyone else. Woody Leonhard, InfoWorld, 9 Feb 2017 Earlier versions of the Win7 and 8.1 patches kicked off enhanced snooping routines, and there's no indication what's changed in these versions http://www.infoworld.com/article/3168397/microsoft-windows/microsoft-re-releases-snooping-patches-kb-2952664-kb-2976978.html selected text: We don't know what KB 2952664 (for Windows 7) and KB 2976978 (for Windows 8.1) actually do. But both patches have been shown in the past to trigger a new Windows task called DoScheduledTelemetryRun. But I do know that earlier versions of these patches triggered new snooping scans, whether the Customer Experience Improvement Program is enabled or not. And I do know that Microsoft hasn't documented much at all.
When is a date not a date? (I wonder if anyone has had problems because of supposedly outdated drivers.) Matthew Humphries, PC Mag, 9 Feb 2017 http://www.pcmag.com/news/351668/microsoft-explains-why-windows-drivers-are-dated-june-21-20 selected text: The drivers are regularly updated, but that timestamp never changes. Why? Microsoft drivers in a lot of cases are the fallback option. We all run hardware in our desktop PCs and laptops that's supplied by third-party companies, and they produce drivers for those components. These drivers are preferable to Microsoft's own, but if every time Microsoft released an updated driver it changed the timestamp to be current, Windows would view it as newer than the custom driver and replace it. You probably don't want this to happen as manufacturers' drivers are more suited than Microsoft's. So to avoid this, Microsoft timestamps all drivers with the Windows Vista Release To Manufacturing (RTM) date, which is June 21, 2006. The Vista RTM was chosen because, "since only drivers as far back as Vista are compatible with new versions of Windows, every driver should have a date newer than Vista RTM, preserving the driver you installed as the best ranked driver."
http://www.slate.com/articles/technology/future_tense/2017/02/why_you_can_t_depend_on_antivirus_software_anymore.html [Thanks to Ray Perrault for spotting this one. PGN]
As wireless devices flourish, network security pros break into cold sweats
Tim Johnson, McClatchy, 13 Feb 2017
http://www.mcclatchydc.com/news/nation-world/national/national-security/article132065839.html

Washington: Sure, your office may seem clean. But it's probably not. Invisible network pollution contaminates the space, and it may open a door to evildoers. The pollution comes from the growing list of Internet-connected devices: cellphones, security cameras, thermostats, door locks, printers, speakerphones, even coffeemakers. Not all of them have up-to-date security patches or strong password protection. All of them are potential foot soldiers for hackers.

<https://www.pwnieexpress.com/hubfs/2017InternetOfEvilThings.pdf?utm_campaign=IoET+2017&utm_source=hs_automation&utm_medium=email&utm_content=42452447>

In a report titled The Internet of Evil Things, to be released Monday, a Boston-based company says the connected devices that surround us at home and work give indigestion to technology security experts, who see the rise of a menacing new force. “Our devices live in an open and free world. They connect to anything. They connect to good things and bad things. They don't know the difference,” said Paul Paget, chief executive of Pwnie Express, the Boston cyber threat detection firm.

The problem, Paget said, is that much of the Internet-connected world is contaminated with malicious code, or malware, and your devices swim in that pollution. Increasingly, employees carry their own devices to work, perhaps unwittingly bringing cyber infections and malware into contact with an office network, or bringing devices with weak defenses that can be forcibly recruited into a hostile robotic network, or botnet, for attacks elsewhere.

The first major alarm about these zombie botnets arose on Oct. 21 when hackers used malware, which security professionals dubbed Mirai <http://www.mcclatchydc.com/news/nation-world/national/national-security/article105894272.html>, to harness an army of enslaved connected devices, mainly security cameras, to overwhelm a New Hampshire firm, Dyn, that is a backbone of the Internet. The massive attack, the largest of its kind ever, took down Internet access in some metropolitan areas of the East Coast. Rather suddenly, the risk of connected devices became a hot topic. Even the most mundane home or office device could seem, well, potentially virulent. [...]
[Bruce has written a long article that augments much of what we have noted here in the past, including the article Ulf Lindqvist and I have written for the February 2017 CACM Inside Risks series (item 240): http://www.csl.sri.com/neumann/insiderisks.html PGN] CRYPTO-GRAM February 15, 2017 <https://www.schneier.com/crypto-gram/archives/2017/0215.html>. by Bruce Schneier CTO, Resilient Systems, Inc. schneier@schneier.com https://www.schneier.com <https://www.schneier.com/crypto-gram.html>. Security and the Internet of Things [This essay previously appeared in "New York Magazine."] http://nymag.com/selectall/2017/01/the-Internet-of-things-dangerous-future-bruce-schneier.html ]
https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/

Key Findings
* A prominent scientist at the Mexican National Institute for Public Health (INSP) and two directors of Mexican NGOs working on obesity and soda consumption were targeted with government-exclusive spyware.
* All of the targets have been active supporters of Mexico's soda tax, a public health measure to reduce the consumption of sugary drinks.
* The targets received messages with malicious links that would have installed NSO Group's Pegasus spyware on their phones. NSO Group is an Israeli cyber-warfare company.
* NSO's government surveillance tool may have been misused on behalf of special commercial interests, not for fighting crime or terrorism.
There has been a problem I was having that, even though I have over 35 years of experience as a computer programmer, I had no idea why it was happening; here is how I figured out what caused it. Right now I am using a web form to type in this message. Sometimes I will go on various web sites where you're allowed to post messages or comments in forums, and on rare occasions, I'd be typing something in and the message would simply vanish. It wasn't posted, it wasn't saved; it was as if I had asked the website to cancel my message. It can be very irritating to express a complicated explanation or idea and have it vanish in the middle of what you're typing. So let me show you how this happens, and why it bodes large for more than just someone typing a comment on a web page.

Tools Needed:
* A computer with Windows
* Running Firefox browser
* Having an Internet connection

The process:
* Log on to your favorite message boards or the compose page if you use Web mail.
* Choose to reply or create a new message. This opens a text box, sets "focus" to it, and places the cursor in the box, allowing you to type in text.
* Type in some material and make a mistake and proceed to press the backspace key to correct the mistake.
* Accidentally hit F12, which is directly above the backspace. This opens a debug window so you can analyze the objects and DOM layout of the web page.
* Realize that (unless you are a web designer or programmer who wants to analyze this page) you did not want that, and press F12 again to release the debug window and go back to the "ordinary" web page.
* Unless you are very attentive, you might not notice that the "focus" - the place where the system sends keystroke messages - is not on the input area of the page, but on the whole page. This means the "mode" of the application has silently changed, and keystroke messages are sent to the application, not to the text box.
* Proceed to correct the message by pressing the backspace key. Since you're not in the text area, the web browser does not treat the backspace as a command to "delete the previously typed-in key"; it is now the *back* button, which means to back up one web page from the stack of pages you've surfed through.
* This causes the web browser to return to the previous page before you wanted to enter a reply, destroys the current web page and discards everything you typed in. It's gone forever and you can't get it back. Using the "forward" button on the toolbar returns you to the posting page, but it is cleared out, as when you start a new post.

Now, the worst thing about this is that, given the number of functions available from the keyboard, this is not the only way for the focus to change; there are other possible keystrokes you can make that can take the focus off the input box and move it to the app, and thus potentially cause a mode change that you do not even know has happened. Now, this presents a big possibility of error "writ large" onto any application or system where any button or key used by an application is modal, in which the button's functionality is different according to the current mode you are in. Obviously having a mode change the behavior of an application without the user being aware of it could have substantial risks that are clearly obvious.
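As an added illustration (not part of the original post, and not code from any browser or site it mentions), here is how a web form can defend its users against exactly this silent mode change: a script that cancels a plain Backspace arriving while focus is outside any editable element, and asks for confirmation before the page is unloaded with an unsaved draft. The element selection and the "dirty draft" rule are my assumptions.

```javascript
// Added example (not from the RISKS post): guards a web form against the
// F12 / Backspace focus loss described above.  Two pure decision functions
// (testable without a browser) plus optional wiring into the DOM.

const EDITABLE_TAGS = new Set(['INPUT', 'TEXTAREA', 'SELECT']);
// <input> types in which Backspace has no editing meaning.
const NON_TEXT_INPUT_TYPES = new Set([
  'checkbox', 'radio', 'button', 'submit', 'reset', 'file', 'image', 'range', 'color',
]);

// True if `target` is a place where typing (and therefore Backspace) is legitimate.
function isEditableTarget(target) {
  if (!target) return false;
  if (target.isContentEditable) return true;
  if (!EDITABLE_TAGS.has(target.tagName)) return false;
  if (target.readOnly || target.disabled) return false;
  if (target.tagName === 'INPUT') {
    const type = String(target.type || 'text').toLowerCase();
    return !NON_TEXT_INPUT_TYPES.has(type);
  }
  return true;
}

// Should this keydown be cancelled?  This is exactly the situation after
// F12, F12: a plain Backspace while focus has silently moved off the text box.
function shouldSwallowBackspace(ev) {
  if (ev.key !== 'Backspace') return false;
  if (ev.altKey || ev.ctrlKey || ev.metaKey) return false; // explicit shortcuts stay
  return !isEditableTarget(ev.target);
}

// Assumed draft rule: a field is "dirty" when its non-blank value differs
// from the value it had when the page loaded.
function hasUnsavedDraft(fields) {
  return fields.some((f) => {
    if (typeof f.value !== 'string') return false;
    const initial = typeof f.defaultValue === 'string' ? f.defaultValue : '';
    return f.value.trim() !== '' && f.value !== initial;
  });
}

// Wire the guards in when running inside a browser; returns false otherwise
// (e.g. under Node), so the decision functions can be exercised headlessly.
function installDraftGuards(
  doc = typeof document === 'undefined' ? null : document,
  win = typeof window === 'undefined' ? null : window,
) {
  if (!doc || !win) return false;
  doc.addEventListener('keydown', (ev) => {
    if (shouldSwallowBackspace(ev)) ev.preventDefault(); // do not navigate Back
  }, true); // capture phase: runs before page scripts see the key
  win.addEventListener('beforeunload', (ev) => {
    const fields = Array.from(doc.querySelectorAll('textarea, input'));
    if (hasUnsavedDraft(fields)) {
      ev.preventDefault();
      ev.returnValue = ''; // older browsers need this to show the prompt
    }
  });
  return true;
}

installDraftGuards();
```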
https://www.wired.com/2017/02/spanner-google-database-harnessed-time-now-open-everyone/#a-6159ef6b-4043-4271-89e3-b3c5108d72a8 Google can change company data in one part of this database--running an ad, say, or debiting an advertiser's account--without contradicting changes made on the other side of the planet. What's more, it can readily and reliably replicate data across multiple data centers in multiple parts of the world--and seamlessly retrieve these copies if any one data center goes down. For a truly global business like Google, such transcontinental consistency is enormously powerful.
https://www.wired.com/2017/02/ai-threat-isnt-skynet-end-middle-class/
I stopped by our local wilderness park today to take a photo of some wildflowers with my Android phone. Imagine my shock an hour or so later when the phone's notifications screen offered me a chance to "Be a part of Google Maps! Share your pictures of Claremont Hills Wilderness Park" complete with thumbnails of the photos I took. Now to be fair, the thumbnails could have been assembled into the message on my phone without ever being sent to Google. But the only way they could have known that I took a picture near (not in) the park was if the GPS data and the fact of the photo were sent to them, without my knowledge or permission, when I hit the shutter button. To make matters worse, I wasn't even using the phone's built-in camera app; I was using an alternative, Camera FV-5, which as far as I can tell only uses your GPS location internally. So the conclusion is that every time my camera's shutter operates, the location (and maybe a thumbnail) is sent to Google. Most of the time they might discard it, but it's still creepy. And IMHO it certainly violates their motto of "Don't be evil." One more reason to use a real camera...
This is all documented. If memory serves the specific option is in: maps>settings>notifications ("add photos" or some such) Also, a similar effect would likely be achieved by turning off location sharing. - - - Add Photos to Multiple Places No more digging through photos and searching for the right now we automagically match them for you with Google Photos. On your Android phone, simply turn on the back up and location features in Google Photos to have your photos of places appear in the Contribute tab of Google Maps, ready for you to share and score points.
I'm going to be a bit gauche and toot my own horn here, hopefully while putting some context on the three quantum-related items in the last couple of issues of RISKS. I am one of the few classically-trained computer architects whose research is full time quantum, and has been since 2003. Apologies for the collective length, but since I'm addressing several prior posts I hope you'll allow them. First, D-Wave: the Wired article says, "D-Wave's computers can't tackle all algorithms yet,"—no kidding! It's a special-purpose machine that solves optimization problems mapped to Ising spin problems, a type of graph problem. It's a one-trick pony, although it's a really good trick, if it works. "[T]hird-party research didn't consistently confirm hype about D-Wave machines' speed gains versus classical computing." *Really* no kidding! The only person I trust unreservedly about this is Matthias Troyer (ETH Zurich & Microsoft Research). Turns out that characterizing performance of algorithms with many parameters including probability of being within some distance of optimal is tricky stuff. A great place to start is http://www.sciencemag.org/content/345/6195/420.abstract The slides by John Seymour, linked to from the Wired article, are an excellent account of one adventure using the machine. Designing algorithms for somewhat more general-purpose quantum computers is nothing like designing classical algorithms. The entire goal is to use entanglement and the wave nature of quantum states to drive the machine toward a state where non-answers to your problem destructively interfere, and answers to your problem constructively interfere. 
For discussion of the state of machines and our attempts to design them, see (ahem)
A blueprint for building a quantum computer: http://dl.acm.org/citation.cfm?id=2494568
Quantum computing's classical problem, classical computing's quantum problem: https://arxiv.org/abs/1310.2040
The path to scalable distributed quantum computing: http://ieeexplore.ieee.org/abstract/document/7562346/ or https://arxiv.org/abs/1605.06951
and I love Dave Bacon's review of quantum algorithms, though it's getting a bit long in the tooth now: http://dl.acm.org/citation.cfm?doid=1646353.1646375
Apologies for the length, I didn't set out to write something this long...

RISKS 30.13 had a note about the Jennewein team capturing single photons from an airplane on the ground. It's preparatory work to doing the same thing from a satellite, and it's great stuff. Note that Makarov is a coauthor, and Makarov is the best "red team" QKD person on the planet, known for his work hacking QKD systems. And, in case you haven't heard, China already *has* a satellite in orbit for essentially the same experiments: https://www.rt.com/news/374167-china-quantum-satellite-operational/ They haven't yet published data from the satellite (launched last August), but they're now saying it's performing "much better than expected".

The basic idea is to generate pairs of entangled photons in space, and capture them at two different locations on the ground. The current experiments, as far as I know, involve only capturing and measuring the photons directly, which means they are good for only quantum key distribution (QKD), creating a guaranteed-secret stream of classical bits shared with exactly one partner. Doing this via satellite has a lot of security advantages, including how hard it is to intercept and resend signals. This form of QKD (so-called Ekert-style, known as E91, using entangled pairs of photons rather than single photons from a sender to a receiver) is not subject to worries about e.g. the quality of the RNG on the satellite. Even if you could fly a high-altitude aircraft that spoofed the satellite, proper operation of the checks on the ground would _still_ keep the key secure. A combination of spoofing the satellite with a known vulnerability in the RNG at the ground stations could result in a compromised key, I believe, by judiciously avoiding the checks. Or, rather than directly spoofing the entangled pairs, other recent work has shown how, with some receiver setups, you can force any outcome you like (see DOI:10.1126/sciadv.1500793).
n.b.: Some of this is speculative, given that I haven't seen details of the experiments they are doing with the actual satellite, but I have read many of their preparatory papers. Of course, there are a lot of limitations, including weather and satellite orbit. And if you have failures in orbit, fixing them is hard!

Jian-Wei Pan's group is the best in the world at this kind of optical experiment. He was in Zeilinger's group in Vienna, which is the only other real contender for best at this kind of thing. Jian-Wei is also chief architect of the fiber-based QKD network they are now building out in eastern China. My viewpoint is limited, but from where I sit, he is probably China's most famous and most politically powerful researcher, in any field, and with good reason.

I've already gone on long here, but I want to note that QKD, which involves early, direct measurement of the quantum states as photons, is only the beginning of quantum networking. If we can build quantum repeater networks that create entanglement over long distances, we can do many more things: sensor networks and interferometers with better-than-classical precision; high-precision distributed clocks (although whether they can be built without supporting classical infrastructure that already exceeds the quantum portion is an open question); other security functions such as stronger byzantine agreement; and distributed quantum computation (such as blind computation). See (again, ahem) https://www.verisign.com/en_US/company-information/verisign-labs/speakers-series/quantum-networks/index.xhtml and (final ahem) my book, _Quantum Networking_ http://as.wiley.com/WileyCDA/WileyTitle/productCd-1848215371.html (Apologies for the price. I get a couple of bucks, the publisher gets the rest.)

Happy to talk at more length with any RISKers who are interested in either quantum computing or quantum networking.

Prof. Rodney Van Meter, Faculty of Environment and Information Studies, Keio University, Japan
rdv@sfc.wide.ad.jp  http://web.sfc.keio.ac.jp/~rdv/
I'm really thrilled to see someone of Rob's firepower thinking seriously about what quantum computing means to a particular community (in this case, the security community). And I hadn't seen his articles before, so I'm reading them and sharing with my students. Re: security of the quantum computers themselves: yes, their operations are very easily disrupted (a bigger problem, actually, for quantum networks, see my next message). But as to verifying the answers they produce, that should be straightforward. Anything like an NP-complete problem, or math problems like factoring, it's pretty easy to check. Other applications, such as quantum chemistry (popularly touted as an important class of apps) are harder. Re: security of results: One of my favorite ideas of the last decade is blind quantum computation, by Broadbent, Fitzsimons and Kashefi. Like Gentry's homomorphic encryption, it allows a computer to run an algorithm with no access to the input or output data. Blind QC goes a step further and keeps even the algorithm hidden. You can run the algorithm on a remote server, and the server, its operators and hackers can learn nothing at all except an upper bound on the size of the computation you have done. https://arxiv.org/abs/0807.4154 The penalty for using BQC is substantial, but tolerable, even when accounting for quantum error correction. However, the network demands to use it remotely in full form are unrealistically high for the foreseeable future, see (again, ahem) https://arxiv.org/abs/1306.3664 and papers by others that I don't have handy at the moment. Re: applications for QCs: Rob suggests a number of things that are "hard" problems. Unfortunately, due to very limited memory capacity and inconceivably low I/O rates, no "big data" applications are in the offing, so e.g. climate modeling is right out. 
Problems involving modeling of other quantum systems, such as quantum chemistry of fertilizers (the favorite example problem of the Microsoft Research folks) are good candidates. Small-data problems with high branching factors, like solving chess or go without a massive library, are good candidates. Re: "superposition will allow for the processing of vast numbers of possibilities simultaneously": Scott Aaronson, one of the premier theorists and quantum's most visible and funniest blogger, really hates that description. See my last message for a short discussion of algorithm design via interference, or Scott's blog at http://www.scottaaronson.com/blog/?p=2026 or his book _Quantum Computing Since Democritus_, if you want the hard thinking without the math. (That book is amazingly deep given the dearth of equations.) Enough for now, a note about networking later...
Re: stealing a quantum key (Feb 2 in WiReD) On Mon, 6 Feb 2017 Werner U <werneru@gmail.com> wrote "... it's physically *impossible* for a hacker to steal a key encoded using quantum particles." It is physically impossible for a hacker to steal such a key *without being detected*. This is clearly communicated in the rest of the paragraph.
Paul E. Black, 100 Bureau Drive, Stop 8970, Gaithersburg, Maryland 20899-8970, paul.black@nist.gov, voice: +1 301 975-4794, fax: +1 301 975-6097, http://hissa.nist.gov/~black/ KC7PKT
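The "detected, not prevented" distinction above is easy to see in a simulation. The following is an added example, not part of Paul Black's note or of the WiReD article: a classical Monte-Carlo model of the BB84 protocol in which photons are represented as (basis, bit) pairs, an intercept-resend eavesdropper measures every photon in a guessed basis, and Alice and Bob estimate the error rate on a sacrificed subset of the sifted key. The 4000-photon session size, the seeds and the 11% abort threshold are constructed for illustration.

```python
"""Added example, not part of the RISKS note: a classical Monte-Carlo model of
BB84 showing that an intercept-resend eavesdropper reads the photons but is
revealed by the error rate she induces.  Photons are modelled as (basis, bit)
pairs; all randomness comes from Python's `random`; the session sizes and
seeds below are constructed for illustration."""
import random

RECTILINEAR, DIAGONAL = 0, 1


def random_bits(rng: random.Random, n: int) -> list:
    return [rng.randrange(2) for _ in range(n)]


def prepare(bit: int, basis: int) -> tuple:
    """Alice encodes one bit as a photon polarised in the chosen basis."""
    return (basis, bit)


def measure(photon: tuple, basis: int, rng: random.Random) -> int:
    """Measuring in the preparation basis returns the encoded bit; measuring in
    the other basis returns a uniformly random bit (the state is disturbed)."""
    photon_basis, bit = photon
    if photon_basis == basis:
        return bit
    return rng.randrange(2)


def bb84(n: int, rng: random.Random, eavesdrop: bool = False) -> tuple:
    """Run one BB84 session over n photons.  Returns (qber, key_bits)."""
    alice_bits = random_bits(rng, n)
    alice_bases = random_bits(rng, n)
    photons = [prepare(b, s) for b, s in zip(alice_bits, alice_bases)]

    if eavesdrop:
        # Eve guesses a basis per photon, measures, and re-sends a fresh photon
        # carrying her result in her guessed basis.  Half her guesses are wrong,
        # and each wrong guess flips Bob's sifted bit half the time: ~25% QBER.
        eve_bases = random_bits(rng, n)
        photons = [prepare(measure(p, eb, rng), eb)
                   for p, eb in zip(photons, eve_bases)]

    bob_bases = random_bits(rng, n)
    bob_bits = [measure(p, bb, rng) for p, bb in zip(photons, bob_bases)]

    # Sifting: bases are announced over the public channel and positions where
    # Alice and Bob chose differently are discarded.
    sifted = [(a, b) for a, b, sa, sb
              in zip(alice_bits, bob_bits, alice_bases, bob_bases) if sa == sb]

    # Error estimation: a subset of sifted bits is compared in the clear and
    # then discarded.  Sifted positions are already random relative to Eve's
    # choices, so the first half is a fair sample.
    half = len(sifted) // 2
    errors = sum(1 for a, b in sifted[:half] if a != b)
    qber = errors / half if half else 0.0
    key = [a for a, _ in sifted[half:]]
    return qber, key


def accept_key(qber: float, threshold: float = 0.11) -> bool:
    """Abort when the observed error rate exceeds the tolerated bound.  11% is
    an assumed, commonly quoted limit for BB84 with one-way post-processing;
    intercept-resend on every photon gives about 25%, far above it."""
    return qber < threshold


def simulate(seed: int, n: int = 4000, eavesdrop: bool = False) -> tuple:
    """Deterministic wrapper: run one session with a seeded generator."""
    return bb84(n, random.Random(seed), eavesdrop)


if __name__ == "__main__":
    for eve in (False, True):
        qber, key = simulate(2017, eavesdrop=eve)
        print(f"eavesdropper={eve!s:5} key bits={len(key)} "
              f"QBER={qber:.3f} accept={accept_key(qber)}")
```

Note what the model does and does not say: Eve obtains roughly three quarters of the sifted bits correctly, so the key is certainly "stolen" in the everyday sense; what she cannot do is avoid pushing the error rate from zero to about a quarter, which is why Alice and Bob discard the session rather than use it. A real deployment also has to separate Eve's errors from channel noise, which is what the threshold parameter stands in for.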
Having been on an observation ship during a failed missile test back in the '80s I can tell you this is much ado about nothing. All missile launches...including subs...have a missile safety officer. Their sole job is to have their finger on the detonate button if something goes wrong. We were about 10km as I recall from a Trident launch and the missile started to roll...took probably 2 seconds before the safety officer destroyed it. The idea that a missile might "veer" towards the U.S. is just one of the obviously many directions a bad missile might go. As soon as it goes off course it will be destroyed. The extremely poor scientific reporting that goes on in the media leaves a lot of people with bad and/or incomplete information....just like the current scare mongering from Fukushima with news agencies reporting "record radiation levels"....of an area that had never been measured before....and who woulda thunk a nuclear reactor core might actually be dangerous?
What most respondents seem to ignore is that the difference between indentation-oriented syntax and enclosing-delimiter-oriented one is not a matter of the behavior or availability of automatic indenting applications. The main issue is that with the latter syntax (e.g. Python's) there's no way to know where an "if" or a "while" statement ends, except by indentation; messing indentation on even a single line can result in a program which is syntactically valid, but wrong. In a language like C, one would have to lose at least two opposing braces to get this result, and it's even harder with languages which use syntax like if...fi and do...od .
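The failure mode described above can be shown concretely. The following is an added example, not code from the RISKS contributor: two Python sources that are identical except for the indentation of one line. The task (sum the even numbers until the first negative) and the inputs are constructed for illustration; both sources compile without complaint and only one computes what was intended.

```python
"""Added example, not part of the RISKS contribution: two Python programs that
differ only in the indentation of one line.  Both compile; only one is correct.
The task and inputs are constructed for illustration."""
import ast

# Intended behaviour: sum the even numbers in xs, stopping at the first negative.
CORRECT = '''
def sum_evens_until_negative(xs):
    total = 0
    for x in xs:
        if x < 0:
            break
        if x % 2 == 0:
            total += x
    return total
'''

# Identical text except that `return total` is indented one level too far,
# which moves it inside the loop body: the function now returns after the
# first element.  No keyword or delimiter is missing, so the parser has
# nothing to object to.
MISINDENTED = '''
def sum_evens_until_negative(xs):
    total = 0
    for x in xs:
        if x < 0:
            break
        if x % 2 == 0:
            total += x
        return total
'''


def parses(src: str) -> bool:
    """True if Python accepts the source as syntactically valid."""
    try:
        ast.parse(src)
        return True
    except SyntaxError:
        return False


def run(src: str, xs: list) -> int:
    """Compile and execute the source, then call the function it defines."""
    namespace: dict = {}
    exec(compile(src, "<example>", "exec"), namespace)
    return namespace["sum_evens_until_negative"](xs)


def loop_body_len(src: str) -> int:
    """Number of statements directly inside the for-loop: the one structural
    difference between the two sources, visible only in the AST."""
    func = ast.parse(src).body[0]
    loop = next(n for n in func.body if isinstance(n, ast.For))
    return len(loop.body)


if __name__ == "__main__":
    sample = [2, 3, 4, -1, 6]
    for name, src in (("correct", CORRECT), ("misindented", MISINDENTED)):
        print(f"{name:12s} parses={parses(src)} loop_body={loop_body_len(src)} "
              f"result={run(src, sample)}")
```

Running it shows both sources parsing, the loop body growing from two statements to three, and the result for the sample changing from 6 to 2; a brace-delimited language would have required a matching pair of delimiters to move before the same change could be expressed.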
Don Norman wrote: "More facts: I never used a DEC (Digital) PDP-10, although I did use (and own) many every other DEC machine: PDP 1, 4, 7, 8, 9, 11 and Vax. I managed to skip the 10, which was replaced by the Vax." To set the record straight, the Decsystem 20 replaced the PDP 10, both of which were 36-bit architecture. Then DEC deprecated the 20. Then the only mainframe option to a (now former) Decsystem 20 customer was either an IBM 370 series or a DEC VAX. But the VAX, like the 370, is a 32-bit machine, is not compatible in terms of operating system or architecture with the 10 or the 20, and was the replacement for the 16-bit PDP-11, with which its machine instruction set was compatible.
A couple of articles have mentioned the wired.com site; please be aware that they run an ad-blocker-blocker, which means you either disable your blocker (which I won't do) or risk (no pun intended) your privacy by signing up; I won't trust any site that demands I either view adverts, or pay what amounts to a ransom. [Let's hope someone at EFF is reading RISKS. PGN]
Joel Achenbach, *The Washington Post*, 9 Feb 2017 https://www.washingtonpost.com/news/speaking-of-science/wp/2017/02/09/the-march-for-science-is-gaining-mainstream-momentum/ Many scientists are reluctant to leap into politically charged territory, but these are not normal times, and even the most mainstream science organizations say there may be no choice but to take to the streets. The much-discussed March for Science, organized via social media and scheduled for April 22 in Washington, has been gaining momentum. Christine McEntee, executive director and chief executive of the American Geophysical Union, said Thursday that her organization has been talking in recent days with march organizers and looking for ways to support the effort. “We are pleased to see the growing support for the value of science and scientific integrity. AGU has begun discussions with the organizers of the march and we are exploring how we can best support their efforts. Democracy is based on active participation. We fully support the efforts of scientists to speak out on these important issues.'' [...]
"The History of Cybercrime (1976-2016)" was published in January 2017 in Germany by the Cybercrime Research Institute, Cologne. It contains new information from United Nations organizations, INTERPOL, a new chapter on Public-Private Partnerships, new information on the Internet of Things (IoT), the encryption problems for law enforcement, and much more. The book is now available on Amazon in Kindle and print editions.