The RISKS Digest
Volume 26 Issue 36

Saturday, 5th March 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Swiss Officials Order Citizens to Wear Masks in Public—Ban Tourists Posting Photos on Web
Lauren Weinstein
An Outbreak Of Out Of Order Moles Whac-a-moles
Hans Polzer
Matt Blaze: "Shaking Down Science"
Raining on cloud computing: Gmail outage
Mark Thorson
500,000 Gmail accounts go offline, some users lose all their data
David Farber
Restoration of Gmail accounts from tape almost completed
Lauren Weinstein
Mac OS X backdoor Trojan, now in beta?
Chester Wisniewski via Monty Solomon
Risks in health records
NY Assembly candidate's law shoots him in the foot
Celeste Katz
SSD Erasure Unreliable
Gene Wirchenko
"Can You Frisk a Hard Drive?"
David K. Shipler
Facebook To Share Users' Home Addresses, Phone Numbers With External Sites
Huffington Post
Vulnerable social networking platforms
Re: Kill Switch, Anyone?
Jonathan Kamens
Re: Tree octopus exposes Internet illiteracy
Daniel A Graifer
Susan Landau: Surveillance or Security?
Info on RISKS (comp.risks)

Swiss Officials Order Citizens to Wear Masks in Public --

<Lauren Weinstein>
Thu, 24 Feb 2011 14:04:22 -0800
   Ban Tourists Posting Photos on Web

BERNE (ZAP)—In a bold move to demonstrate that the Swiss government is as
serious about privacy for its citizens as it has historically been regarding
the protection of illicit foreign assets in Swiss bank accounts, the head of
the newly created Switzerland Federal Department of Facial Anonymity,
Nicolas J. Biellmann, today issued a preliminary order requiring that all
Swiss citizens wear "full head coverage" masks at all times when outside
their homes or places of business within the borders of Switzerland.

This groundbreaking move, being enthusiastically supported by radical
pro-privacy groups in Switzerland and around the world, comes on the heels
of previous Swiss orders that search giant Google must obscure every single
human face—even if this must be done manually—that appears in their
"Street View" images, or else potentially terminate Street View services for
Switzerland ( [Lauren's Blog] ).

"Upon due reflection," said Biellmann, "we realized that Google Street View
was only the tip of the iceberg.  After all, Street View imagery is usually
only updated after months or even years.  But there are lots of other people
out there taking photos of Swiss faces every day—whom we must protect our
citizens against as well."

The "mask order" comes in conjunction with other new regulations banning
tourists in Switzerland from posting to the Internet any photos of Swiss
citizens, even taken in public places and gatherings.  Under this new law,
any such photos that are subsequently posted to the Web, will bring about
swift action by Swiss authorities.  This may involve Web site shutdown
orders, extradition of the tourist photographers back to Switzerland if they
have already left the country, and in extreme cases the so-called Swiss
"doomsday" option—the remote and permanent shutdown of any and all cuckoo
clocks associated with the photos' perpetrators.

At a press conference in downtown Berne today, reporters were provided with
examples of the government-approved masks that would be required under the
new order [editors, see photo DS0393-A3 - (Lauren's
Blog)].  Officials noted that approved masks would be available in a wide
range of styles, and would include characteristics of popular Swiss folk
heroes, characters from major films, and even a wide range of cute animals.

In answer to a reporter's question, Biellmann explained that approved masks
would be constructed from special materials that are essentially transparent
to government real-time surveillance closed-circuit television (CCTV)
cameras.  "We want to assure everyone that the government will still be able
to track your every move via our CCTV systems.  Our goal here is simply to
make sure that firms like Google, and individual tourists, are blocked from
citizen photography.  You can be confident that law enforcement and other
aspects of the government will have full access to your actual faces at all
times, everywhere you go in public.  Your ugliness will not be seen by
anyone else," said Biellmann.

After a brief comment period, the new masking and anti-tourist photography
regulations are expected to become law on April 1, 2011.

 - - -

Update (February 25, 2011): Yes, except for the part about Switzerland
demanding that Google obscure every single Swiss face in Street View—even
if it has to be done manually—the rest of the story described in this
posting is of course a satire. But you already knew that.

Lauren Weinstein (
People For Internet Responsibility:
Network Neutrality Squad:  Tel: +1 (818) 225-2800

An Outbreak Of Out Of Order Moles Whac-a-moles (Hans Polzer)

"Peter G. Neumann" <>
Mon, 28 Feb 2011 12:59:47 PST

  [From Hans Polzer via Will Tracz (Editor of the ACM SIGSOFT Software
  Engineering Notes, and General Chair ACM SIGSOFT 2012 - FSE 20; +1 607 741-2666).  PGN]

An Outbreak of Out-of-Order Moles [OoOoOMs!]

What happens when your Whac-A-Moles stop popping up? Well, the game gets
slapped with an out of order sign and no longer generates any
just takes up space.  So when an unusual outbreak of Whac-A-Mole
malfunctions forced amusement park operators to start making service
requests, did anyone think much of it? Well, yes, and no.

Matt Blaze: "Shaking Down Science"

"Peter G. Neumann" <>
Mon, 28 Feb 2011 12:59:47 PST

  Some time in January, the IEEE apparently quietly revised its copyright
  policy to explicitly forbid us authors from sharing the "final" versions
  of our papers on the web, now reserving that privilege to themselves
  (available to all comers, for the right price).

  [This item by Matt is very important for you all to read.  I am inclined
  to openly include Matt's entire text here, but it is even more important
  for RISKS readers to go to the source and see how this item fits in to the
  rest of what Matt has available.  Organizations such as ACM and IEEE are
  clearly having difficulties adapting to the non-print world of the
  Internet.  But preventing authors who believe in the importance of
  openness in research from distributing their own publications is a
  horrendous step backwards.  PGN]

Raining on cloud computing: Gmail outage

Mark Thorson <>
Mon, 28 Feb 2011 14:02:47 -0800

Yesterday, Google wiped out the e-mail for an unknown number of users.
Early estimates were as high as 150,000, but later estimates have pared
that down to a number still in the tens of thousands.

Google predicts being able to restore all accounts by the end of today

I've been skeptical about the whole concept of cloud computing since I first
heard about it.  You're taking your most important stuff—your data and
applications—and placing it out of your control in the cloud.  How many
more incidents like this will it take to completely discredit cloud
computing?  When will cloud computing have its Hindenburg disaster?

500,000 Gmail accounts go offline, some users lose all their data

David Farber <>
Mon, 28 Feb 2011 10:30:15 -0500

Restoration of Gmail accounts from tape almost completed

Lauren Weinstein <>
Tue, 1 Mar 2011 13:11:50 -0800

A number of people have asked me about this incident, especially the "how
could multiple copies of data be damaged/lost?" question.

While I wouldn't assert that this example is strictly relevant in this
particular case, RAID may provide a useful example.

I've been warning folks for years that even the higher levels of RAID
(Redundant Array of Independent Disks) protection do not necessarily
mean that data won't be lost, especially when those disks all share
a single controller.

If the controller in such a situation fails in a particularly nasty
way, it could potentially corrupt enough of the data across the entire
array of RAID disks to cause unrecoverable data loss.

Even when your redundant data is stored at different locations, it is
possible for failure (in this case, likely a software-related problem) to
cause data loss or corruption that may not be detected until it has been
copied across to other replicated versions of the files.  Even if you kept
multiple copies of an e-mail index, it's possible to have failure modes
where problems in one copy spread to the other copies prior to detection.

That's why having completely isolated backups—such as tape in Google's
case—makes excellent sense.

And for those of you attempting to use this case as an argument against
cloud computing, I would simply note that only a relatively small number of
Google's users were affected, it appears that their data will be
successfully recovered, and when most people's home or business PC disks
fail, they probably haven't been backed up at all.  Technical term for that:
S.O.L.  (Official Gmail Blog)

Lauren Weinstein (
People For Internet Responsibility:
Network Neutrality Squad:  +1 (818) 225-2800

Mac OS X backdoor Trojan, now in beta? (Chester Wisniewski)

Monty Solomon <>
Mon, 28 Feb 2011 09:19:53 -0500

Chester Wisniewski. *Sophos*, 26 Feb 2011

It appears there is a new backdoor Trojan in town and it targets users of
Mac OS X. As even the malware itself admits, it is not yet finished, but it
could be indicative of more underground programmers taking note of Apple's
increasing market share.

SophosLabs analyzed the sample we received and determined that it is a
variant of a well-known Remote Access Trojan (RAT) for Windows known as
darkComet. The author of the Trojan refers to it as the 'BlackHole RAT', as
you can see from the screenshots, but Sophos calls it OSX/MusMinim-A, or
'MusMinim' for short.

The name 'Black Hole' is already used by a legitimate application which
actually aims to increase security on your Mac by helping you get rid of
potentially sensitive information such as recently-used file lists, data
left in the clipboard, and more.

MusMinim is very basic and there appears to be a mix of German and English
in the user interface. Its functions include:

* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to
click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target...

Risks in health records

"Peter G. Neumann" <>
Mon, 28 Feb 2011 14:48:53 PST

  [Thanks to dkross]

"... What's more, some health-care experts say the number of errors could
jump in coming years. That's because the 2009 economic-stimulus legislation
included $19 billion in spending to encourage the use of electronic health
records—a major source of billing mistakes, says Ross Koppel, a sociology
professor at University of Pennsylvania's Center for Clinical Epidemiology
and Biostatistics who has studied electronic records extensively. The
U.S. Department of Health and Human Services estimates that 80% of hospitals
will use electronic records by 2014, up from 16% now.

... But those bills are sometimes inaccurate—often as a result of
electronic billing snafus. Among their benefits, electronic records can
reduce the risk of duplicate testing by enabling doctors to track patients'
care. David Blumenthal, national coordinator for electronic health records
at the U.S. Department of Health and Human Services, says the technology
helps prevent potentially fatal errors such as prescribing medication that a
patient is allergic to. Electronic health records will "improve care for
patients and bring about greater cost-effectiveness in our health sector,"
he says...."

NY Assembly candidate's law shoots him in the foot (Celeste Katz)

"Peter G. Neumann" <>
Wed, 23 Feb 2011 16:12:21 PST

Celeste Katz,
Dem Frank Skartados doomed by vague election law crafted by his own lawyer,
*New York Daily News*, 21 Feb 2011

Assembly Speaker Sheldon Silver's former adviser wrote the state law that
may have cost him his powerful, veto-proof, Democratic supermajority.
Democrat Frank Skartados was forced to concede the seat for the 100th
Assembly District last week when he was a mere 15 votes behind.  In his
heart of hearts, he believes he won.

But in a double whammy of irony, Skartados was seemingly doomed by a vague
election law that was crafted by his own lawyer, Kathleen O'Keefe, while she
worked as Silver's chief election counsel. O'Keefe's strict interpretation
of her own law walled off one of Skartados' last hopes of fighting for the
seat.  "I couldn't do anything with the way the law was written," said
Skartados, who conceded to Republican Tom Kirwan after one of the most
drawn-out contests in state history. "But I feel that justice was not served
because the voices of everyone were silenced by the courts."

A Brooklyn appeals court ruled unanimously in favor of Kirwan when it tossed
out about 60 contested affidavit ballots. That left Skartados just 15 votes
behind. In New York City, Board of Elections rules automatically require a
hand inspection of the paper trail from voting machines in any election
where the margin is 0.5% or less.  State election law doesn't - and in races
as close as the one for this Hudson Valley seat, it could make all the
difference. "New York law offers very little guidance as to when a full
recount is required," elections law expert Jerry Goldfeder said. "The law
needs to be clarified."

SSD Erasure Unreliable

Gene Wirchenko <>
Tue, 22 Feb 2011 12:48:24 -0800

InfoWorld Home / InfoWorld Tech Watch
Woody Leonhard, *InfoWorld*, 22 Feb 2011

Flash-based solid-state drives nearly impossible to erase
Think you got rid of that confidential information on your SSD?
The results of a new study will come as a rude awakening

selected text:

Researchers from the University of California at San Diego delivered a paper
at the FAST-11 Conference in San Jose, Calif., last week that shows it's
almost impossible to reliably erase data from a solid state drive.

The tome, "Reliably Erasing Data from Flash-Based Solid State Drives" (PDF),
goes through all of the known techniques for erasing data and comes up short
in every case. The study's method is straightforward: They put repeating
data on an SSD or USB drive, tried using various erasing techniques, took
the SSD or USB drive apart, and pulled raw data off the chips. If any of the
original data remained, erasing didn't work.

The culprit? SSD's so-called Flash Translation Layer, a firmware interface
that makes an SSD appear to the PC like a big fat, uh, FAT device. Operating
systems want to work with file allocation tables and clusters. SSDs have to
deal with the vagaries of Flash media, which are quite different from
rotating magnetic layers. For example, SSD blocks have to be erased before
they can be written, and erasing takes a lot of time. FTL figures out how to
erase unused blocks of memory when the SSD isn't doing anything else. SSD
devices wear out faster if the same blocks are written and rewritten, so FTL
balances the write load across all of the available memory.

You might imagine with all of these delayed erases running around and blocks
of data being intentionally scattered to remote corners, there's some
potential for error. Ends up, there's more than just a potential.

  Perhaps some day we'll see the recommendations applied to an SSD
  device. In the meantime, the only sure way to erase the data on an SSD or
  USB drive requires a very large hammer.

 - - -

  [PGN adds: Lauren Weinstein commented in his various distributions on
  this quote:

     "Our results show that naively applying techniques designed for
      sanitizing hard drives on SSDs, such as overwriting and using
      built-in secure erase commands is unreliable and sometimes
      results in all the data remaining intact. Furthermore, our
      results also show that sanitizing single files on an SSD is much
      more difficult than on a traditional hard drive."

  With the rise of SSD memory as a replacement for traditional hard disks,
  the security and privacy aspects of this situation seem quite noteworthy,
  to say the least.  You can bet that those parties (legit or not) who wish
  to extract data from laptops, iPads, smartphones, or other SSD-based
  devices will already be ahead of the curve.  Ya' think you really deleted
  that cleartext before sending out the encrypted version?  You sure you
  actually deleted that company confidential material (or that porn!) before
  you head back through U.S. Customs?  Lauren]

"Can You Frisk a Hard Drive?" (David K. Shipler)

Lauren Weinstein <>
Sun, 20 Feb 2011 20:12:09 -0800

David K. Shipler), Can You Frisk a Hard Drive? *The New York Times*,
19 Feb 2011

My comments:

Anyone who travels internationally with a laptop containing anything
significant beyond the bare necessities for accessing cloud-based data under
password and/or other security controls, is unfortunately simply asking for

This holds especially true for the vast majority of travelers—who have
done nothing wrong—but may still have their devices' (laptops,
smartphones, etc.) data copied and searched in detail without a warrant or
any indication that they are criminals, terrorists, or even overdue library
book villains.

A laptop similar to Google's CR-48 and a good SSH program (e.g. in a Java
applet), can be an enormous help in this regard.

In the long run, a more formal approach, as I outlined in:

"Urgent Call for Privacy-Enhanced Mobile Data Storage and
Self-Destruct Mechanisms -  (Lauren's Blog)
would seem useful at least for consideration.

Lauren Weinstein (
People For Internet Responsibility: +1 (818) 225-2800
Network Neutrality Squad:

Facebook To Share Users' Home Addresses, Phone Numbers With

David Farber <>
Tue, 1 Mar 2011 05:29:39 -0500
 External Sites

Vulnerable social networking platforms

Tue, 01 Mar 2011 09:40:40 +0800
01           600,000,000
02                 135,000,000
03               130,000,000
04              110,000,000
05              74,000,000...

This website was launched with the goal to publish security related
vulnerabilities found on any social networking platform. In the past the
authors of this website have found lots of security related issues on well
known social networking platform and tried to contact the responsible owners
to provide detailed information on the found issues.  During this we got
really frustrated because often there is no secur[e] e-mail available on the
social networking platform which means that we had to try to contact the
website providers via their "normal" help desk or ticketing system. This had
the consequence that in most case we got no answer or it took weeks till we
got any answers. When you initially contacted the vendors and asked for a
public PGP key or s/mime so that we can send the information encrypted, we
often got an answer saying that they don't use PGP or s/mime in their
company and that we should provide them the information via clear-text email
protocol. Some of them even asked us what is a PGP key or even worse - they
sent us their private PGP key (for their luck without the needed password).

Re: Kill Switch, Anyone? (Wirchenko, RISKS-26.35)

Jonathan Kamens <>
Tue, 22 Feb 2011 10:04:02 -0500

I think it's actually pretty clear how came to be seized along with
other child porn domains. There must have been trafficking happening on some
of the subdomains created by users underneath, and the people
assembling the list of domains to seize categorized the entire second-level
domain, rather than the individual subdomains within it, as a trafficking

This is not a terribly surprising error. I would imagine that the percentage
of Internet .com domains where subdomains are owned and completely
controlled by different people than the second-level domain is minuscule,
and the community that utilizes such domains tends to be somewhat
self-contained and not familiar to people who aren't part of it.

Perhaps I'm wrong, but I don't think FreeDNS is particularly mainstream.

Note: I'm not trying to excuse the error; I'm just trying to explain how it

  [Note: Simplistic overreactions sometimes lead to simplistic

    Mark Rockwell, Bill explicitly prohibits Internet shut down

    In hopes of dispelling fears of a federal "Internet kill switch," Senate
    homeland security and financial management leaders introduced a
    cybersecurity reform bill that would explicitly prohibit the President
    from shutting down the Internet.


Re: Tree octopus exposes Internet illiteracy (RISKS-26.35)

<Daniel A Graifer>
Mon, 21 Feb 2011 09:36:56 -0500

My minimal legal knowledge is that courts have never accepted photographic
evidence as incontrovertible.  They have always required the testimony of
the person who took the photo along with it—i.e., testify that he/she
took the photo at the place and time alleged, and didn't alter it.

Susan Landau: Surveillance or Security?

"Peter G. Neumann" <>
Wed, 23 Feb 2011 17:14:37 PST

Susan Landau
Surveillance or Security?
  The Risks Posed by New Wiretapping Technologies
MIT Press, 2011

This is an absolutely mandatory source book for everyone interested in the
would-be conflicts represented between and within each side of the "or" in
the title.  It is truly remarkable, incisive, important, timely, superbly
researched, and copiously footnoted for those who want to dig even deeper.

Please read it.  Of course, as RISKS readers are well aware, at the moment
we seem to have surveillance without security, and without sufficient
controls.  However, the challenges of achieving adequate security *and*
legitimate surveillance *and* meaningful privacy (however you might wish to
define them) may be eternally unreachable—especially in the absence of

Here's a quote from Jonathan Zittrain from the back jacket of the book:

  “Susan Landau has taken an exceptionally complex but vital subject and
  presented it in a clear and compelling way.  The ability of a citizen to
  securely communicate with her peers lies at the heart of the rule of law.
  Landau demonstrates the necessity of protecting that right amidst the
  technological changes that can greatly alter the balance of power between
  citizens and governments.''

Please report problems with the web pages to the maintainer