The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 44

Saturday 14 May 2011

Contents

Colleges worry about always-plugged-in students
Tracy Jan via Monty Solomon
Warnings about Risks aren't just for technological issues
Paul Robinson
Amazon Cloud Cloudy?
Ted Samson via Gene Wirchenko
More About the Amazon Cloud Crash
Nestor E. Arellano via Gene Wirchenko
Cloud Reliability
Patrick Thibodeau via Gene Wirchenko
The algorithm says that'll be $23,698,655.93, plus $3.99 shipping
Mark Brader
Texas exposes addresses, SSNs of 3.5 million residents
F John Reinke
Risks of auto-classification
Steven Bellovin
Iran claims it's under a second virus attack
Danny Burstein
RSA hack spear-phishing via an Excel spreadsheet with embedded Flash
Jeremy Epstein
Tracking File Found in iPhones
Matthew Kruk
Re: Skype for Android User Data Leak
Robert N.M. Watson via PGN
Re: Increasing risks due to leap seconds being ever more frequent
Amos Shapir
Re: 'HTTPS Now'
Dimitri Maziuk
Workshop on RFID Security and Privacy
Kevin Fu
Info on RISKS (comp.risks)

Colleges worry about always-plugged-in students (Tracy Jan)

Monty Solomon <monty@roscom.com>
Sun, 24 Apr 2011 22:35:44 -0400

Tangled in an endless web of distractions
Colleges worry about always-plugged-in students

Tracy Jan, *The Boston Globe*, 24 Apr 2011

It was supposed to be a quick diversion, Katie Inman told herself last week
as she flipped open her laptop. She had two tests to study for, three
problem sets due, a paper to revise. But within minutes, the MIT sophomore
was drawn into the depths of the Internet, her work shunted aside.  “I had
just closed Facebook, but then I reopened it. It's horrible, I would type a
sentence for my paper, and then get back on Facebook.''

Desperate for productivity, Inman did something many of her classmates at
one of the most wired campuses would find unfathomable: She installed a
program that blocks certain websites for up to 24 hours. No social
networking. No e-mail. No aimless surfing.

While Inman took matters into her own hands, some MIT professors are urging
college leaders across the country to free students from their tether to
technology. Over the past decade, schools raced to connect students to the
Internet - in dorms, classrooms, even under the old oak tree. But now, what
once would have been considered heresy is an active point of discussion:
pulling the virtual plug to encourage students to pay more attention in
class and become more adept at real-life social networking. ...

http://www.boston.com/news/education/higher/articles/2011/04/24/colleges_worry_about_always_plugged_in_students/


Warnings about Risks aren't just for technological issues

Paul Robinson <paul@paul-robinson.us>
Thu, 21 Apr 2011 15:15:36 -0700 (PDT)

We have warnings about risks because technology, if done incorrectly, can
cause major problems.  But it's not just technology; more than 100 years ago
there was a big warning to the legal community that if you use something the
wrong way you can get into a lot of trouble.  All we have to do to
confirm what happens when someone uses something incorrectly or makes a
mistake using something is look at any decision of the United States Supreme
Court.  I decided to write this up for a Wikipedia article and thought I'd
pass this on as it has relevance to Risks readers.

Every U.S. Supreme Court decision has the following boiler-plate warning
printed before the Syllabus, which is the summary of the decision:

  "NOTE: Where it is feasible, a syllabus (headnote) will be released, as is
  being done in connection with this case, at the time the opinion is
  issued. The syllabus constitutes no part of the opinion of the Court but
  has been prepared by the Reporter of Decisions for the convenience of the
  reader. See United States v. Detroit Timber & Lumber Co., 200 U. S. 321,
  337."

In the case of Detroit Timber, the court reporter misreported the decision
in Hawley v. Diller, 178 U.S. 476 (1900).  The syllabus, which as the above
note says, is the opinion of the court reporter as to what the court's
opinion means, was wrong.  The lawyers for the United States relied on the
syllabus for {Diller} instead of the court's actual opinion of the case and
as a result, they got it wrong too.

Here's why this issue is important. If you asked most people to name a
Supreme Court case they might be able to mention the Miranda Warning even if
they don't know the full case name {Miranda v. Arizona}, but almost
everyone, even if they don't have an opinion on abortions (like myself), can
name the case of {Roe v. Wade}.  The opinion - which I actually read once -
runs over 100 pages.  It basically says that abortions can't be prohibited
for the first three months of pregnancy and restrictions imposed by law on
obtaining an abortion from a licensed physician during this period are not
allowed.  Restrictions can be imposed on the second trimester, and even
greater ones may be imposed on the third trimester.

Now, there are three possible ways the writer of the Syllabus could
summarize the case.  Correctly, as I have done.  Incorrectly, and say that
states can't forbid physician-provided abortions and that a woman may obtain
an abortion at any time (that's actually effectively the decision of the
Canadian Supreme Court in {R. v. Morgentaler)), or the syllabus could
incorrectly say that that states can forbid all abortions at any time.

Now, let's say you're some prosecutor and the syllabus in Roe v. Wade had
misreported the decision as saying a state can forbid all abortions, and
your office decides to prosecute some doctor for performing abortions during
the first month of pregnancy.  What's likely to happen is that first, the
trial court finds your prosecution to be invalid because of the decision in
Roe v. Wade, and dismisses the case; second, orders the state to pay the
several thousand dollars this doctor unnecessarily spent in legal fees; and
third, opens your office up for a civil suit for malicious prosecution for
doing exactly what the Supreme Court said was not permitted, to prosecute a
doctor for performing abortions done during the first three months of
pregnancy, and as a result, the damages could be hundreds of thousands of
dollars.

So as a result of the error I mentioned, every case the Supreme Court prints
has a reference to U.S. v. Detroit Timber to remind them that if you're not
careful to read the actual opinion and instead depend on the syllabus,
you're taking a big risk!

The Lessons of history teach us - if they teach us anything - that no one
learns the lessons that history teaches us.


Amazon Cloud Cloudy? (Ted Samson)

Gene Wirchenko <genew@ocis.net>
Fri, 22 Apr 2011 13:23:52 -0700

http://www.infoworld.com/t/managed-services/popular-websites-crippled-hours-long-amazon-cloud-service-outage-657
Ted Samson, InfoWorld Home / InfoWorld Tech Watch, April 21, 2011

Amazon's popular EC2 and Relational Database Services suffered glitches
earlier this morning, leaving popular websites and services such as Reddit,
Foursquare, and HootSuite crippled or outright disabled well into the early
afternoon. The outages are a sobering reminder of the risks of placing one's
eggs in a service provider's basket, even a relatively well-established one
such as Amazon Web Services. The mishap will no doubt prompt users of
Amazon's services to call on the company to explain why it lacked the
necessary backup and disaster-recovery systems to prevent this sort of
downtime. ...


More About the Amazon Cloud Crash (Nestor E. Arellano)

Gene Wirchenko <genew@ocis.net>
Tue, 26 Apr 2011 10:07:01 -0700

http://www.itbusiness.ca/it/client/en/home/News.asp?id=62242

Nestor E. Arellano, Firm averts Amazon cloud crash by 'spreading out the
risk', *IT Business*,  26 Apr 2011

... but thanks to redundant cloud services a Canadian company was able to
avoid any major disruption.  By employing a combination of cloud and quasi
cloud back-up services, Voices.com, a London, Ontario-based voice talent
firm, suffered only about 90 minutes of minor signal latency before being
able to recover full online capabilities while other Amazon clients did not
fare as well.

Because of server problems at Amazon's data center, which handles the
company's EC2 Web hosting services, Web sites, including popular Web 2.0
sites, were left staggering or disabled.

As of noon Eastern time last Friday, those sites had been affected for about
30 hours.

Reddit reported at 10:30 a.m. that it was still running in emergency
mode. Foursquare appeared to be up and running, while Quora was bouncing
between read-only mode and not launching at all and showing an "internal
server error" message.

Vancouver-based Twitter monitoring service HootSuite was also having
problems, reporting at one point that it was "back up" and then changing to
"again offline."

Thanks to Amazon's most recent outage, supporters of cloud services are
going to have a tough time arguing that the uptime delivered by cloud
services is superior to anything corporate IT can deliver.

Laplante says he has one customer—a small manufacturer whose core
business application was built on WorkXpress and running on Amazon—who
has been knocked offline. "They are fired up and they are very angry," he
said. The customer now wants the app hosted on a server in their shop.

Laplante said the Amazon outage, which began Thursday morning, is going to
make it difficult to sell cloud approaches. "I'm going to have to sell
against this outage."  Paul Haugan, CTO of Lynnwood, Wash., said his city
has been looking at Amazon's cloud offerings, but "the recent outage
confirmed, for us, that cloud services are not yet ready for prime time."

Haugan's view, which stems not just from Amazon's outage alone, is that
"cloud services need some more maturing and a much more hardened
infrastructure and security model prior to our adoption."

Voices.com, said Ciccarelli suffered a hit to its reputation.  “It wasn't
just that our IT department had to wade through a ton of calls.  Our
reliability was put in question because our clients don't really care that
Amazon is providing us the cloud service, what they see is our company
handling their audio files.''

Thankfully, despite the complaints, Voices.com did not lose any clients.

Today, Voices.com spreads the risk around.

“Not having all our eggs is one basket adds extra layers of redundancy in
case disaster strikes,'' said Ciccarelli.

  [Alternative risks result from trying to coordinate too many baskets,
  not to mention too many eggs.  PGN]


Cloud Reliability

Gene Wirchenko <genew@ocis.net>
Tue, 26 Apr 2011 10:09:31 -0700

http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=62250
Patrick Thibodeau, Who gets blame for Amazon outage?
Reliability of cloud services is makes customers complacent;
many don't plan for worst-case scenarios, *IT Business*, 26 Apr 2011

Amazon.com has promised to provide a "detailed post-mortem" on the root
causes of the prolonged outage of its cloud services in recent days. Users
of the Amazon services, meanwhile, may also have to explain how they got
caught up in the outage.  The ensuing conversations may be uncomfortable for
both Amazon and its cloud customers—perhaps even more so for users of the
services.

Cloud services overall have been remarkably reliable, which may be fostering
a dangerous complacency among customers who are putting too must trust in
them. This is another old and familiar story of technology hubris, one that
was famously illustrated by another tech marvel, the unsinkable Titanic.

In this case, it is IT managers who will have to explain to their users --
and to their company's executives—why they didn't have a lifeboat.

Amazon's partial outage, which began Thursday and seemed largely resolved
today, was an exceptional event.

Based on data compiled by AppNeta, the uptime reliability of 40 of the
largest providers of cloud-based services, including Amazon, Google, Azure
and Salesforce.com, shows how well cloud providers are delivering
uninterrupted services. The performance management and network monitoring
firm, known as Apparent Networks until this week, captures minute-by-minute
uptime and other data from cloud providers used by its customers.

The overall industry yearly average of uptime for all the cloud services
providers monitored by AppNeta is 99.9948 per cent, which equal to 273
minutes or 4.6 hours of unavailability per year.

The worst providers clock in at 99.992 per cent or 420 minutes or seven
hours of unavailability a year.

The best providers are at 99.9994 per cent or three minutes or .05 hours of
unavailability a year.

The takeaway for cloud users looking at the AppNeta data is often that the
risk of an outage is very low.


The algorithm says that'll be $23,698,655.93, plus $3.99 shipping

Mark Brader
Tue, 26 Apr 2011 02:18:37 -0400 (EDT)

A biologist named Michael Eisen tells the story of trying to buy
a book about developmental biology from Amazon.  It was out of print,
but Amazon had two listings for new copies—with prices in the
millions of dollars, and rising daily.  Eisen monitored the prices
for a while and came up with the following explanation:

* Seller A didn't really have the book, but planned to buy it from
  Seller B if someone placed an order.  They had a better feedback
  record than B, so someone might buy it from A even at a higher
  price, and had programmed their price to be 27.0589% higher than A's,
  so they'd make a profit.

* Seller B, meanwhile, was trying to ensure they just barely had the
  lowest price, and had programmed their price to be 0.17% lower than
  their competition.

* Both prices were updated automatically once a day—thus rising
  exponentially until somebody noticed.

See http://www.michaeleisen.org/blog/?p=358.


Texas exposes addresses, SSNs of 3.5 million residents

"fj@rcc" <kfjohn@reinke.cc>
Mon, 11 Apr 2011 18:04:32 -0400

Identity Fraud would be impossible with out the Gooferment's lame "social
security number". Argh! Everything is so predictable!

http://arstechnica.com/security/news/2011/04/texas-exposes-addresses-ssns-of-35-million-residents.ars

> And now, a large group of Texans are about to have it a lot worse:the
> state revealed Monday <http://txsafeguard.org/>that personal information
> for 3.5 million citizens has been exposed to the public, including names,
> addresses, Social Security numbers, and more.

Ferdinand John Reinke, 3 Tyne Court, Kendall Park, NJ 08824 908-209-3625
fjohn@reinke.cc  http://www.reinke.cc http://www.reinkefj.com


Risks of auto-classification

Steven Bellovin <smb@cs.columbia.edu>
Sun, 24 Apr 2011 18:38:38 -0400

While reading the AP news recently, via the Associated Press' official iPad
app, I went to the "Religion" section.  I was rather surprised to see an
article about a New York Mets baseball player being put on the disabled list
due to an injury.  This seemed rather odd to me (even though as a long-time
(and long-suffering) Mets fan I might be expected to utter prayers for
relief when such things happen), until my wife pointed out the player's
name: *Angel* Pagan...

                --Steve Bellovin, https://www.cs.columbia.edu/~smb

  [I suppose members of the team now known as the Los Angeles Angels of
  Anaheim appear regularly in that section.  Media supporting a home team
  is always popular, even if it is an example of Plug and Pray.  PGN]


Iran claims it's under a second virus attack

danny burstein <dannyb@panix.com>
Mon, 25 Apr 2011 23:21:21 -0400 (EDT)

After Stuxnet: Iran says it's discovered 2nd cyber attack [Jerusalem Post]

Tehran - Iran has been targeted by a second computer virus in a "cyber war"
waged by its enemies, its commander of civil defense said on Monday.
Gholamreza Jalali told the semi-official Mehr news agency that the new
virus, called "Stars", was being investigated by experts. ...  "Fortunately,
our young experts have been able to discover this virus and the Stars virus
is now in the laboratory for more investigations," Jalali was quoted as
saying. He did not specify the target of Stars or its intended impact.

rest:
http://www.jpost.com/IranianThreat/News/Article.aspx?id=217795


RSA hack spear-phishing via an Excel spreadsheet with embedded Flash

Jeremy Epstein <jeremy.epstein@sri.com>
Mon, 04 Apr 2011 14:46:18 -0400

http://threatpost.com/en_us/blogs/rsa-securid-attack-was-phishing-excel-spreadsheet-040111

Victim retrieved the message from spam folder, opened it, which used a
zero-day vulnerability in Flash to install malware that then phoned home,
giving control to the bad guys.  RSA confirmed it.

Pretty darn clever.....

Jeremy Epstein, Senior Computer Scientist, SRI International
1100 Wilson Blvd, Suite 2800, Arlington VA  22209  703-989-8907 (M)


Tracking File Found in iPhones

"Matthew Kruk" <mkrukg@gmail.com>
Thu, 21 Apr 2011 01:27:58 -0600

Nick Bilton, *The New York Times*, 20 Apr 2011
(Miguel Helft and John Markoff contributed reporting.)
http://www.nytimes.com/2011/04/21/business/21data.html?_r=1&nl=todaysheadlines&emc=tha26

Apple faced questions [on 20 Apr 2011] about the security of its iPhone and
iPad after a report that the devices regularly record their locations in a
hidden file.  The report came from a technology conference in San Francisco,
where two computer programmers presented research showing that the iPhone
and 3G versions of the iPad began logging users' locations a year ago, when
Apple updated its mobile operating system.  After customers upgraded the
software, a new hidden file began periodically storing location data,
apparently gleaned from nearby cellphone towers and Wi-Fi networks, along
with the time.  The data is stored on a person's phone or iPad, but when the
device is synced to a computer, the file is copied over to the hard drive,
the programmers said. The data is not normally encrypted; although users can
encrypt their information when they sync their devices, few do.

To some privacy advocates, the storing of the data was a clear breach.  "The
secretive collection of location data crosses the privacy line," said Marc
Rotenberg, executive director of the Electronic Privacy Information Center,
a privacy policy organization based in Washington.  "Apple should know
better than to track iPhone users in this way."  Others said the discovery
of the hidden file was unlikely to have a major practical impact on privacy
and security.  "It is more symbolic than anything else," said Tim O'Reilly,
a longtime technology pundit and founder of O'Reilly Media. "It is one more
sign of how devices are collecting data about us and potentially sharing it
with others. This is the future. We have to figure out how to deal with it."

  [See also
http://online.wsj.com/article/SB10001424052748704123204576283580249161342.html
  and
Apple, Google In Privacy Hot Water Over "Locationgate", 25 Apr 2011
http://searchengineland.com/apple-google-in-privacy-hot-water-over-locationgate-74526
  PGN]


Re: Skype for Android User Data Leak (RISKS-26.43)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 20 Apr 2011 16:43:17 PDT

> "Skype mistakenly left these files with improper permissions, allowing
> anyone or any app to read them," said Case. "Not only are they accessible,
> but [they're] completely unencrypted."

Robert Watson at the University of Cambridge noted to me:

  Sounds like a classic failure of discretionary access control: you have to
  get the permissions right!

  Although it strikes me that the comment from Case gets the gist wrong:
  encrypting them is all well and good, but if they have to be decrypted to
  be used, then the key has to be lying around too. Getting the permissions
  wrong seems a greater sin. But the greatest sin of all is requiring
  application developers to get the permission bits right.  Robert


Re: Increasing risks due to leap seconds being ever more frequent

Amos Shapir <amos083@hotmail.com>
Tue, 26 Apr 2011 17:26:30 +0300

The problem seems to be that the UTC base serves two purposes, as a basis
for timezones to define local (Sun-relative) time, and also as a benchmark
for timing intervals.  At high precision, these uses might contradict each
other, and the leap-second solution is viewed as inadequate.

There is a good history of the efforts to separate these two functions in
The Future of Leap Seconds (including a reference to Kamp's article).


Re: 'HTTPS Now' (RISKS-26.43)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Thu, 21 Apr 2011 13:27:12 -0500

> Date: April 20, 2011 11:15:14 AM EDT
> From: EFF Press <press@eff.org>
> Subject: EFF: 'HTTPS Now' Campaign Urges Users to Take an Active Role
>   in Protecting Internet Security

> As a first step, individuals using the web are encouraged to install HTTPS
> Everywhere, a security tool for the Firefox browser developed by EFF and
> the Tor Project.  HTTPS Everywhere automatically encrypts a user's
> browsing, changing it from HTTP to HTTPS whenever possible.

If that also bypasses the Firefox's "self-signed cert" dialog, it's worth
installing just for that. On the other hand, if it does not, one wonders how
the majority of users will react to "Evil hackers Are Taking Over The
Internet! Run away!" popping up after every other mouse click.

<tinfoil hat>Or perhaps EFF got hired by VeriThawteInc in the cunning plan
to expand the latter's customer base?</tinfoil hat>

Dima

Dimitri Maziuk Programmer/sysadmin
BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu


Workshop on RFID Security and Privacy

Kevin Fu <kevinfu@cs.umass.edu>
Tue, 26 Apr 2011 02:27:46 -0400

7th Annual Workshop on RFID Security and Privacy (RFIDsec)
Amherst, MA, USA
June 26-28, 2011
http://rfid-cusp.org/rfidsec/
  Early bird registration ends May 13
     [Sorry to be late.  I've been seriously preoccupied.  PGN]

RFIDsec brings together researchers from academia and industry for topics of
importance to improving the security and privacy of RFID, NFC, contactless
technologies, and the Internet of Things.  RFIDsec bridges the gap between
cryptographic researchers and RFID developers through invited talks,
tutorials, and contributed presentations and posters.

Pre-workshop tutorials cover the physics of RFID, hands-on differential
power analysis of hardware tokens, hands-on programming of batteryless
RFID-scale sensor devices, and an introduction to RFID security and privacy.

Social highlights include a reception and a New England-style clambake
with scenic views of the rolling foothills and majestic mountains of
the Pioneer Valley.

Discounts for full-time students are made possible by the generosity
of Microsoft Research, Mocana, Cryptography Research, the RFID
Journal, and DIFRwear.

Please report problems with the web pages to the maintainer