The RISKS Digest
Volume 26 Issue 77

Wednesday, 4th April 2012

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

ICANN Announces Surprise Termination of Domain Name Expansion Program; Plans Own Dissolution
Lauren Weinstein
Unicode in the modern communications world
Mike Tashker
The Evil Bit, the Angelic Bit, and the "I'm not sure" value!
PGN
Arizona Internet censorship bill on Gov's desk
Lauren Weinstein
Reserved Words Anyone?
Marv Schaefer
DDoS attack disrupts Canadian political party leadership vote
Mark Brader
Why Your Vote Won't Count
Mark E. Smith
Tor traffic disguised as Skype video to fool repressive governments
Lauren Weinstein
Kazakh gold medal team gets Borat national anthem—googled!
Rob McCool
Australian Court Finds Google Guilty of Deceptive Ad Tactics
Lauren Weinstein
Tom Tom GPS "Leap Year Bug"
Martyn Thomas
Second Murdoch hacking scandal
Charles C. Mann
An end to phones in every home?
David Cay Johnston
Apple holds the master decryption key when it comes to iCloud security, privacy
Chris Foresman via Monty Solomon
Outage of Visa network kept people from using credit, debit cards for a time Sunday afternoon
Monty Solomon
Re: Texting error leads to lockdowns at two schools
Paul Wallich
Re: Not even a tiny bit creepy. After all, Orwell WAS British
Marcus Rowland
Info on RISKS (comp.risks)

ICANN Announces Surprise Termination of Domain Name Expansion Program; Plans Own Dissolution

Lauren Weinstein <lauren@vortex.com>
Sun, 1 Apr 2012

 Lauren Weinstein's Blog Update: ICANN Announces Surprise Termination of
 Domain Name Expansion Program; Plans Own Dissolution, March 31, 2012
 http://lauren.vortex.com/archive/000945.html

Sunday, 1 April 2012

MARINA DEL REY, California (ZAP)—In a stunning and unexpected
announcement, the Internet Corporation for Assigned Names and Numbers
(ICANN) has announced the immediate termination of its controversial and
much criticized plan for a vast expansion of generic top-level Internet
domain names (gTLDs), and has set an aggressive timetable for the
dissolution of ICANN itself.

ICANN has been increasingly condemned for what many observers have called
erratic and inappropriate decision-making processes, leading to the
U.S. Department of Commerce refusing to renew a key ICANN function last
month, and ICANN's own outgoing CEO publicly implying that conflicts of
interest on the ICANN board of directors have allowed ICANN to be co-opted
by moneyed "domainer" speculation interests.

ICANN spokesman Seymour Murdochian discussed his organization's drastic
change of course as he snacked on Beluga caviar spread over Wonder Bread,
while watching his Rolls-Royce Silver Shadow being washed and detailed in
Beverly Hills.

"I realize that there are many serious allegations outstanding against ICANN
these days," said Mr. Murdochian.  "We're blamed for ignoring the best
interests of the global Internet community.  We're accused of implementing
an extortionist protection racket via an enormous domain name expansion
program, that would ultimately suck billions of dollars out of the Internet
economy and would only serve to enrich the "domain-industrial complex"
operating those domains.  People claim that we arrogantly ignore legitimate
concerns of trademark holders, are complicit in helping the U.S. government
disable domains around the world without due process, waste money on
unnecessary global travel to exotic locales, have become totally owned by a
"gold rush" mentality via wealthy powers at the top of the DNS food chain,
and even that we use overly expensive hand soap in our office restrooms,"
added Mr. Murdochian.

"I want to be absolutely clear that the ICANN board of directors takes firm
and uncompromising exception to such a characterization.  Our hand soap is
not outrageously expensive, and given the amount of hand washing we do
around here, having quality soap available is a necessity, not a luxury,"
Murdochian noted.

Murdochian then explained ICANN's recent change of heart.  "After extensive
discussions internally, with our travel agents, and with our personal
portfolio managers, we've decided that the time is ripe for us to bow out of
formal Internet affairs. We want to make way for the creation of new
Internet governance models that can be purpose-built to better serve the
entire Internet community around the world, will reduce the risk of Internet
fragmentation that has been rising as domestic governments increasingly
threaten not to play along with our current schemes, and will help reduce
the risk of a potentially disastrous Internet takeover by
politically-encumbered organizations such as the United Nations or
International Telecommunication Union."

"Therefore, we've announced that effective immediately, all ICANN activities
related to new Internet top-level domains are permanently ended. We will be
refunding all associated fees already paid by applicants, and as a token of
our appreciation for past support will be including with each refund an
approximately 1.5 carat, 'H' color, 'SI' quality diamond from our vaults."

"We have filed appropriate notifications with the Department of Commerce and
foreign governments expressing our intention to cease all ICANN operations
no later than a year from now on 1 April 2013."

"I'll be reachable for additional comments at my summer home on the Riviera
if there are any other questions," said Mr. Murdochian, just before his
chauffeur whisked him away.

Asked about these unexpected, dramatic developments, Lauren Weinstein, a
long-time Internet technologist and vocal critic of ICANN's domain name
plans, said that, "It's indeed encouraging to see ICANN finally doing what's
really right for the entire global Internet community, and abandoning their
plans to fleece the Internet at large for the benefit of domain speculators
and associated opportunists.  A new alternative to ICANN and to existing
organizations like the ITU and UN is definitely the way that we need to
proceed to make the Internet better for everyone around the world. It's a
shame though that this process has taken so long, and that this entire
article is only an April Fools' Day posting."

ZAP/NYC 20120401 0916


Unicode in the modern communications world

"Mike Tashker" <tashkerm@transdecsys.com>
Sun, 1 Apr 2012

It's occasionally appropriate to reflect on the beneficial effects of some
unsung piece of technology, for example, Unicode.  Unicode extends the
original Western-alphabet-based encoding of the digital representation of
characters to almost any language--it provides a unique number for every
character, regardless of the language.  This has had a major effect on
digital communications.

A little over 4 years ago (February 2008), analog cellphone service was
turned off in the U.S.  Thereafter all cell service (CDMA or GSM) was based
on digital protocols.  And while previously, all languages could be spoken
on a cellphone, after the demise of analog, only Western languages (all
letters fit within an octet) plus non-Western languages represented by
Unicode could be transmitted due to the new digitization.

Unicode is now up to version 6.1 and covers almost every language spoken in
the world, making digital cell service near universal from a technical point
of view.  Some languages are still not supported, see
http://tinyurl.com/m979dh for a list.  This includes archaic forms such as
Linear A as well as Klingon.  But unless you want to speak Klingon on a
cellphone, most currently-spoken languages are covered, making digital
cellphone communications a reality for linking the peoples of the world.


The Evil Bit, the Angelic Bit, and the "I'm not sure" value!

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 1 Apr 2012

In his own list, Steve Greenwald noted the following item from RFC 6593 at
https://tools.ietf.org/html/rfc6593 :

  Inherently, services not discovered are more secure than those discovered,
  due to their obscurity.  However, the discoverability or undiscoverability
  of a given service is largely independent of its security characteristics.
  Instead, an implementor is guided to [RFC3514] to denote evilness (and
  associated security) status.  Since [RFC3514] only defines evil and
  non-evil intent of packets, this document suggests assigning an "I am not
  sure" additional value for the evil bit.  The intentional ambiguity of
  this additional state makes it a perfect third value for a binary bit.

Perhaps the fools are winning, and April Fools Day cannot keep up with the
irrationality of the fools.  In RISKS-22.66 on 1 Apr 2003, Steve Bellovin's
Evil Bit (the first item on RFC 3514) and Drew Dean's Angelic Bit (the
second item)—along with Tony Bartoletti's crimeFree bit—were
wonderfool contributions.  The idea of fuzzy logic being applied thereto
with the "I am not sure" value of a ternary Evil bit (sic) is delicious.
PGN
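An added example, not part of the digest and not code from either RFC: the RFC 3514 bit as a packet filter would actually read it. The header layout follows RFC 3514 (the evil bit is the high-order bit of the flags/fragment-offset word, the one bit RFC 791 reserves as zero); the constructed sample header, the checksum helper and the reading of RFC 6593's "I am not sure" as the verdict for an unparseable header are this example's own choices. The caveat it makes concrete: the sender sets the bit and refreshes the checksum in three lines, so a filter keyed on it learns only what the sender chose to say.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const evilBit = 0x8000 // RFC 3514: high bit of the flags/fragment-offset word at byte offset 6
var errNotIPv4 = fmt.Errorf("not a complete IPv4 header")

func headerLen(pkt []byte) (int, error) {
	if len(pkt) >= 20 && pkt[0]>>4 == 4 {
		if ihl := int(pkt[0]&0x0f) * 4; ihl >= 20 && ihl <= len(pkt) {
			return ihl, nil
		}
	}
	return 0, errNotIPv4
}

// EvilBitSet reports whether the evil bit is set in pkt.
func EvilBitSet(pkt []byte) (bool, error) {
	if _, err := headerLen(pkt); err != nil {
		return false, err
	}
	return binary.BigEndian.Uint16(pkt[6:8])&evilBit != 0, nil
}

// SetEvilBit sets or clears the bit in place and refreshes the header checksum.
func SetEvilBit(pkt []byte, evil bool) error {
	ihl, err := headerLen(pkt)
	if err != nil {
		return err
	}
	word := binary.BigEndian.Uint16(pkt[6:8])
	if evil {
		word |= evilBit
	} else {
		word &^= evilBit
	}
	binary.BigEndian.PutUint16(pkt[6:8], word)
	binary.BigEndian.PutUint16(pkt[10:12], 0) // checksum field is zero while summing
	binary.BigEndian.PutUint16(pkt[10:12], checksum(pkt[:ihl]))
	return nil
}

// checksum is the RFC 1071 ones-complement sum; over a header whose checksum is correct it returns 0.
func checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 { // IPv4 headers are a multiple of 4 bytes
		sum += uint32(binary.BigEndian.Uint16(hdr[i : i+2]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// Verdict is what a filter keyed on the evil bit can decide. RFC 6593's third
// value lives only in this type: the wire has one bit, so "not sure" is all a
// filter can say when the header cannot be parsed.
type Verdict int

const (
	Benign Verdict = iota
	Evil
	NotSure
)

func (v Verdict) String() string { return [...]string{"benign", "evil", "not sure"}[v] }

// Classify is the entire RFC 3514 "firewall".
func Classify(pkt []byte) Verdict {
	evil, err := EvilBitSet(pkt)
	switch {
	case err != nil:
		return NotSure
	case evil:
		return Evil
	}
	return Benign
}

// SampleHeader is a constructed 20-byte IPv4 header with a valid checksum.
func SampleHeader() []byte {
	h := make([]byte, 20)
	h[0] = 0x45                            // version 4, IHL 5 words
	binary.BigEndian.PutUint16(h[2:4], 20) // total length: header only
	h[8], h[9] = 64, 6                     // TTL 64, protocol TCP
	copy(h[12:], []byte{192, 0, 2, 1, 198, 51, 100, 7}) // documentation-range src/dst
	binary.BigEndian.PutUint16(h[10:12], checksum(h))
	return h
}

func main() {
	h := SampleHeader()
	fmt.Println("as sent:", Classify(h))
	_ = SetEvilBit(h, true)
	fmt.Println("after one bit flip:", Classify(h), "checksum still valid:", checksum(h) == 0)
}
```

The header checksum check is the only thing the bit flip has to get past, and the sender recomputes it itself; nothing on the path can tell an honest "evil" from a dishonest "benign", which is the joke RFC 3514 was making and the reason a ternary value would not help even if a second unused bit existed.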


Arizona Internet censorship bill on Gov's desk

Lauren Weinstein <lauren@vortex.com>
Sun, 1 Apr 2012 14:43:25 -0700

Arizona Internet censorship bill on Gov's desk (not an April Fool's joke)

http://j.mp/H8lReN  (Media Coalition)

  "Arizona House Bill 2549 would update the state's telephone harassment law
  to apply to the Internet and other electronic communications. It would
  make it a crime to communicate via electronic means speech that is
  intended to "annoy," "offend," "harass" or "terrify," as well as certain
  sexual speech.  However, because the bill is not limited to one-to-one
  communications, H.B. 2549 would apply to the Internet as a whole, thus
  criminalizing all manner of writing, cartoons, and other protected
  material the state finds offensive or annoying."


Reserved Words Anyone?

Marv Schaefer <bwapast@verizon.net>
Mon, 02 Apr 2012 15:35:22 -0400

Our heating/air-conditioning serviceman just pointed me to news about the NYC
school system's newest attempt to eschew vocabulary and concepts that could
adversely affect test performance by minority or disadvantaged students.

I don't read the *New York Post*, but found their online article. At
first, I thought this to be a satirical piece on their part, but there was
substantiation from CBS and ABC News. I'm, frankly, distraught over this and
have difficulty imagining which topics other than some aspects of the hard
sciences can still be in the curriculum. I find it particularly jarring
given recent anti-higher-education statements by a leading presidential
candidate and numerous anti-reason/anti-science statements being made by
other politicians at a time of such need for an educated populace in the
face of unemployment.

Anyway, the *NYPost* ran a story with the headline "PC student tests forbid
dance, dinos & lots more", these words representing topics that are to be
banned from future NYC exams. The article, found at http://nyp.st/H8soqi ,
reads in part:

  "In a bizarre case of political correctness run wild, educrats have banned
  references to dinosaurs, birthdays, Halloween, and dozens of other topics
  on city-issued tests.  That's because they fear such topics 'could evoke
  unpleasant emotions in the students.'  Dinosaurs, for example, call to
  mind evolution, which might upset fundamentalists; birthdays aren't
  celebrated by Jehovah's Witnesses; and Halloween suggests paganism.  Even
  dancing is taboo, because some sects object. But the city did make an
  exception for ballet."

Their list, pulled from the website, is this:

Full list of topics banned on NYC school exams
Last Updated: 2:36 PM, 30 Mar 2012
Here's the full list of topics that if included on city exams would
probably cause a selection to be deemed unacceptable by the New York
City Department of Education:
Abuse (physical, sexual, emotional, or psychological)
Alcohol (beer and liquor), tobacco, or drugs
Birthdays
Bodily functions
Cancer (and other diseases)
Catastrophes/disasters (tsunamis and hurricanes)
Celebrities
Children dealing with serious issues
Cigarettes (and other smoking paraphernalia)
Computers in the home (acceptable in a school or public library setting)
Crime
Creatures from outer space
Dancing (ballet is acceptable)
Death and disease
Dinosaurs and prehistoric times
Divorce
Evolution
Expensive gifts, vacations, and prizes
Gambling involving money
Geological history
Halloween
Homelessness
Holidays
Homes with swimming pools
Hunting
In-depth discussions of sports that require prior knowledge
Junk food
Loss of employment
Movies
Nuclear weapons
Occult topics (i.e. fortune-telling)
Parapsychology
Politics
Pornography
Poverty
Rap music
Religion
Religious holidays and festivals (including but not limited to
  Christmas, Yom Kippur, and Ramadan)
Rock-and-Roll music
Running away
Sex
Slavery
Terrorism
Television and video games (excessive use)
Traumatic material (including material that may be particularly
  upsetting such as animal shelters)
Vermin (rats and roaches)
Violence
War and bloodshed
Weapons (guns, knives, etc.)
Witchcraft, sorcery, etc.
Source: NYC Department of Education Request for Proposals


DDoS attack disrupts Canadian political party leadership vote

Mark Brader
Tue, 27 Mar 2012 15:33:21 -0400 (EDT)

In Canada's federal elections last May, the New Democratic Party (NDP) under
leader Jack Layton rose from their usual third-place finish to reach second
place for the first time.  But in August Layton died.  So on March 23-24,
the NDP held a convention to choose a new leader, who would therefore become
the Leader of the Opposition in Parliament.

To maximize turnout, about 130,000 party members were eligible to vote
online, either in advance (using a preferential ballot) or during the
convention.

  http://www.cbc.ca/news/politics/story/2012/03/01/pol-cp-ndp-leadership-voting.html

In fact some 58,000 advance votes were received.  But despite the relatively
small number of in-person votes at the actual convention, ballot results
were badly delayed and voting was completely shut down for a while.  The
total delays amounted to hours.

  http://www.cbc.ca/news/politics/story/2012/03/24/ndp-leadership-voting-problems.html

Subsequently it was reported that this was the result of a distributed
denial-of-service attack (DDoS), with spurious connection attempts made from
over 10,000 IP addresses.

  http://www.cbc.ca/news/politics/story/2012/03/27/pol-ndp-voting-disruption-deliberate.html

The company that ran the voting, Scytl [http://www.scytl.com], says that an
audit showed that the voting itself, which elected Thomas Mulcair to the
leadership, was not compromised, and that "Obviously, this has now allowed
us to capture additional data to incorporate into the security measures of
our system."

Mark Brader, Toronto, msb@vex.net | "Fast, cheap, good: choose any two."

  [The Scytl press release is online, but much too long to include here.
http://www.newswire.ca/en/story/944715/ndp-leadership-vote-result-not-compromised-by-malicious-orchestrated-effort-to-clog-online-balloting-system-at-weekend-convention-says-scytl-canada
  PGN]
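As an added example, not code from Scytl and not part of the digest: the kind of detection the reports above describe (spurious connection attempts from over 10,000 addresses while real voters could not get through) reduced to a per-minute count of distinct sources over a connection log. The log format, the thresholds and the sample lines are constructed for this example. The flagged window is the one where many distinct sources open connections and almost none of them completes a ballot, which separates a flood from a legitimate rush at the moment voting opens.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Log line format assumed for this example (constructed, not Scytl's):
//   <RFC 3339 timestamp> <source IP> <event>
// where event is CONNECT (a connection was accepted) or VOTE (a ballot was
// completed on that connection).

// WindowStats summarises one minute of the log.
type WindowStats struct {
	Minute     string // "2012-03-24T14:03"
	Attempts   int    // CONNECT lines
	DistinctIP int    // distinct sources behind those attempts
	Completed  int    // VOTE lines
	Flagged    bool
}

type bucket struct {
	attempts, completed int
	ips                 map[string]struct{}
}

// Detect buckets lines into one-minute windows and flags a window when it
// sees at least minIPs distinct sources and fewer than half of the
// connection attempts in it led to a completed ballot. Malformed lines are
// skipped rather than allowed to crash the detector.
func Detect(lines []string, minIPs int) []WindowStats {
	buckets := map[string]*bucket{}
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 3 || len(f[0]) < 16 {
			continue
		}
		minute := f[0][:16]
		b := buckets[minute]
		if b == nil {
			b = &bucket{ips: map[string]struct{}{}}
			buckets[minute] = b
		}
		switch f[2] {
		case "CONNECT":
			b.attempts++
			b.ips[f[1]] = struct{}{}
		case "VOTE":
			b.completed++
		}
	}
	var out []WindowStats
	for m, b := range buckets {
		s := WindowStats{Minute: m, Attempts: b.attempts, DistinctIP: len(b.ips), Completed: b.completed}
		s.Flagged = s.DistinctIP >= minIPs && 2*s.Completed < s.Attempts
		out = append(out, s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Minute < out[j].Minute })
	return out
}

// Alerts returns the minutes Detect flagged, in order.
func Alerts(stats []WindowStats) []string {
	var out []string
	for _, s := range stats {
		if s.Flagged {
			out = append(out, s.Minute)
		}
	}
	return out
}

// SampleLog is constructed data: three voters who connect and vote at 14:02,
// then at 14:03 one real voter buried among twelve sources that only connect.
func SampleLog() []string {
	lines := []string{
		"2012-03-24T14:02:05Z 192.0.2.10 CONNECT",
		"2012-03-24T14:02:09Z 192.0.2.10 VOTE",
		"2012-03-24T14:02:20Z 192.0.2.11 CONNECT",
		"2012-03-24T14:02:31Z 192.0.2.11 VOTE",
		"2012-03-24T14:02:40Z 192.0.2.12 CONNECT",
		"2012-03-24T14:02:55Z 192.0.2.12 VOTE",
		"2012-03-24T14:03:02Z 192.0.2.13 CONNECT",
		"2012-03-24T14:03:07Z 192.0.2.13 VOTE",
	}
	for i := 1; i <= 12; i++ {
		lines = append(lines, fmt.Sprintf("2012-03-24T14:03:%02dZ 203.0.113.%d CONNECT", 10+i, i))
	}
	return lines
}

func main() {
	for _, s := range Detect(SampleLog(), 10) {
		fmt.Printf("%s attempts=%d distinct=%d completed=%d flagged=%v\n",
			s.Minute, s.Attempts, s.DistinctIP, s.Completed, s.Flagged)
	}
}
```

A distinct-source count on its own is a weak signal: a convention hall behind one NAT looks like a single busy address, and the minute voting opens looks like a flood. Pairing it with the completion ratio is what lets the detector say "many sources, no ballots" rather than merely "busy", and is the sort of additional data Scytl says it has now captured.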


Why Your Vote Won't Count

"Mark E. Smith" <mymark@gmail.com>
Sat, 31 Mar 2012 23:54:18 -0700

The security of the vote casting and tallying processes has nothing to do
with whether or not your vote will count. Even with the most secure
electoral system possible and imaginable, your vote won't necessarily
count. The problem is inherent in the Constitution.

In order to ensure that those who owned the country would always run the
country, and to prevent ordinary voters from ever being able to use the
electoral system to bring about a more democratic form of government where
public opinion was able to influence policy decisions, the framers wrote
the Constitution in such a way as to ensure that the popular vote would not
be the final say in US elections.

There is no Constitutional guarantee that the popular vote be counted at
all, let alone that it be counted in a way that is verifiable and subject to
public oversight. The popular vote can be overridden by fraudulent vote
counts, the Electoral College, Congress, or the Supreme Court.

The risk to the public is not in the way that votes are or are not counted,
or even in the fact that more than 90% of US ballots are counted by central
tabulators that cannot be verified in a timely manner, it is in the false
belief that voting constitutes a voice in government rather than consent to
be governed by, and a blank check along with full power of attorney, to
whoever wins.

No matter how much money and effort is devoted to suppressing the vote or
trying to take away the vote, a vote is of no value whatsoever unless 1) it
has to be counted, 2) it must be counted in a way that is verifiable in a
timely manner, and 3) it can influence policy decisions rather than just
delegating such decisions to people who cannot be held accountable.

Would anyone take American Idol seriously if they announced that they
didn't have to count the votes, the vote count could not be verified until
after the winners had been chosen, and that the judges could ignore the
votes and select the winners without regard to the votes?

A reminder that votes don't have to be counted:
  http://fubarandgrill.org/node/1353

Why voting isn't a solution:
  http://fubarandgrill.org/node/1360

Some reasons to boycott elections:
  http://fubarandgrill.org/node/1172


Tor traffic disguised as Skype video to fool repressive governments

Lauren Weinstein <lauren@vortex.com>
Tue, 3 Apr 2012 14:26:38 PDT

  "Recently released software makes communications sent through Tor appear
  almost identical to a Skype video chat to anyone monitoring the
  connection."  http://j.mp/HIzfIO (ars technica)

Memo to Ministry of Communications Suppression: Block all Skype
traffic effective immediately.


Kazakh gold medal team gets Borat national anthem—googled!

Rob McCool <robm@robm.com>
Fri, 23 Mar 2012 11:39:08 -0700 (PDT)

This situation again illustrates the dangers of relying on Google (and
Wikipedia in other cases) without digging any deeper. The article says it
all, really:

  Kazakhstan's shooting team has been left stunned after a comedy national
  anthem from the film Borat was played at a medal ceremony at championships
  in Kuwait instead of the real one.  The team's coach told Kazakh media the
  organisers had downloaded the parody from the internet by mistake.
  http://www.bbc.co.uk/news/world-middle-east-17491344

People still fail to realize that Google's ranking algorithms do not always
rank for correctness. They frequently favor popularity over correctness.


Australian Court Finds Google Guilty of Deceptive Ad Tactics

Lauren Weinstein <lauren@vortex.com>
Tue, 3 Apr 2012 10:35:14 -0700

  [From NNSquad]

  At issue are sponsored links that show up in search results. "Google's
  conduct involved the use by an advertiser of a competitors name as a
  keyword triggering an advertisement for the advertiser with a matching
  headline," ACCC chairman Rod Sims said in a statement. "As the Full Court
  said this was likely to mislead or deceive a consumer searching for
  information on the competitor."  http://j.mp/HbTq12  (PC Mag)

I can't emphasize enough how potentially dangerous this sort of reasoning is
to free speech on the Net generally. If courts are going to hold search
engines responsible for the content of materials that they do not themselves
generate but that their algorithms select and display, the negative impacts
could ultimately go far beyond ads, directly to other forms of content
broadly. These are just the sort of perverse restrictions that various
repressive individuals, organizations, and governments would love to impose
on us all to control and dictate information availability.

 - Network Neutrality Squad: http://www.nnsquad.org
 - People For Internet Responsibility: http://www.pfir.org
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
 - PRIVACY Forum: http://www.vortex.com

Tel: +1 (818) 225-2800 / Skype: vortex.com


Tom Tom GPS "Leap Year Bug"

Martyn Thomas <martyn@thomas-associates.co.uk>
Tue, 03 Apr 2012 17:07:37 +0100

Some GPS devices by the Dutch company Tom Tom had been hit by a leap-year
bug.  The interesting point was that the devices had failed not on Feb. 29
or March 1, but on March 31.

Full story at:
http://www.bbc.com/news/technology-17599701


Second Murdoch hacking scandal

"Charles C. Mann" <ccmann@comcast.net>
Mon, 26 Mar 2012 23:28:05 +0000 (UTC)

http://www.guardian.co.uk/media/2012/mar/26/news-corp-ondigital-paytv-panorama

Snippet:

"The witnesses allege a software company NDS, owned by News Corp, cracked
the smart card codes of rival company ONdigital. ONdigital, owned by the ITV
companies Granada and Carlton, eventually went under amid a welter of
counterfeiting by pirates, leaving the immensely lucrative pay-TV field
clear for Sky."

Unlike the "phone-hacking" scandal, which mainly involved reporters
listening to answering machines whose owners hadn't bothered to set their
passwords, this (if it pans out) seems to feature actual computer
malfeasance.

Charles C. Mann, P.O. Box 66, Amherst, MA 01004-0066  www.charlesmann.org


An end to phones in every home? (David Cay Johnston)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Apr 2, 2012 2:31 PM

(via Dave Farber's IP)

The guarantee of landline telephone service at almost any address, a legal
right many Americans may not even know they have, is quietly being
legislated away in our U.S. state capitals.

AT&T and Verizon, the dominant telephone companies, want to end their
99-year-old universal service obligation known as "provider of last resort."
They say universal landline service is a costly and unfair anachronism that
is no longer justified because of a competitive market for voice services.

http://www.reuters.com/article/2012/03/28/column-dcjohnston-phone-idUSL2E8EROHD20120328


Apple holds the master decryption key when it comes to iCloud security, privacy (Chris Foresman)

Monty Solomon <monty@roscom.com>
Tue, 3 Apr 2012 19:53:00 -0400

Ars recently attempted to delve into the inner workings of the security
built into Apple's iCloud service. Though we came away reasonably certain
that iCloud uses industry best practices that Apple claims it uses to
protect data and privacy, we warned that your information isn't entirely
protected from prying eyes. At the heart of the issue is the fact that Apple
can, at any time, review the data synced with iCloud, and under certain
circumstances might share that information with legal authorities.

We consulted several sources to understand the implications of iCloud's
security and encryption model, and to understand what types of best
practices could maximize the security and privacy of user data stored in
increasingly popular cloud services like iCloud. In short, Apple is taking
measures to prevent access to user data from unauthorized third parties or
hackers. However, iCloud isn't recommended for the more stringent security
requirements of enterprise users, or those paranoid about their data being
accessed by authorities. ...  Chris Foresman, Ars Technica,

http://arstechnica.com/apple/news/2012/04/apple-holds-the-master-key-when-it-comes-to-icloud-security-privacy.ars
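An added illustration, not Apple's code and not a description of iCloud internals beyond what the excerpt states: the two key-holding designs side by side, so the phrase "Apple can, at any time, review the data" has a concrete shape. In the provider-held design the service encrypts at rest with a key only it holds and can therefore read the data back, on its own initiative or on request; in the client-held design the device derives the key from a passphrase that never leaves it, and the same service-side read fails authentication. The function names, the storage model and the iterated-HMAC stand-in for a real password KDF are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Blob is everything the service stores: nonce, AES-GCM ciphertext and, in
// the client-encrypted design only, the salt the user's key came from.
type Blob struct{ Nonce, Ciphertext, Salt []byte }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor panics rather than returning an error: every key here is 32 bytes.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func seal(key, plaintext []byte) Blob {
	gcm, nonce := gcmFor(key), mustRandom(12) // standard 96-bit GCM nonce
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
}

// open fails with an authentication error under any key but the sealing key.
func open(key []byte, b Blob) ([]byte, error) {
	return gcmFor(key).Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Service side: a key only the service holds, and the blob store.
var serviceKey, store = mustRandom(32), map[string]Blob{}

// PutServerEncrypted is the provider-held-key design: plaintext arrives over
// TLS and the service seals it with its own key.
func PutServerEncrypted(name string, plaintext []byte) { store[name] = seal(serviceKey, plaintext) }

// PutClientEncrypted is the client-held-key design: the device uploads a Blob
// it sealed itself and the service keeps opaque bytes.
func PutClientEncrypted(name string, b Blob) { store[name] = b }

// ProviderRead is what the service, or whoever it hands serviceKey to (an
// insider, a legal request), can recover without the user.
func ProviderRead(name string) ([]byte, error) {
	b, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("no item %q", name)
	}
	return open(serviceKey, b)
}

// deriveKey is a deliberately slow iterated HMAC standing in for a real
// password KDF (PBKDF2, scrypt or Argon2) so the example needs no extra module.
func deriveKey(passphrase string, salt []byte) []byte {
	key := salt
	for i := 0; i < 20000; i++ {
		mac := hmac.New(sha256.New, []byte(passphrase))
		mac.Write(key)
		key = mac.Sum(nil)
	}
	return key
}

// ClientSeal and ClientOpen run on the device; the passphrase never leaves it.
func ClientSeal(passphrase string, plaintext []byte) Blob {
	salt := mustRandom(16)
	b := seal(deriveKey(passphrase, salt), plaintext)
	b.Salt = salt
	return b
}

func ClientOpen(passphrase string, b Blob) ([]byte, error) {
	return open(deriveKey(passphrase, b.Salt), b)
}

func main() {
	secret := []byte("constructed sample: a synced contact list")
	PutServerEncrypted("a", secret)
	PutClientEncrypted("b", ClientSeal("correct horse battery staple", secret))
	_, errA := ProviderRead("a")
	_, errB := ProviderRead("b")
	fmt.Println("service can decrypt a:", errA == nil, "b:", errB == nil) // true false
}
```

The trade-off the excerpt alludes to falls out of the second design: if the passphrase is lost the service cannot recover the data either, and features that need the service to read synced content (server-side search, web access without the device, sharing to another account) cannot be built on it. That is the "more stringent security requirements" line in practice.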


Outage of Visa network kept people from using credit, debit cards

Monty Solomon <monty@roscom.com>
Sun, 1 Apr 2012 23:32:00 -0400

Outage of Visa network kept people from using credit, debit cards for
a time Sunday afternoon, Associated Press, 1 Apr 2012

A technical problem affecting the Visa network barred some people around the
United States from using their credit and debit cards for about 45 minutes
on Sunday.  The outage was caused by a recent update Visa has made to its
system, said Visa Inc. spokeswoman Sandra Chu. She said Visa had trouble
processing some transactions as a result, but the system is operating
normally now. ...

http://www.washingtonpost.com/politics/outage-of-visa-network-kept-people-from-using-credit-debit-cards-for-a-time-sunday-afternoon/2012/04/01/gIQAZlodpS_story.html


Re: Texting error leads to lockdowns at two schools (Reisert, R-26.76)

Paul Wallich <pw@panix.com>
Sun, 01 Apr 2012 12:25:36 -0400

> The text, saying "gunman be at west hall today," was received and reported
> to police around 11:30 a.m. But after police tracked the number, they
> learned the auto correct feature on the new cellphone changed "gunna" to
> "gunman."

It might well still have auto-corrected to "gunman". Or not. Trying this on
my oldish android phone, I see "gunman" as the fourth correction offered for
"gunna". "Gonna" comes earlier in the list (it's in the phone's dictionary)
and is of course recognized when typed. But there are alternate input
methods such as Swype (recognizes a finger track rather than individual
presses) that could do all kinds of things. My phone seemed to want to turn
both "gonna" and "gunna" into "funds", although "guns" and "bombs" were
available further down the correction list.

(I do wonder whether this might eventually lead to a new version of the old
O. Henry cipher—or, alternately, cockney rhyming slang—in which the
plaintext is given by some set of alternate spellings of the ciphertext on a
particular virtual keyboard.)


Re: Not even a tiny bit creepy. After all, Orwell WAS British (Pfeiffer, RISKS-26.71)

Marcus Rowland <forgottenfutures@gmail.com>
Sat, 31 Mar 2012 18:49:55 +0100

An obvious problem with this - a few weeks ago I bought a motorbike that had
been off the road for several months and was not insured.  Although I
arranged insurance by phone before I left the dealer, I very much doubt that
it went through the system (which is already used to make sure that people
can't get road tax [equivalent to US license plate fees] for an uninsured
vehicle) and was on line by the time I stopped to fill the tank with petrol,
approximately five minutes later.
