The RISKS Digest
Volume 26 Issue 33

Monday, 31st January 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


China Blocks Chinese Word for 'Egypt'
Sam Waltz
Egypt: Risk for a Country
Gene Wirchenko
Re: Egypt's Internet shutdown
Bob Frankston
Re: Internet Society statement on Egypt's Internet shutdown
Non-snailproofed traffic light proves fatal
Mark Brader
Public service announcement on Undigestifying
Jonathan Kamens
BBDB ran off with my Spacebar press
Re: Cyberwar countermeasures a waste of money, says report
Joe Thompson
Re: Yet Another Risk: Not reading the package very carefully
Terje Mathisen
Steve Fenwick
CfP: CRiSIS 2011: Risks and Security of Internet and Systems
Marius Minea
Info on RISKS (comp.risks)

China Blocks Chinese Word for 'Egypt'

Sam Waltz <>
January 30, 2011 3:12:14 PM ESTS

It's interesting to see how the fragmentation of the Net continues. Imagine
not being able to search for current events in Mexico, Europe, or elsewhere.
Sam Waltz

China's microblogs have blocked searches for the word "Egypt," a sign that
the Chinese government is trying to limit public knowledge of the political
unrest occurring in the Middle East. The blocking appeared to begin over the
weekend on the Chinese Twitter-like services operated by Sina, Tencent and
Sohu. Queries using the Chinese word for "Egypt" brought no results. "In
accordance with the relevant laws, regulations and policies, the search
result did not display," said the response on the Sina microblogging
site. The English word for "Egypt," however, is still searchable across the

Egypt: Risk for a Country

Gene Wirchenko <>
Mon, 31 Jan 2011 11:32:47 -0800

Source: Patrick Thibodeau, Microsoft shifts some work out of Egypt;
It is among some 120 companies located in Cairo's Smart Village IT office park
*IT Business*, 31 Jan 2011

Selected text:

Egypt has been aggressively attracting tech companies to its wired office
parks to help create jobs for its young, educated and often English-speaking
workforce. But by cutting off Internet access last week in the wake of civil
unrest, Egypt's government demonstrated just how quickly it can unwind its
hi-tech goals.

Egypt's move to block Internet access prompted Microsoft to respond.  Asked
about the situation in Egypt, Microsoft said in a written response to a
query that it "is constantly assessing the impact of the unrest and Internet
connection issues on our properties and services. What limited service the
company as a whole provides to and through the region, mainly call-center
service, has been largely distributed to other locations."

Egypt's decision to cut Internet access was apparently intended to disrupt
the ability of protestors to use social networks to organize.  But hi-tech
companies have similar flip-the-switch abilities and can shift services in
response to a natural or manmade disaster. It is almost certain that tech
companies in Egypt will respond to the current uncertainty much the same way
Microsoft did—if they haven't already.

Re: Egypt's Internet shutdown (RISKS-26.32)

"Bob Frankston" <>
Sat, 29 Jan 2011 21:29:13 -0500

The reason that it was so easy to disconnect a country from the rest of
Internet is that today's Internet protocols are very much aligned with
authority. You get your IP addresses from authorities (providers) and depend
on a single backbone that requires we trust all providers.

This is a point I make in

It is not sufficient to lament Egypt's actions—we need to move beyond
today's prototype architecture to one that honors the end-to-end principle
by removing the dependency on a centralized authority by defining
connectivity in terms of stable relationships apart from any network. We can
then use whatever facilities are available to exchange bits. The presumed
safety of today's DNS is an illusion that has consequences such as assuring
the Net will unravel as our temporary hold on our own names expires.

Skype gives a hint of what is possible but it relies on a central directory.
The first step is removing the prime dependency—the need to pay mere to
exchange bits over a common infrastructure. We can then evolve to new
protocols that aren't constrained to providers' pipes.

Re: Internet Society statement on Egypt's Internet shutdown (R 26 32)

Mon, 31 Jan 2011 10:21:22 -0500

  "In the longer term, we are sure that the world will learn a lesson from
  this very unfortunate example, and come to understand that cutting off a
  nation's access to the Internet only serves to fuel dissent and does not
  address the underlying causes of dissatisfaction."

It appears that the "lesson learning" statement therein is beamed at
governments. Unfortunately, there seems to be ample and convincing evidence
that "lesson learning" (at least of the benevolent variety) is not a skill
generally within the capabilities of any government. However, it is true
that this is a "learning moment", and the lesson that I have received is
that any of us who value Internet freedom had better have a "Plan B" that is
independent of government, whether that plan involves a darknet, archived
DNS records, or some as yet unformulated solution. Jacob Appelbaum and some
associates have evidently provided some dial-up ISP connectivity to
Egyptians, but while that is an admirable improvisation, it is also woefully
inadequate as a functional solution. On the other hand, I think that I will
refrain from tossing my very last US Robotics 56k modem just yet...

Non-snailproofed traffic light proves fatal

Mark Brader
Mon, 31 Jan 2011 06:20:40 -0500 (EST)

One night last August in Tamworth (near Birmingham), England, two cars
driven by teenagers collided head-on on a one-lane bridge, and one of them
was killed.  It has now been revealed that this happened because the traffic
lights governing the one-lane bridge were short-circuited by a snail or slug
crawling over the circuit board.  The surviving driver said he saw the other
car but did not realize what was happening in time.

Most reports do not mention the state of the lights, so I suppose they were
dark rather than showing green both ways.  The failure had been
automatically reported at a monitoring station, but the collision happened
only 20 minutes later.

"Red lights are not my concern.  I am a driver, not a policeman."
--statement made after collision, 1853  [1953?]

  [Also noted by Stephen McCallister in the *Daily Mail*.  PGN]

Public service announcement on Undigestifying

Jonathan Kamens <>
Sun, 16 Jan 2011 22:13:12 -0500

For those of you who use Thunderbird or Postbox to read your email, I've
just released a new add-on called "Undigestify" at If you
install this add-on, then you can right-click on a Risks Digest and
select "Undigestify", and the digest will be split into separate
messages which you can then read and respond to individually.

(For those of you who are old and nerdy enough to have used Emacs RMAIL
to read your mail, this is equivalent to M-x undigestify.)

Please feel free to forward this to any other digests whose readers might
find it useful. RISKS is the only RFC 1153 digest I still read, so I don't
know who else is out there who might benefit from it.

Please also feel free to contact me with comments, questions or bug reports.

  [Jonathan, Many thanks!  I occasionally still get a complaint about the
  the RISKS *digest* format, so I am happy to know of your undigestifier. PGN]

BBDB ran off with my Spacebar press

Sun, 30 Jan 2011 11:55:38 +0800

There I was paging down with the spacebar, when I noticed something
stuck. Way down in the emacs minibuffer the little snot "BBDB" program it
turned out has been asking me a question, ever so happy to take the spacebar
I had typed (intended to scroll down) as a "y". `Add address
"" to ""? (y or n) y'

Sort of like when you slip a piece of paper under a voter's pen before he
notices it's too late, then run off in glee.

Re: Cyberwar countermeasures a waste of money, says report (R 26 31)

Joe Thompson <>
Mon, 31 Jan 2011 12:09:42 -0500

Here in the DC area, one of the local online-learning institutions has long
run an alarmist "cyber war" radio ad promoting their online certificate
program in cybersecurity.  The lead-in is a woman talking to someone on the
phone about money suddenly disappearing from lots of bank accounts.  Later
in the ad we return to this conversation in time to hear "Now they're saying
it's the cell networks too!  ...Hello?  Hello?"

I wonder if they will move to a more moderate presentation now.  (I'm
not betting on it.)—Joe

Re: Yet Another Risk: Not reading the package very carefully (R 26 32)

Terje Mathisen <"terje.mathisen at">
Mon, 31 Jan 2011 09:17:34 +0100

This was a long tale, in installments, about the need for personal backups
of all data you want to keep: So far, so good.

Paul then decides to "upgrade" from a DVD burner to a BD burner, when the
only good backup these days is to have all your data on multiple independent
disks, all of which are in regular use:

My personal backup strategy for the laptop which carries everything I work
on is to have at least two external USB drives, neither of which are
normally plugged in.

The laptop has a 640 GB 2.5" drive, so my main portable backup is a 750 GB
2.5" drive which runs on USB power. (I also carry my previous internal
drive, a 500 GB model, as a backup.)

A tiny batch file is sufficient to copy all updated files from a set of
working directories onto the USB drive, then I disconnect it again.

When at home I also have a larger 3.5" USB drive, this one requires external
power as well as the USB cable.

If I should suffer a total disk crash while on a longer trip, I can open the
laptop, replace the disk with the previous main drive and be back in
operation in an hour or two, including the time to install all the security
updates and copy back recently updated files.

The total cost of this backup strategy is around $100 every year or two when
I buy one of the latest big laptop drives.

The key idea here is that only media and disks that you regularly
use/monitor/upgrade can be depended upon to last!


PS. I also use my Dreamhost-based personal server and an RSYNC account for
real offsite backup of some really critical (encrypted) files. :-)

Re: Yet Another Risk: Not reading the package very carefully

Steve Fenwick <>
Sun, 30 Jan 2011 20:01:48 -0800

Paul Robinson <> writes:

For small backups, Robinson's suggestion is probably fine. As you start to
fill up your new 2TB drive, the backup cost will rise substantially; worse,
the time to backup will increase to the point at which you may become
discouraged to do backups.

As you noted, HDDs have gotten very, very inexpensive, and you can get
external drive docks at under $50, so this is my preferred mechanism now for

Risk: staying in a paradigm after technology has passed it by.

CfP: CRiSIS 2011: Risks and Security of Internet and Systems

Marius Minea <>
Mon, 31 Jan 2011 20:27:56 +0200 (EET)

                          CALL FOR PAPERS
 [ PDF version at: ]

                The Sixth International Conference on
             Risks and Security of Internet and Systems
                            CRiSIS 2011
             Timisoara, Romania, 26-28 September 2011

     IEEE Computer Society technical co-sponsorship (expected)

The International Conference on Risks and Security of Internet and Systems
2011 will be the 6th in a series dedicated to security issues in
Internet-related applications, networks and systems.  The CRiSIS conference
offers an effective forum for computer and network security researchers from
industry, academia and government to meet, exchange ideas and present recent
advances on Internet-related security threats and vulnerabilities, and on
the solutions that are needed to counter them.

The topics addressed by CRiSIS range from the analysis of risks, attacks to
networks and system survivability, passing through security models, security
mechanisms and privacy enhancing technologies. Prospective authors are
invited to submit research results as well as practical experiment or
deployment reports. Industrial papers about applications and case studies,
such as telemedicine, banking, e-government and critical infrastructure, are
also welcome. The list of topics includes but is not limited to:

* Analysis and management of risk
* Attacks and defences
* Attack data acquisition and network monitoring
* Cryptography, Biometrics, Watermarking
* Dependability and fault tolerance of Internet applications
* Distributed systems security
* Embedded system security
* Intrusion detection and Prevention systems
* Hardware-based security and Physical security
* Trust management
* Organizational, ethical and legal issues
* Privacy protection and anonymization
* Security and dependability of operating systems
* Security and safety of critical infrastructures
* Security and privacy of peer-to-peer system
* Security and privacy of wireless networks
* Security models and security policies
* Security of new generation networks, security of VoIP and multimedia
* Security of e-commerce, electronic voting and database systems
* Traceability, metrology and forensics
* Use of smartcards and personal devices for Internet applications
* Web security

Submission deadline : May 10, 2011
Notification to Authors : July 15, 2011
Camera-Ready Due : August 15, 2011

Submitted papers must not substantially overlap with papers that have been
published or that are simultaneously submitted to a journal or a conference
with proceedings.  Papers must be written in English and must be submitted
electronically in PDF format. Maximum paper length will be 8 printed pages
for full papers or 4 pages for short papers, in IEEE 2-column style.
Authors of accepted papers must guarantee that their papers will be
presented at the conference. All papers selected for presentation at the
conference will be published in the hard-copy proceedings distributed to all
conference participants and will also be available on-line in IEEE Xplore:

The authors of the best conference papers will be invited to submit an
extended version to a special issue of the International Journal of
Information and Computer Security (IJICS).

All paper submissions will be handled through the Easy Chair conference
management system. Follow the instructions given here:


We solicit tutorials on state-of-the-art technologies relevant to the
conference themes. We are particularly interested in tutorials that foster
knowledge exchange among the different research communities present at the
conference. The intended length of each tutorial is 2 to 3 hours.

A tutorial proposal should include a brief summary and outline, specific
goals and objectives, the intended audience and the expected background of
the audience as well as a biographical sketch of the presenter(s). The
length of tutorial proposals should not exceed 5 pages.

Tutorial proposals should be submitted to the tutorial program chair: Anas
Abou el Kalam by email: before 10 May 2011.

GENERAL CHAIR: Marius Minea, Politehnica University of Timisoara, Romania
PC CHAIR: Frederic Cuppens, TELECOM Bretagne, France
PC CO-CHAIR: Simon Foley, University College Cork, Ireland
TUTORIAL CHAIR: Anas Abou ElKalam, Universite de Toulouse, IRIT-INP, France
FINANCE CHAIR: Yannick Chevalier, Universite de Toulouse, IRIT, France
PUBLICATIONS CHAIR: Bogdan Groza, Politehnica University of Timisoara

Please report problems with the web pages to the maintainer