The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 45

Tuesday 24 May 2011

Contents

Computer glitch forces U.S. to cancel visa lottery results
Robert McMillan via Ben Moore
Westpac systems crash in IT meltdown notsp
Michael Rosa
Car Talk and Talk and...
Joseph B. White via Eli the Bearded
Sony breach may drive down value of stolen credit cards
Jeremy Epstein
WSJ Reporter Takes Heat Over Tone Of Privacy Series
Joe Mullin
When the Internet Thinks It Knows You
Eli Pariser via Monty Solomon
"Automatic Updates" considered Zombieware
Henry Baker
Amazon Cloud Crash Write-up
Gene Wirchenko
Lawsuit alleges spyware on rental computers
Joe Mandak via Matt Roberds
The Web browser that cried "wolf"
Mark Thorson
You must enable javascript to view this page
jidanni
Future Risks
John Brandon via Gene Wirchenko
Poor choice for automatic password
Tony Luck
REVIEW: "The Black Swan", Nassim Nicholas Taleb
Rob Slade
Info on RISKS (comp.risks)

Computer glitch forces U.S. to cancel visa lottery results

"Ben Moore" <ben.moore@juno.com>
Mon, 16 May 2011 01:39:03 GMT

Robert McMillan, IDG News Service, 13 May, 2011 [PGN-ed]
http://www.networkworld.com/news/2011/051311-computer-glitch-forces-us-to.html

It turns out that the country's 2012 Diversity Lottery wasn't fair. In a
videotaped statement posted to the Web, Deputy Assistant Secretary of State
for Visa Services David Donahue said the results, announced by his
department earlier this month, "did not represent a fair random selection of
the entrants, as required by U.S. law.  Although we received large numbers
of entries every day during the 30-day registration period, a computer
programming error caused more than 90 percent of the selectees to come from
the first two days of the registration period." (5-6 Oct 2010)

More than 12 million people applied for the green card lottery last
year. The program is designed to even out the mix of U.S. immigrants by
giving some people from certain countries priority in the years-long wait
for a U.S. work visa, also known as a green card. There are between 50,000
and 55,000 winners each year.  Entrants will have to wait until July 15,
when the State Department will announce results based on a new, random
algorithm.


Westpac systems crash in IT meltdown

Michael Rosa <MRosa@workcover.com>
Thu, 5 May 2011 13:07:07 +0930

http://www.theaustralian.com.au/business/industry-sectors/westpac-systems-crash-in-it-meltdown/story-e6frg96f-1226050242014

An air-conditioning failure has crippled Westpac's (Australian bank) IT
systems throughout the nation one day after reporting record profits of
almost $4 billion.

At 12.05 AEST Westpac said ATM and EFTPOS facilities were restored but there
was no word on when online banking would be working.  "Westpac sincerely
apologises to all our customers who have been impacted by today's outage.
We take systems reliability extremely seriously and are very disappointed by
the inconvenience to our customers and will undertake a thorough review,"
Rob Coombe, Westpac Group executive, retail and business banking, said.

Westpac subsidiary St George Bank was also affected by the system failure.

Customers have complained to The Australian and taken to social media
websites to vent their anger after they couldn't withdraw funds from ATMs or
use EFTPOS facilities this morning.

Earlier a Westpac spokeswoman told ABC Radio that an air conditioning
problem at one of its data centres had triggered the shut down of the bank's
systems.

Michal Rosa, WorkCover SA, 100 Waymouth St, Adelaide, SA 5000 P: 0882332147
www.workcover.com<http://www.workcover.com/> mrosa@workcover.com


Car Talk and Talk and... (Joseph B. White)

Eli the Bearded <risks@eli.users.panix.com>
Mon, 23 May 2011 15:27:15 -0400 (EDT)

I noticed an article in the Wall Street Journal today about
vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications
to cars. The idea is cars so equipped could help alert drivers to sudden
changes in traffic.

Joseph B. White, Car Talk and Talk and..., *Wall Street Journal*, 23 May 2011
http://online.wsj.com/article/SB10001424052748703778104576286631174569232.html

Mostly the article does a good job of outlining positives and the risks of
this effort: false alarms could numb drivers, auto makers could be sued if
an alarm fails to sound, drivers would not like their cars to help them get
tickets.

One quote near the end from an advocacy group spokesman caught my attention
as worrisome however:

  "It's important to move to large-scale deployments to figure out what the
  issues are," says Scott Belcher, president of the Intelligent
  Transportation Society of America ...

I hope most issues can be found before the "large-scale deployments" take
place.


Sony breach may drive down value of stolen credit cards (Nick Bilton)

Jeremy Epstein <jeremy.epstein@sri.com>
Wed, 04 May 2011 02:53:33 -0400

This is actually quite funny - the thieves are worried that the increased
supply of stolen credit card numbers will drive down the value of the
already-stolen cards.  Perhaps they'll ask for government regulation to
protect the value of their stolen merchandise?

Nick Bilton, Bits, Perverse cybereconomic impacts, *The New York Times*,
3 May 2011
http://bits.blogs.nytimes.com/2011/05/03/card-data-is-stolen-and-sold/

Last week, after the Sony PlayStation Network was attacked by a group of
unknown hackers, Sony's 77 million customers, along with security
specialists and government officials, were surprised by the amount of
information that might have been stolen from the company.

But there was another group that worried about the attack: other hackers who
steal credit card numbers and personal identity online and then sell and
trade this information in underground markets.

"We're keeping a close eye on the Sony story as it would drastically affect
the resale of other cards," explained an experienced hacker based in Europe
who declined to share his name due to the nature of his work.

Kevin Stevens, senior threat researcher at the computer security firm Trend
Micro, explained in an interview last week that there was a lot of
discussion taking place in hacker forums about the Sony data breach.
Several credit card dealers are worried that the distribution of millions of
credit cards would flood the market and lower prices, he said. [...]

Jeremy Epstein, Senior Computer Scientist, SRI International
1100 Wilson Blvd, Suite 2800, Arlington VA  22209  703-989-8907 (M)


WSJ Reporter Takes Heat Over Tone Of Privacy Series (Joe Mullin)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 24 May 2011 11:53:23 PDT

  [Thanks to Richard M. Smith, computerbytesman.  PGN]

Joe Mullin, *The Wall Street Journal*, 20 May 2011
http://paidcontent.org/article/419-wall-street-journal-reporter-takes-heat-over-tone-of-privacy-series/

In many ways, the series of articles about online privacy that *The Wall
Street Journal* began publishing last year has set the tone for the privacy
debate nationally—but not everyone is thrilled about that.

During a discussion about personal information and privacy at the pii2011
<http://pii2011.com/> conference, Evidon CEO Scott Meyer suggested that the
tone of the WSJ series about digital privacy, called
<http://online.wsj.com/public/page/what-they-know-digital-privacy.html>
"What They Know," was over the top and inflammatory. "When you use words
like 'surveillance' and 'spying,' it freaks people out," Meyer said to Julia
Angwin, one of the WSJ reporters who has worked on the series. "If it
weren't for you, we wouldn't be here," he said, referring to the panel of
behavioral advertising companies that he was on, which Angwin was
moderating.

A questioner from the audience, Morgan Reed of the Association for
Competitive Technology <http://actonline.org/>, agreed, noting that the WSJ
series had directly influenced the comments made by Congressional
representatives. "The question addressed to me [by Congress] was, 'Look at
these apps the Wall Street Journal found-so you, app developer, tell us why
we shouldn't be afraid of these.'"


When the Internet Thinks It Knows You (Eli Pariser)

Monty Solomon <monty@roscom.com>
Tue, 24 May 2011 00:34:08 -0400

Eli Pariser, 22 May 2011, *The New York Times*, 23 May 2011
http://www.nytimes.com/2011/05/23/opinion/23pariser.html

Once upon a time, the story goes, we lived in a broadcast society. In that
dusty pre-Internet age, the tools for sharing information weren't widely
available. If you wanted to share your thoughts with the masses, you had to
own a printing press or a chunk of the airwaves, or have access to someone
who did. Controlling the flow of information was an elite class of editors,
producers and media moguls who decided what people would see and hear about
the world. They were the Gatekeepers.

Then came the Internet, which made it possible to communicate with millions
of people at little or no cost. Suddenly anyone with an Internet connection
could share ideas with the whole world. A new era of democratized news media
dawned.

You may have heard that story before - maybe from the conservative blogger
Glenn Reynolds (blogging is "technology undermining the gatekeepers") or the
progressive blogger Markos Moulitsas (his book is called "Crashing the
Gate"). It's a beautiful story about the revolutionary power of the medium,
and as an early practitioner of online politics, I told it to describe what
we did at MoveOn.org. But I'm increasingly convinced that we've got the
ending wrong - perhaps dangerously wrong. There is a new group of
gatekeepers in town, and this time, they're not people, they're code.

Today's Internet giants - Google, Facebook, Yahoo and Microsoft - see the
remarkable rise of available information as an opportunity. If they can
provide services that sift though the data and supply us with the most
personally relevant and appealing results, they'll get the most users and
the most ad views. As a result, they're racing to offer personalized filters
that show us the Internet that they think we want to see. These filters, in
effect, control and limit the information that reaches our screens. ...


"Automatic Updates" considered Zombieware

Henry Baker <hbaker1@pipeline.com>
Wed, 27 Apr 2011 17:24:03 -0700

I wish this were only April 1st.

My Windows computer is now spending a significant fraction of its time
running "updates" on every program that I have installed.  I have no idea
what these "updates" do, but each "update" takes more and more space, and my
computer runs slower and slower.  A large fraction of these "updates"
require restarting Windows, so these "updates" are disruptive to my use of
my computer.

The "going rate" for updates now appears to be 100Mbytes.  Adobe's Reader X
is *three times* the size of Reader 8, and (as far as I'm concerned) it is
much worse because it takes forever to load.  I'm also terribly concerned
that Javascript is enabled by default in Adobe Reader; since when does Adobe
Reader need Javascript?  For that one time per year when I need to fill out
the IRS form?

The latest Apple iTunes "update" from a couple of days ago not only didn't
work, but froze my system so badly I had to "system restore" to a previous
date.  Apple themselves has the hubris to not bother installing a restore
point itself, because it assumes that its software would _never_ be buggy
enough to require a restore.  I'm about ready to ditch iTunes completely,
since none of this additional bloat has anything to do with me (I don't have
an iPhone or iPad, although I do have an older iPod).  iTunes also has an
unfixed bug that has existed for the past two years, where with hundreds of
podcast feeds, I try to update them all at once, iTunes reliably crashes.
Each crash, of course, is dutifully sent back to Microsoft, which Microsoft
apparently throws directly into the circular file because Microsoft is
thrilled to see Apple software crash & burn.

If I were cynical, I would assume that that the computer in "cloud
computing" means *my computer*, and under the guise of "updates", all of
these vendors are stealing time & disk space on my computer to sell to their
cloud customers.

At the current rate of bloat, my computer will soon run out of disk space --
not for any of *my* data—but for all the bloatware "updates" that
everyone wants to install.

I'm starting to downgrade my software—I've reinstalled Adobe Reader 8
(only 33Mbytes), and I'm moving more and more to open source software which
(at least so far) isn't so bloated with features that I have no idea what
they do or why they are there, yet they open security holes that continually
need to be fixed with even more updates.

 - - -

I can't wait for automobiles with WiFi to start automatically "updating"
themselves every time I want to buy gas.  Clearly, *nothing could go wrong*
in that scenario.

I can foresee massed armies arrayed against one another in the near future,
but neither is capable of fighting, because each is receiving "updates" for
all of its computers & rebooting...

Who needs Stuxnet, when we have Microsoft/Apple/Adobe/Java/...
automatic updating?


Amazon Cloud Crash Write-up

Gene Wirchenko <genew@ocis.net>
Fri, 29 Apr 2011 10:12:07 -0700

Summary of the Amazon EC2 and Amazon RDS Service Disruption in the US
East Region

Now that we have fully restored functionality to all affected services, we
would like to share more details with our customers about the events that
occurred with the Amazon Elastic Compute Cloud ("EC2") last week, our
efforts to restore the services, and what we are doing to prevent this sort
of issue from happening again. We are very aware that many of our customers
were significantly impacted by this event, and as with any significant
service issue, our intention is to share the details of what happened and
how we will improve the service for our customers.
http://aws.amazon.com/message/65648/


Lawsuit alleges spyware on rental computers (Joe Mandak)

Matt Roberds <mroberds@att.net>
Wed, 4 May 2011 02:56:50 -0500 (CDT)

Joe Mandak, AP wire story, 3 May 2011:

PITTSBURGH - A major furniture rental chain has software on its computers
that lets it track the keystrokes, screenshots and even webcam images of
customers while they use the devices at home.  A lawsuit was filed on behalf
of a Wyoming couple who said they learned about the PC Rental Agent "device
and/or software" inside the computer they rented last year when an Aaron's
Inc. store manager in Casper came to their home on 22 Dec 2010.

The manager tried to repossess the computer because he mistakenly believed
the couple hadn't finished paying for it, the couple said.  Brian Byrd, 26,
said the manager showed him a picture of Byrd using the computer - taken by
the computer's webcam. The image was shot with the help of spying software,
which the lawsuit contends is made by North East, Pa.-based Designerware LLC
and is installed on all Aaron's rental computers.  [...]

PC Rental Agent includes components soldered into the computer's motherboard
or otherwise physically attached to the PC's electronics, the lawsuit
said. It therefore cannot be uninstalled and can only be deactivated using a
wand, the suit said."

source: http://news.yahoo.com/s/ap/20110503/ap_on_re_us/us_rental_computer_spyware

I'm not exactly sure what the hardware components mentioned above *are*,
especially not the one that can be "deactivated using a wand".  I have seen
a recent (mid-2000s) IBM PC that had some kind of antenna connected to the
motherboard, but it wasn't for a built-in WiFi adapter.  The marketing
material for that machine implied it was some kind of asset-tracking system.
The machine boots and appears to run OK with the antenna unplugged.

The other functions mentioned (remote activation of webcam, key logging,
etc.) could easily be implemented in software, and this has already been
done by various school districts to spy on their students (Wirchenko,
RISKS-25.95).


The Web browser that cried "wolf"

Mark Thorson <eee@sonic.net>
Sun, 8 May 2011 17:23:08 -0700

Sometimes those annoying pop-ups warning about not having a trusted
certificate really do indicate something is wrong, as in the case of this
recent Syrian man-in-the-middle attack.

https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook

As noted in the bulletin, we often reflexively click through these warnings.
The RISK is that a warning given too often is ignored, a scenario we've seen
so many times in other contexts, such as warning alarms on medical
equipment.


You must enable javascript to view this page

<jidanni@jidanni.org>
Sun, 15 May 2011 10:25:55 +0800

Muhahaha, they forgot that we occasional _text browser_ users can still
see their page as plain as day!

$ w3m -dump http://lyrics.wikia.com/Devo:Triumph_Of_The_Will
You must enable javascript to view this page. This is a requirement of
our licensing agreement with music Gracenote.


Future Risks

Gene Wirchenko <genew@ocis.net>
Tue, 24 May 2011 13:44:54 -0700

John Brandon, Six rising threats from cyber criminals Watch out for these
cyber attacks that can turn smartphones into texting botnets, shut off
electricity, jam GPS signals, ...  InfoWorld, 19 May 2011
http://www.infoworld.com/d/security/six-rising-threats-cyber-criminals-573

      The article is eight Web pages long.  Here are the topics:
1. Text-message malware
2. Hacking into smart grids
3. Social network account spoofing
4. Cyber stalking
5. Hackers controlling your car
6. GPS jamming and spoofing: Threat or nuisance?


Poor choice for automatic password

Tony Luck <tony.luck@gmail.com>
Mon, 9 May 2011 14:46:22 -0700

My credit union has been acquired by a larger credit union.  Instructions
for logging in to the "bill pay" area of the new website include:

  Important: Your new Bill Pay Password is the last four digits of your
  five-digit home ZIP code, followed by the last four digits of your home
  phone number (i.e., if your ZIP code is "95125," and your home phone
  number is "555-1234," your CEFCU Bill Pay password would be "51251234")

Somebody thinks that my zip code and home phone number are secrets
only known to me ... sigh.


REVIEW: "The Black Swan", Nassim Nicholas Taleb

Rob Slade <rMslade@shaw.ca>
Tue, 24 May 2011 14:20:35 -0800

BKBLKSWN.RVW   20110109

"The Black Swan", Nassim Nicholas Taleb, 2007, 978-1-4000-6351-2,
U$26.95/C$34.95
%A   Nassim Nicholas Taleb
%C   One Toronto Street, Unit 300, Toronto, ON, Canada  M5C 2V6
%D   2007
%G   978-1-4000-6351-2 1-4000-6351-5
%I   Random House/Vintage/Pantheon/Knopf/Times/Crown
%O   U$26.95/C$34.95 800-733-3000 randomhouse.ca www.atrandom.com
%O  http://www.amazon.com/exec/obidos/ASIN/1400063515/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1400063515/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1400063515/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   366 p.
%T   "The Black Swan: The Impact of the Highly Improbable"

I was irritated into reviewing this book.  I knew that the title referred to
events which are rare, and therefore seen as unlikely or impossible, but
which, once observed, are obviously true.  I had heard this book (and idea)
discussed in terms of risk analysis, but the mere fact didn't strike me as
terribly useful.  To a certain extent we deal with such issues all the time
in business continuity planning.  So, when, during yet another conversation
on risk analysis, one participant insisted that we should all read this
text, I responded that the earth might fall into the sun, soon, and
therefore I couldn't see risking what little time I had left reading Taleb's
work.

The participant insisted that we weren't going to fall into the sun for a
long while, and therefore I should read the book.  Having now read it, I can
say that this person didn't understand one of the author's main points.

In the prologue, Taleb describes a Black Swan event as one which is rare,
has an enormous impact on the world, and is explainable after the fact.
During the course of the work he presents a number of examples.  A great
deal of the text, though, discusses, disparages, and even rants against
efforts to predict future events or outcomes, particularly those which rely
on models.  The author notes that many of these models fail to take certain
factors into account.  This is quite true: a model, by its very nature, must
be limited.  A map of Canada, the full size of Canada, would be accurate,
but not very portable, and thus not useful.  In the same way, any model is a
heuristic, giving a quick indication of operation on the basis of a very
limited set of factors.  Taleb's thesis about rare events seems to take
second place to his assertion that you can go badly awry by relying on a
model which fails to take all factors into account.

My "earth into the sun" example, therefore, fits well into the theme of the
book.  As far as we understand, we have probably billions of years before we
spiral into the sun.  On the other hand, some rare event may make this
happen much sooner, and we'll all be impacted (if you'll pardon the
expression).  And, if it does happen, you can bet that, in the few weeks or
hours between the event and our incineration, there will be plenty of people
who will be building models to explain why it did happen.

This statement is undoubtedly true.  But is it helpful?  Much of the
author's work is addressed at the issue of investment, and particularly
"playing" the stock market.  He notes that an investor, by betting on black
swan events, can make a large return (since black swan events have a large
impact).  This declaration is also true, but you can't bet on all possible
events, so which ones do you choose?  For example, computer equipment
retailers who "bet" on tablet computers last year would, this year, be in a
very strong position.  Those who did the same thing twenty-three years ago
would have been stuck supporting the Newton.

Taleb keeps repeating (and repeating, and repeating, and repeating: his few
points are duplicated many times over through nineteen chapters) that just
about everyone tries to avoid risk on the basis of what they have seen in
the past.  In fact, not only many studies but also common observation show
that this isn't the case.  The general public loves to gamble.  Studies of
"successful" people (business leaders, etc.) indicate that they are more
prone to gambling and risk- taking than the general public, and, in fact,
foolishly so.  ("Leaders" have a strong tendency to gamble even when it is
quite clear that taking the small but sure return is the better deal.)

Is this, in fact, evidence that Taleb is correct, and that we all should be
risk-takers, betting on black swans?  No.  As he, himself, points out in a
different context, some risk-takers win, and become "successful," while a
lot of risk-takers lose, but disappear into the general population.  (Or
just disappear.)

The central point about making predictions on the basis of insufficient
knowledge is emphasized most repetitively in regard to investments and
finance.  The author does suggest a method for ventures: keep 90% of your
funds in the most conservative undertakings, and invest the 10% in wildly
speculative "positive" black swans.  Of course, this doesn't guarantee that
any of your wild investments do pay off, but at least you will have your
90%.  Unless a "negative" black swan comes along and wipes them out.

The book is, actually, fairly fun to read, but annoying to review.  Taleb
has good facility with language, and writes in an amusing, if scattered,
manner.  As a means of passing the time, the text is fluid, entertaining,
and even has some points worth thinking about.  However, in terms of this
review series, I must consider whether the tome is useful or not, and I'm
not certain that it is.  Taleb presents some salient warnings, but makes any
number of statements ( several of them outrageous) without going to the
trouble of backing them up.  (This fact is rather ironic in view of his
repeated denigration of academics and technical authors who cannot write
clearly and "properly."  He even admits, almost up front, that a friend
"caught [him] red-handed" by challenging him to "justify the use of the
precise metaphor of a Black Swan," and he had to confess "this book is a
story.")

To take a page from the way Taleb writes, I could point out that his
"Extremistan" bears a strong resemblance to the age of the dinosaurs.  They
developed the largest land-dwelling creatures ever to walk on earth, lasted
much longer than we humans have, and, some models show, were able, simply
because of their immense numbers, to effect climate in ways that we have
only recently been able to do by pumping their remains out of the earth and
burning them.  They were also subject to a black swan event in the shape of
an asteroid, which left, as their descendants, only Taleb's much maligned
turkeys.

There are certainly holes in this argument, but it is as entertaining, and
as valid, as much of what Taleb writes in the book.

In the end, I have to agree with Taleb's mother: there is some use in
this book, but an enormous disparity between what the author thinks it
is worth, and what it is actually worth.

(No ballet dancers were mentally harmed in the reviewing of this book.)

copyright, Robert M. Slade   2011     BKBLKSWN.RVW   20110109
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links

Please report problems with the web pages to the maintainer

Top