The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 72

Sunday 12 February 2012


Programming error doomed Russian Mars probe
Lauren Weinstein
... or maybe radiation, not programming, killed the Russian probe
The Research Works Act
HGI scientists break satellite telephony security standards
Horst Goertz Inst
PayPal STILL doesn't get it
Jim Garrison
FBI to track social networks
Antony Savvas via Gene Wirchenko
Twitter can now block tweets in specific countries
Stephen Lawson via GW
Evidence of massive Iranian Internet blocking—SSL, etc.
"Man-in-the-middle" corporate attack in the wild
Jim Ausman
Symantec recommends disabling pcAnywhere
via Monty Solomon
"Got remote access? Lock it down"
Robert Lemos via GW
Aloha Privacy! - Hawaii bill would track all Web surfing in detail
via LW
Privacy on the Barbie! - Australia considers unlimited communications data retention
via LW
Lawyer sues ex-girlfriend over Google Search results
via LW
Inside China's censorship machine
via LW
Hackers take over Boston Police Department website; message cites handling of Occupy Boston protest
via Monty Solomon
Risks: Conviction of Card Scam operators. How the Scam worked.
Len Spyker
Would the US Extradite UK Blogger for Linking to Works in the Public Domain in Other Countries?
Dewayne Hendricks via Dave Farber's IP
The Heartbreaking Truth About Online Dating Privacy
Over 3 years later, "deleted" Facebook photos are still online
via LW
Re: deducing causality
Richard O'Keefe
Re: Pocket-dialed 911 calls increasingly common
Danny Burstein
Info on RISKS (comp.risks)

Programming error doomed Russian Mars probe

Lauren Weinstein <>
Tue, 7 Feb 2012 11:28:23 -0800

A report presented to Russian Deputy Prime Minister Dmitry Rogozin concludes
that the primary source of the failure of Russia's Phobos-Grunt Mars
spacecraft launched on 9 Nov 2011 was a programming error that "led to a
simultaneous reboot of two working channels of an onboard computer" that
prevented the probe from escaping earth orbit.

... or maybe radiation, not programming, killed the Russian probe

Lauren Weinstein <>
Tue, 7 Feb 2012 14:14:41 -0800

The Research Works Act

"Peter G. Neumann" <>
Fri, 27 Jan 2012 13:24:18 PST

This bill would make it illegal to require researchers to make their work
available publicly.

  [Does the Research Works Act work?  Probably not.
   Do Research Works act?  No, although this act might seem theatrical!
   Does Research work?  Yes.  Sometimes it can be very valuable,
     even if often ignored in development communities.  However, much
     past research is widely ignored.  On the other hand, the answer is No,
     if its existence is hidden or otherwise obscured!

> Date: Thu, 26 Jan 2012 17:21:43 -0500
> From: David Farber <>
> Subject: [IP] A small bill in the US, a giant impact for research worldwide


HGI scientists break satellite telephony security standards

<Newsletter of the Horst Goertz Institute of IT Security in Bochum>
8 Feb 2012 17:45:13 +0100

Satellite telephony was thought to be secure against eavesdropping.
Researchers at the Horst Goertz Institute for IT-Security (HGI) at the Ruhr
University Bochum have cracked the encryption algorithms of the European
Telecommunications Standards Institute (ETSI), which is used globally for
satellite telephones, and revealed significant weaknesses.  With simple
equipment, they found the crypto key which is needed to intercept telephone
conversations. Using open-source software and building on their previous
research results, they were able to exploit the security weaknesses.

Telephoning via satellite

In some regions of the world standard cell phone communication is still
not available. In war zones, developing countries and on the high seas,
satellite phones are used instead. Here, the telephone is connected via
radio directly to a satellite. This passes the incoming call to a
station on the ground. From there, the call is fed into the public
telephone network. So far this method, with the ETSI’s encryption
algorithms A5-GMR-1 and A5-GMR-2, was considered secure.

Simple equipment—fast decryption

For their project, the interdisciplinary group of researchers from the areas
of Embedded Security and System Security used commercially available
equipment, and randomly selected two widely used satellite phones. A simple
firmware update was then loaded from the provider's website for each phone
and the encryption mechanism reconstructed. Based on the analysis, the
encryption of the GMR-1 standard demonstrated similarities to the one used
in GSM, the most common mobile phone system.  “Since the GSM cipher had
already been cracked, we were able to adopt the method and use it for our
attack,” explained Benedikt Driessen, of the Chair for Embedded Security
(Prof. Christof Paar). To verify the results in practice, the research group
recorded their own satellite telephone conversations and developed a new
attack based on the analysis.  “We were surprised by the total lack of
protection measures, which would have complicated our work drastically,”
said Carsten Willems of the Chair for System Security at the RUB.

Invasion of privacy

Encryption algorithms are implemented to protect the privacy of the
user. “Our results show that the use of satellite phones harbours dangers
and the current encryption algorithms are not sufficient,” emphasized Ralf
Hund of the Chair for System Security (Prof. Thorsten Holz). There is, as
yet, no alternative to the current standards. Since users cannot rely on
their security against interception, similar to the security of standard
cell phones, they will have to wait for the development of new technologies
and standards, or make use of other means of communication for confidential

  "We were able to completely reverse engineer the encryption algorithms
  employed," said Benedikt Driessen and Ralf Hund of Ruhr University Bochum
  as they announced their report, "Don't Trust Satellite Phones".

PayPal STILL doesn't get it

Jim Garrison <>
Fri, 10 Feb 2012 10:41:07 -0800

Last week I received an e-mail from PayPal with the subject

  Your action is needed to continue using your PayPal account

and containing lines like

  Log in to agree to our Electronic Communications Delivery Policy

        LOGIN TO CONSENT [link]

Of course, this looks *exactly* like the millions of other phishing e-mails
that are this very moment flying across the Internet.  But this one looked
really well put together, unlike most others, so I took a look at the

It's real.  All the links are legit, and when I logged in (by typing in the
PayPal URL, not clicking a link) there indeed was a notice of updated terms.

As we all know, the e-mail should have contained no login links and should
have advised the recipient to login by entering the URL manually. Somebody
at PayPal deserves a dope-slap.

I decided to submit it to PayPal's spoof-investigation address to point out
the error of their ways, and today received this:

  Our security team is working to identify if the e-mail you forwarded to us
  is a phishing e-mail. We will get in touch shortly to let you know our

I await their findings with interest :-)

FBI to track social networks (Antony Savvas)

Gene Wirchenko <>
Fri, 27 Jan 2012 10:26:23 -0800

Antony Savvas, App would crawl Twitter and Facebook, *IT Business*, 27 Jan 2012

The US Federal Bureau of Investigation (FBI) is planning to develop an
application that can track the public's postings to Facebook, Twitter and
other social networks, in order to aid how it predicts and reacts to
criminal behaviour, including public disorder and terrorism.  ...

"Twitter can now block tweets in specific countries"

Gene Wirchenko <>
Fri, 27 Jan 2012 10:24:29 -0800

Stephen Lawson, *IT Business*, 27 Jan 2012
The messages would be visible elsewhere in the world and the removal
would be clearly marked, Twitter said.

Evidence of massive Iranian Internet blocking (SSL, etc.)

Lauren Weinstein <>
Fri, 10 Feb 2012 09:53:05 -0800

Evidence of massive Iranian Internet blocking—SSL, etc. [From NNSquad]  (Google+)

"Man-in-the-middle" corporate attack in the wild

"Jim Ausman" <>
Feb 7, 2012 4:49 PM

  (From Dave Farber's IP)

Trustwave, a Certificate Authority, issued a certificate that allowed the
owner to issue any valid certificate to facilitate man-in-the-middle attacks
on their employees.

They say that they used a special hardware container to ensure that this
could not be used for anything other than the intended purpose, but this
still indicates that a long-suspected weakness in the CA infrastructure is
being exploited to eavesdrop on traffic.

EFF sent out an alert about the fact that Iran was doing this a few months
ago, but this is the first I have heard of a corporation doing it.

Symantec recommends disabling pcAnywhere

Monty Solomon <>
Fri, 27 Jan 2012 09:00:15 -0500

Symantec pcAnywhere Security Recommendations


Upon investigation of the claims made by Anonymous regarding source code
disclosure, Symantec believes that the disclosure was the result of a theft
of source code that occurred in 2006. We believe that source code for the
2006-era versions of the following products was exposed: Norton Antivirus
Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton
Utilities and Norton GoBack); and pcAnywhere.

With this incident pcAnywhere customers have increased risk.  Malicious
users with access to the source code have an increased ability to identify
vulnerabilities and build new exploits.  Additionally, customers that are
not following general security best practices are susceptible to
man-in-the-middle attacks which can reveal authentication and session
information. General security best practices include endpoint, network,
remote access, and physical security, as well as configuring pcAnywhere in a
way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec
releases a final set of software updates that resolve currently known
vulnerability risks. For customers that require pcAnywhere for business
critical purposes, it is recommended that customers understand the current
risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as
they are released, and follow the general security best practices discussed

This document is designed to help customers understand the situation and to
provide remediation steps to maintain the protection of their devices and
information. ...

"Got remote access? Lock it down" (Robert Lemos)

Gene Wirchenko <>
Fri, 10 Feb 2012 15:05:10 -0800

Robert Lemos, InfoWorld, 10 Feb 2012
Got remote access? Lock it down
Poorly configured remote-access software is to blame for the majority of
data breaches by hackers, according to security reports from Verizon and

opening text:

While the theft of source code for Symantec's pcAnywhere has put the
remote-access program in the spotlight, the security issues posed by remote
management products are not new. In fact, data released over the last year
shows that poorly configured remote-access programs routinely account for a
significant portion of data breaches and network security incidents.

Remote-access software, for example, led to a stunning 62 percent of
breaches studied by security firm Trustwave in its recently released global
security report.

Aloha Privacy! - Hawaii bill would track all Web surfing in detail

Lauren Weinstein <>
Thu, 26 Jan 2012 09:49:06 -0800  (CNET via NNSquad)

  Hawaii's legislature is weighing an unprecedented proposal to curb the
  privacy of Aloha State residents: requiring Internet providers to keep
  track of every Web site their customers visit.

Privacy on the Barbie! - Australia considers unlimited communications data retention

Lauren Weinstein <>
Thu, 26 Jan 2012 09:46:56 -0800  (Slashdot via NNSquad)

  Australia would like to follow the EU down the 'European Directive on Data
  Retention' path. Law enforcement agencies may have the option to request a
  log of all a users of interest telco usage without any review or time

Lawyer sues ex-girlfriend over Google Search results

Lauren Weinstein <>
Thu, 26 Jan 2012 10:24:16 -0800  (FOX via NNSquad)

  But in Matt's case, his "slanderer" isn't so anonymous. In fact, Amanda
  Ryncarz, Matt's former girlfriend, fully admits posting on the site about
  their three-year relationship.  "I posted on," she
  said in a written statement, "because I wanted to warn other women in
  order to protect them from what I suffered."  Couloute is now suing
  Ryncarz for "tortuous interference with prospective business
  relations. It's a case that could determine what people are and are not
  allowed to post on the Web.

Inside China's censorship machine

Lauren Weinstein <>
Sun, 29 Jan 2012 17:18:36 -0800  (Full Comment, via NNSquad)

  China's censorship system is complex and multilayered. The outer layer is
  generally known as the "great firewall" of China, through which hundreds
  of thousands of websites are blocked from view on the Chinese
  Internet. What this system means in practice is that when one goes online
  from an ordinary commercial Internet connection inside China and tries to
  visit a website such as, the website belonging to Human Rights
  Watch, the web browser shows an error message saying, "This page cannot be
  found." This blocking is easily accomplished because the global Internet
  connects to the Chinese Internet through only eight "gateways," which are
  easily "filtered."

Hackers take over Boston Police Department website; message cites handling of Occupy Boston protest

Monty Solomon <>
Sat, 4 Feb 2012 21:13:34 -0500

Risks: Conviction of Card Scam operators. How the Scam worked.

"Len Spyker" <>
Sun, 5 Feb 2012 10:05:51 +0800

Hooray! Two people running a card swipe scam mainly in Perth Australia have
been convicted of a $3.5 million dollar scam. Over 400 people were defrauded.

The expert witness for the DA and the lay jury bravely handled the attempt
by the highly technically savvy defence team to throw doubt on the technical

A small group of Perth gurus, with backgrounds in design of card reader
hardware, software and security, aided the police investigation and provided
support for the DA's team.

This scam was achieved by substituting at fast food drive-throughs, modified
same make handheld terminals that were previously stolen.

Yet, how this substitution could be done without anyone noticing, is
described later on.

The criminals applied a set of clever modifications INSIDE the terminal.
Undetectable from the outside.

These bugged terminals were then handed over to customers, in cars at fast
food drive throughs, throughout the Perth area.

The modified terminals sent the customer's CARD swipe and PIN codes by radio
link to nearby cars staffed by yet uncaught associates.

New cards were created with this information and all the funds sucked out of
many accounts.

Caveat- some of the below is based on off the record rumours :

Security failures:

[1] There was no inside job: Sadly the drive through sites themselves
provided the "Open Sesame" for these baddies quite by accident.

The card terminals that were handed to the car, had the spiral cable
security clamps REMOVED because of the habit of this brand of terminals to
lock up and ONLY by unplugging would the terminal reset.

This fault occurred so often that the under pressure staff worked out a
"solution" and just left the cable's security clamp off!

Terminal Swap out technique:

The crook's car enters the drive through as normal. They order, the staff
hands over an (unclamped) terminal, a normal transaction occurs.

Then the modified terminal is substituted in just a few seconds, and handed

This clean terminal is then modified and taken to a new store.

A nearly perfect Do While loop with one exit case, "If Police" then break.

[2] So why was this swap not detected?

My guess is that there was software in the card host controller which
allowed new or different terminals to be rapidly connected and re-activated
without causing any alarms or requiring a manual log-in.

Many possible reasons: Code flaws, poor testing, misguided directions from a
client?  I do hope this may be made public one day.

Do not treat this as a one off down under crime. This crime is likely to be
part of a worldwide scam.

A smart techno crook has noticed the physically unprotected terminal cable
and worked out how to get rich quick.

Notify the store, police or newspaper in your area if you see an unclamped
cable when you are handed a terminal in a drive through.

If you can unplug it so can the crooks.

Len Spyker Perth Australia.
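The control the post guesses was missing, a host controller that re-activates a "new or different" terminal on a lane with no alarm and no manual log-in, is easy to illustrate from the defender's side. The following is an added example, not code from Len Spyker's post or from any real payment host: a small monitor that replays terminal online/offline events against a table of staff-enrolled serial numbers, treats a same-serial replug as the unplug-to-reset habit described above (counted, so the nuisance can be fixed), and refuses to auto-activate a different serial, quarantining the lane until staff re-enrol it out of band. The event-log format, lane names and serial numbers are all constructed for the illustration.

```python
"""Hypothetical host-side monitor for handheld payment-terminal swaps.

Added example; the event format, lanes and serials are constructed and the
'enrolled' table stands in for whatever manual enrolment a real host uses.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample event log: "time,lane,terminal_serial,event".
# Lane 2's terminal drops off for a few seconds and a different serial
# comes back; lanes 1 and 2 also show ordinary unplug-to-reset replugs.
SAMPLE_EVENTS = """\
10:00:00,lane1,SN-1001,online
10:00:00,lane2,SN-1002,online
10:05:13,lane2,SN-1002,offline
10:05:20,lane2,SN-1002,online
10:07:41,lane2,SN-1002,offline
10:07:49,lane2,SN-7777,online
10:09:00,lane1,SN-1001,offline
10:09:30,lane1,SN-1001,online
"""

# Serials staff enrolled on each lane at installation (constructed).
ENROLLED = {"lane1": "SN-1001", "lane2": "SN-1002"}


@dataclass(frozen=True)
class Alert:
    time: str
    lane: str
    expected: str
    observed: str


def parse_events(text):
    """Parse 'time,lane,serial,event' lines into tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        time, lane, serial, event = line.split(",")
        events.append((time, lane, serial, event))
    return events


def monitor(events, enrolled):
    """Replay events against the enrolled-serial table.

    Returns (alerts, quarantined_lanes, reset_counts):
      * a terminal returning with its enrolled serial is treated as a
        staff reset and only counted, so frequent resets can be chased
        down as the operational root cause;
      * a different serial, or any activation on an already quarantined
        lane, is never auto-activated: it raises an Alert and the lane
        stays quarantined until re-enrolled out of band (not modelled).
    """
    alerts = []
    quarantined = set()
    resets = Counter()
    seen_online = set()
    for time, lane, serial, event in events:
        if event != "online":
            continue
        expected = enrolled.get(lane)
        if expected is None:
            # Nothing enrolled on this lane: refuse and alert.
            alerts.append(Alert(time, lane, "<none>", serial))
            quarantined.add(lane)
        elif serial != expected or lane in quarantined:
            alerts.append(Alert(time, lane, expected, serial))
            quarantined.add(lane)
        elif (lane, serial) in seen_online:
            resets[lane] += 1
        seen_online.add((lane, serial))
    return alerts, quarantined, resets


def run_sample():
    """Run the monitor over the constructed log; used by main() and tests."""
    return monitor(parse_events(SAMPLE_EVENTS), ENROLLED)


if __name__ == "__main__":
    alerts, quarantined, resets = run_sample()
    for a in alerts:
        print(f"ALERT {a.time} {a.lane}: expected {a.expected}, got {a.observed}")
    print("quarantined lanes:", sorted(quarantined))
    print("same-serial resets per lane:", dict(resets))
```

The point of counting the resets separately is that the store staff's workaround (leaving the clamp off) was a response to a real usability fault; a host that only alarms on swaps, and says nothing about the dozens of daily replugs, leaves that root cause invisible.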

Would the US Extradite UK Blogger for Linking to Works in the Public Domain in Other Countries?

Dewayne Hendricks <>
Mon, Feb 6, 2012 at 11:10 AM

  [From Dave Farber's IP distribution.  PGN]

Would The US Extradite UK Blogger For Linking To Works In The Public Domain
In Other Countries?
from the insanity-of-today's-copyright-laws dept

James Firth has an interesting post, talking about some of the more
ridiculous consequences of current US law enforcement interpretation of
copyright law. Looking at the case of Richard O'Dwyer, the computer science
student that the US is getting closer to extraditing to the US to face
criminal copyright infringement charges for merely linking to infringing
works (something that had already been found legal in the UK multiple
times), Firth takes it to its logical ends. He points out that George
Orwell's works, Animal Farm and 1984 have gone into the public domain in
South Africa, Canada or Australia. And thus, there are completely legal
free copies of such works online. But they're only legal in those
countries. In the US and the UK, both remain under the yoke of copyright
thanks to copyright extensions.

This leads to a simple fear. If he merely pointed people to the location of
these completely legal versions of the work, he would now be just as
"guilty" as Richard O'Dwyer under the interpretation of the US Justice
Department. After all, he is using a .com domain (American property,
according to the stretched interpretation of the DOJ) to link to works that
technically infringe in both the UK—where he is—and the US, where the
DOJ has suddenly become the US entertainment industry's private police
force. ...

The Heartbreaking Truth About Online Dating Privacy (EFF)

"EFF Press" <>
Feb 10, 2012 10:30 AM

Electronic Frontier Foundation Media Release
For Immediate Release: Friday, February 10, 2012

The Heartbreaking Truth About Online Dating Privacy
Users Beware: Many Sites Have Serious Security Holes

San Francisco - Millions of people use Internet dating sites to search for
love and connection every day, but it could come at a big cost for their
privacy and security.  The Electronic Frontier Foundation (EFF) has found
that many services are taking shortcuts in safeguarding users' profiles and
other sensitive data.

In "Six Heartbreaking Truths About Online Dating Privacy," EFF identifies
serious security holes and counter-intuitive privacy settings that could
expose daters' private information.  For example, your dating profile –
including your photo – can hang around long after you think you've taken
yourself off the market.  Some sites are also sucking up the vast quantity
of data their users share and selling it to online marketers.  If you aren't
careful, your profile can also be indexed by Google, perhaps popping up in
search results if you have an unusual nickname or other unique ways of
describing yourself.

"Whether you signed up on a lark or maintained an active profile for years,
you may be exposing more information about yourself than you know," said EFF
Activism Director Rainey Reitman.  "There are a number of ways your online
dating profile can be connected to your real identity, exposing things like
religious and political beliefs, drug and alcohol use, and sexual
preferences.  That's why we created this list of the biggest risks, and
included some simple tips for online daters who want to protect themselves."

As part of its campaign to raise awareness about the privacy and security
risks on popular online dating sites, EFF analyzed the security practices of
eight major sites.  Many of the most popular sites, like eHarmony and, don't offer secure access through HTTPS by default, and OkCupid
doesn't provide HTTPS access at all.  That means every OkCupid username,
e-mail, chat session, search, and page viewed are all transmitted in
plaintext instead of in encrypted form.

"OkCupid says it can limit who sees your profile—for example, users who
identify as gay or bisexual may opt out of being seen by straight people,"
said EFF Senior Staff Technologist Seth Schoen.  "But without HTTPS, the
fact that you identify as gay and don't want to be seen by some groups is
sent in plaintext, making it easy for someone with the right skills to
uncover it.  Major sites like Twitter and Facebook have implemented HTTPS
recently to protect their users.  But dating sites like OkCupid are sadly
lagging behind."

Six Heartbreaking Truths About Online Dating Privacy:**2012/02/six-heartbreaking-**

Comparing Privacy and Security Practices on Online Dating

Find out more at

Rainey Reitman
 Activist, Electronic Frontier Foundation,
 +1 415 436-9333 x140

Seth Schoen
 Senior Staff Technologist,  Electronic Frontier Foundation,
 +1 415 436-9333 x107

Over 3 years later, "deleted" Facebook photos are still online

Lauren Weinstein <>
Sun, 5 Feb 2012 16:46:35 -0800


  "Facebook is still working on deleting photos from its servers in a timely
  manner nearly three years after Ars first brought attention to the
  topic. The company admitted on Friday that its older systems for storing
  uploaded content "did not always delete images from content delivery
  networks in a reasonable period of time even though they were immediately
  removed from the site," but said it's currently finishing up a newer
  system that makes the process much quicker. In the meantime, photos that
  users thought they "deleted" from the social network months or even years
  ago remain accessible via direct link."  (ars technica)

Re: deducing causality (RISKS-26.71)

"Richard O'Keefe" <>
Tue, 31 Jan 2012 15:43:39 +1300

In RISKS-26.71, PGN drew our attention to a *WiReD* article by Jonah Lehrer.
I've read that article carefully, and have to say that it has some large
leaps of illogic.  A better title than 'Why Science is Failing Us' would
have been 'Trials and Errors: How Scientific Testing Prevented Millions of
People Being Killed'.  Let me offer a translation for programmers:

(1) Pfizer's scientific understanding of the cholesterol pathways was
    soundly based and their drug design rightly worth exploring.  The
    drug had the immediate effects on that system that they expected it
    to.  A closely related drug with the *same* target (that is, based
    on the same science) looks as though it may work, with less bad.

(2) However, their understanding was *limited*.  As is by now pretty
    well known, *most* drugs have multiple effects in many systems of
    the body.  Pfizer's scientists understood quite well that understanding
    what a drug will do to the cholesterol pathway is NOT the same as
    understanding what it will do in a whole person.

(3) The thing that makes scientific drug development science is TESTING.
    As Risks readers will surely understand, when the test phase said
    "OOPS!", that was NOT science failing, that was science working brilliantly.
    If the *drug* fails the test, that means the *test* did NOT fail.

There are obvious lessons for programmers here.  They are not the lessons
("causality is hallucination", "science is failing us") that Jonah Lehrer
learned.  The lesson is that the real world is always more complicated than
our models of it (otherwise there wouldn't be any point in _having_ models);
that there are always unexpected interactions in complex systems; and that
there is no substitute for testing in the best approximation to the real
world that you can get; and that failed tests count as successes of the
testing process.

It is *better* that Pfizer should lose $21e9 in value on the questionably real
stock market than that millions of people should die from an untested drug.

Anyone who expects (program or drug or bridge or highway or ...) designs to
work without testing and without unexpected consequences must have
slept through the entire 20th century.

Re: Pocket-dialed 911 calls increasingly common (Brader, RISKS-26.71)

Danny Burstein <>
Thu, 26 Jan 2012 22:02:01 -0500 (EST)

Risks-Forum Digest, Volume 26 : Issue 71, had the following (excerpted)

From: (Mark Brader)
Subject: Pocket-dialed 911 calls increasingly common

[snip... regarding "butt dialing" of 911 calls]

Police are now campaigning to ask cellphone users to "lock it before you
pocket", but some smartphones can dial 911 even when the phone is locked.
    - --------

For some value of "smartphones", and for that matter, "dumbphones",
approaching pretty close to 100 percent.

* A likely contributor to this problem is that a hefty percentage of
  cellphones will _also_ accept calls to "112", the GSM international
  standard for emergency calls. (There's another one as well which isn't as
  common, but many phones will accept that one, too.)

  And, per FCC (US) and similar rules in Canada, cell phones, even without a
  service plan, must be allowed to connect to the "911" call receiving
  centers (PSAPs).

  If you take, for example, a T-Mobile (USA) or Rogers (Canada) cellphone
  and remove the SIM card, you can still make calls to "911". And... if you
  punch in "112", the phone will contact the network, which will then handle
it as if you dialed "911".

Given the physical layout of keypads, I'd guess that "112" is probably the
path for a hefty number of these calls.
