The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 85

Monday 28 May 2012


Class 1 Recall: Nicolet, Software Malfunction and Short Circuit
Monty Solomon
Class I Recall: Baxa Software, Potential Dosing Errors
Monty Solomon
NJ Mayor hacks website that advocated his recall
"Why voting machines still suck"
Paul Venezia via Gene Wirchenko
Japanese Satellite Broadcasting scramble protection cracked
"Smartphone users more oblivious to others: study"
Gene Wirchenko
The risk of having to "sell" research
Bob Frankston
Controlling the Internet?
Lauren Weinstein
China's version of Twitter adopts new usage restrictions
Lauren Weinstein
In Malaysia, new Internet laws make you guilty unless proven innocent
Lauren Weinstein
FBI forms a new internet-surveillance unit
Declan McCullagh via Joly MacFie
BBC on Flame virus
Joly MacFie
ID Thieves Loot Tax Checks, Filing Early and Often
Lizette Alvarez via Monty Solomon
Orthodox Rally for a More Kosher Internet
Josh Nathan-Kazis via Monty Solomon
Illuminating dialog with a scammer
Identity withheld by request
"Can an Algorithm Write a Better News Story Than a Human Reporter?"
Gabe Goldberg
Re: Never Trust a Robot, take 2
Jonathan Pritchard
Re: Microsoft Funded Startup Aims to Kill BitTorrent Traffic
Barry Gold
Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone
Dag-Erling Smørgrav
Info on RISKS (comp.risks)

Class 1 Recall: Nicolet, Software Malfunction and Short Circuit

Monty Solomon <>
Mon, 28 May 2012 11:12:54 -0400

CareFusion Cortical Stimulator Control Unit:
Class 1 Recall - Software Malfunction and Short Circuit

Nicolet Cortical Stimulator Control Unit, Nicolet C64 Stimulus Switching
Unit (SSU) Amplifier and NicoletOne Software with Cortical Stimulator License
U.S. Food and Drug Administration [Posted 02/23/2012]

AUDIENCE: Neurology, Risk Managers

ISSUE: CareFusion is recalling Nicolet Cortical Stimulator Control Unit,
Nicolet C64 Stimulus Switching Unit (SSU) Amplifier and NicoletOne Software
with Cortical Stimulator License for two reasons: the device's software
incorrectly indicates stimulation is delivered to a different electrode than
the one selected and a short circuit may develop between the cortical
stimulator control unit and the stimulus switching unit amplifier.  Both of
these issues may result in the surgeon resecting the wrong brain tissue. The
surgeon may also fail to resect pathological tissue, potentially leading to
continued pathologic processes and the need for re-operations. ...

Class I Recall: Baxa Software, Potential Dosing Errors

Monty Solomon <>
Mon, 28 May 2012 11:12:54 -0400

Baxa Corporation Abacus Total Parenteral Nutrition (TPN) Calculation
Software: Class I Recall - Potential Dosing Errors  [PGN-ed]
U.S. Food and Drug Administration [Posted 05/25/2012]

AUDIENCE: Pharmacy, Risk Manager

ISSUE: A number of errors have been reported by Abacus software users as a
result of ordering salt based parenteral nutrition ingredients on an ion
based ordering template. Abacus TPN Calculation Software is designed and
intended to allow the ordering of electrolytes in only one of two ways: as a
salt (such as calcium gluconate 10%) or as an elemental ion (such as
calcium). However, if a dosage is entered into the system based on one
method, when the template is configured for the other method, a dosing error
can occur.

The problem associated with mix-ups related to salt-based or ion-based
ordering of electrolytes is not exclusive to calcium gluconate. ...

The Abacus TPN Calculation Software was manufactured and distributed from
August 7, 2006 through April 15, 2009.  Affected catalog numbers include:

  8300-0045: Abacus Calculator Only (Abacus CE)
  8300-0046: Abacus Single Work Station (Abacus SE)
  8300-0047: Abacus Multi-Work Station (Abacus ME)

NJ Mayor hacks website that advocated his recall

"Peter G. Neumann" <>
Sat, 26 May 2012 10:18:23 PDT

The mayor of a small town in New Jersey managed to take down a website
that openly advocated his removal from office by recall.  He did not exactly
hack the web site, but he managed to hijack the e-mail account associated
with the domain of the website, and then used it to cancel the registration
for the domain, thereby causing the site to go dark.

  [Thanks to David Jefferson for spotting this one.  PGN]

"Why voting machines still suck" (Paul Venezia)

Gene Wirchenko <>
Thu, 17 May 2012 08:41:41 -0700

Paul Venezia, *InfoWorld*, 14 May 2012

Significant government funds go into snooping on citizens and outrageously
sophisticated weaponry. How about a little scratch for the basic instrument
of democracy?

This article has a good summary of the situation and links to several
related articles.

Japanese Satellite Broadcasting scramble protection cracked

ishikawa <>
Thu, 17 May 2012 12:45:34 +0900

It has been widely reported in many blogs in Japan that a widely used
scramble protection system for satellite broadcasting (and for that matter
some ground-based broadcasting) in Japan called B-CAS (BS Conditional Access
System) has been compromised.

Basically, satellite broadcasting relies on an IC card supplied by B-CAS
Company Limited to handle the management of subscriptions and their duration
(and presumably key handling for descrambling).  In Japan, TV tuners on the
market have a card slot where the card is inserted.

Now, there were earlier reports this year of a so-called "black" B-CAS card
that seemed to enable the viewing of all such paid channels, which
initially seemed to be a hoax, but then turned out to be true(!). The card
was imported from Taiwan (or China).

Based on the knowledge that someone outside Japan cracked the basic
protection mechanism, the hacking community in Japan and elsewhere seems to
have been busy cracking the card, and apparently it has been successful.

It seems that some IC cards in selected lots had not had the key management
file locked, thus allowing unauthorized modification.

And finding the PIN (8 bytes) was done by brute force, but for some types of
chips used in the B-CAS cards it was easy.  (Obviously, B-CAS cards are built
using different chips in different lots.)

The password checking is performed by plain-text comparison using memcmp(),
and thus immediately returns failure when a mismatch occurs. Thus it was
vulnerable to timing analysis. If you get the first byte of the 8-byte PIN
correct, then your NG is returned somewhat later. [These contact ICs' clocks
are often in the 1-10 MHz range, and thus you can tell.]  So you know that
you have now obtained the first byte. And then you can find the correct 2nd
byte of the PIN when your NG result is returned somewhat later than in the
other cases, etc.  (I think the cracker who found this has already
disassembled the code inside the chip AFTER he/she (?) figured out the PIN
and found ways to dump the code inside the chip.)

All in all, the news seems to have spread widely. I have heard it from a
friend of mine via e-mail early this week. And by that time, most of the
major chip types used in the B-CAS IC card seem to have been cracked.

Worse, for one type of chip, it seems that the programmers can access the
internal program cleverly and thus disassemble the internal routine, thus
finding the encryption algorithm used inside, which was never published
before.  With this knowledge, there are people who are talking of creating a
soft-BCAS routine that can later decode off-line the scrambled data recorded
from satellite broadcasts without the IC card at all.

Initially, only a few types of the chips used were reported to be
vulnerable, and people who heard the early news seem to have gone out and
bought tuner units with the vulnerable B-CAS IC card with the particular
chip types: so there was an unusual surge of sales of these otherwise
slow-selling tuners in the stores in Tokyo last weekend.

There has been severe criticism of the adoption of this B-CAS card: even
the ordinary non-paying TV broadcast has to go through this scrambling today
and thus the B-CAS card is in EVERY tuner. (This may have been one reason
for the demise. The cards are available in the market aplenty. If you buy a
new one and retire the old one, engineering types keep at least this IC
card from the old unit for keeps. Thus crackers have had no qualms about
invalidating such cards by mis-programming during trial and error.)

Strangely or understandably, TV news programs are silent for now.  I think
B-CAS company and the satellite broadcasting channels have to come up with a
clear road map before making an announcement. Then there will be a big TV
news, I suppose.

On the other hand, there may not be. My friends say there are not so many
interesting TV programs on the paid channels. And people who go out and
modify their B-CAS cards in this manner will be in the minority.

However, the operator of the paid channels cannot sit idle and must have
been pushing B-CAS company to do something in the last few days.

Stay tuned :-)
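As an added illustration for readers of the post above (this is not code from the post, from B-CAS, or from any card firmware, whose internals are not shown here), the following C models the early-exit memcmp()-style PIN check the post describes beside a constant-time check, and counts how many bytes each one examines before answering. The PIN and guess values are constructed samples; the byte count stands in for the response time that a card leaks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 8

/* Constructed sample values; a real card's PIN is secret. */
const uint8_t STORED_PIN[PIN_LEN]        = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
const uint8_t GUESS_WRONG_FIRST[PIN_LEN] = {0x00, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
const uint8_t GUESS_THREE_RIGHT[PIN_LEN] = {0x12, 0x34, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00};
const uint8_t GUESS_CORRECT[PIN_LEN]     = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};

/* Early-exit check, modelling the memcmp() pattern the post describes.
 * Returns 1 on match, 0 otherwise, and reports how many bytes it looked at.
 * The byte count is proportional to the work done, and so to the time the
 * card takes to answer NG: a longer correct prefix means a later answer. */
int pin_check_early_exit(const uint8_t *stored, const uint8_t *guess, size_t *examined)
{
    for (size_t i = 0; i < PIN_LEN; i++) {
        if (stored[i] != guess[i]) {
            *examined = i + 1;   /* stopped at the first mismatch */
            return 0;
        }
    }
    *examined = PIN_LEN;
    return 1;
}

/* Constant-time check: ORs the XOR of every byte into an accumulator and only
 * then decides, so the work (and the timing) is the same for every guess.
 * A production version must also confirm the compiler did not reintroduce
 * a data-dependent branch (inspect the generated code or use volatile). */
int pin_check_constant_time(const uint8_t *stored, const uint8_t *guess, size_t *examined)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(stored[i] ^ guess[i]);
    *examined = PIN_LEN;
    /* Branch-free collapse of diff to 1 (match) or 0 (mismatch): for any
     * nonzero 8-bit x, x | (-x mod 256) has bit 7 set. */
    return 1 ^ (int)((unsigned)(diff | (uint8_t)(0u - diff)) >> 7);
}

/* Convenience wrappers so the leak is visible as a number. */
size_t bytes_examined_early_exit(const uint8_t *guess)
{
    size_t n;
    pin_check_early_exit(STORED_PIN, guess, &n);
    return n;
}

size_t bytes_examined_constant_time(const uint8_t *guess)
{
    size_t n;
    pin_check_constant_time(STORED_PIN, guess, &n);
    return n;
}

int match_constant_time(const uint8_t *guess)
{
    size_t n;
    return pin_check_constant_time(STORED_PIN, guess, &n);
}

int main(void)
{
    const uint8_t *guesses[] = {GUESS_WRONG_FIRST, GUESS_THREE_RIGHT, GUESS_CORRECT};
    const char *names[] = {"wrong first byte", "three bytes right", "correct"};
    printf("%-18s %-12s %-12s\n", "guess", "early-exit", "constant");
    for (size_t g = 0; g < 3; g++)
        printf("%-18s %-12zu %-12zu\n", names[g],
               bytes_examined_early_exit(guesses[g]),
               bytes_examined_constant_time(guesses[g]));
    return 0;
}
```

The early-exit column grows with the length of the correct prefix, which is exactly the signal the post says the card's NG timing gave away; the constant-time column is flat.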

"Smartphone users more oblivious to others: study"

Gene Wirchenko <>
Wed, 16 May 2012 14:56:15 -0700

"The Daily News", Kamloops, British Columbia, Canada; May 12, 2012; p. B3:

Users of smartphones, such as iPhones and BlackBerrys, have a different
sense of privacy and of the appropriateness of public cellphone usage
compared to users of more traditional mobile devices, a study shows.

Researchers from Tel Aviv University drew this conclusion after studying the
attitudes of about 150 people in Israel.

Eran Toch, from the school's department of industrial engineering, said in
a statement that smartphone users tend to have an illusion of being in a
"privacy bubble" when using their devices in public.

The research found that people with smartphones were 70 per cent more likely
than those with less advanced cellphones to think their devices gave them a
fair degree of privacy when using them in public.

Smartphone users were also 20 per cent less likely to think talking on their
devices in public bothered other people, and 50 per cent less inclined to be
annoyed by other people using their phones, the study found.

The risk of having to "sell" research

"Bob Frankston" <>
Thu, 17 May 2012 17:05:25 -0400

I have no issue with the research reported below itself but the statement,
"A typical data network consists of an array of nodes—which could be
routers on the Internet ...", implies they are talking about information in
the everyday sense as in the content of web pages. But that's an entirely
different sense of the term and doesn't have a simple mapping into Shannon's
abstract measure.

While I understand the need to make research appear relevant, we must be
wary of, and even critical of, researchers who may do meticulous research
and then ignore the difference between their technical use of the terms and
the common use. Such reports often become the basis for public policy, as
when channel limits are used to justify claims of "spectrum scarcity".

Controlling the Internet? (via NNSquad)

Lauren Weinstein <>
Mon, 28 May 2012 09:26:03 -0700

UN/ITU Internet Control (and an EU Web Cookie Insanity update!)  (This message on Google+)

House to examine plan for United Nations to regulate the Internet  (The Hill)

  "House lawmakers will consider an international proposal next week to give
  the United Nations more control over the Internet. The proposal is backed
  by China, Russia, Brazil, India and other UN members, and would give the
  UN's International Telecommunication Union (ITU) more control over the
  governance of the Internet."

If the UN/ITU actually did manage to get their clutches on the Internet, the
resulting blowback in terms of network fragmentation would be
immense. Unfortunately, ICANN's continuing shenanigans pretty much guarantee
network fragmentation as well. We need a purpose-built *third way*.

On the EU Web Cookie Insanity (WCI) front, reports are (and a quick test
seems to confirm for the moment) that the BBC for now appears to have pulled
down their wacky, looping cookie warning/control banners.

The British Telecom community donations site, however, continues to
intercept with a full page of cookie gobbledegook, which users who already
block cookies *cannot click past*.

As the old song goes, "Quick, send in the clowns—Don't bother, they're

Lauren Weinstein (
People For Internet Responsibility:
Data Wisdom Explorers League:
Network Neutrality Squad:
Global Coalition for Transparent Internet Performance:
Lauren's Blog:
Tel: +1 (818) 225-2800 / Skype:

China's version of Twitter adopts new usage restrictions

Lauren Weinstein <>
Sun, 27 May 2012 17:09:50 -0700

  "China's biggest microblogging service has introduced a code of conduct
  explicitly restricting the type of messages that can be posted."  (BBC via NNSquad)

In Malaysia, new Internet laws make you guilty unless proven innocent

Lauren Weinstein <>
Sun, 27 May 2012 12:48:52 -0700  (The Star via NNSquad)

  PETALING JAYA: The amendment to the Evidence Act transfers the burden of
  proof to the accused, which is contrary to the principle of justice, said
  lawyers and Internet users.  "At any trial, whether criminal or civil
  cases, it is up to the prosecutor to prove guilt beyond reasonable
  doubt. Now the burden will be shifted to the accused to disprove (the
  allegation against them)," said human rights lawyer Edmund Bon.  He added:
  "All around the world where there is Internet any reasonable person would
  be against the posting of hate messages.  But whether the Government
  should step in and take such control is another matter."

FBI forms a new internet-surveillance unit

Joly MacFie <>
Sat, May 26, 2012 at 8:57 AM

  [By Declan McCullagh, via Dave Farber's IP]

The FBI has recently formed a secretive surveillance unit with an ambitious
goal: to invent technology that will let police more readily eavesdrop on
Internet and wireless communications.

The establishment of the Quantico, Va.-based unit, which is also staffed by
agents from the U.S. Marshals Service and the Drug Enforcement Agency, is a
response to technological developments that FBI officials believe outpace
law enforcement's ability to listen in on private communications.

While the FBI has been tight-lipped about the creation of its Domestic
Communications Assistance Center, or DCAC—it declined to respond to
requests made two days ago about who's running it, for instance—CNET has
pieced together information about its operations through interviews and a
review of internal government documents.

DCAC's mandate is broad, covering everything from trying to intercept and
decode Skype conversations to building custom wiretap hardware or analyzing
the gigabytes of data that a wireless provider or social network might turn
over in response to a court order. It's also designed to serve as a kind of
surveillance help desk for state, local, and other federal police.

The center represents the technological component of the bureau's "Going
Dark" Internet wiretapping push, which was allocated $54 million by a Senate
committee last month. The legal component is no less important: as CNET
reported on May 4, the FBI wants Internet companies not to oppose a proposed
law that would require social-networks and providers of VoIP, instant
messaging, and Web e-mail to build in backdoors for government surveillance.

During an appearance last year on Capitol Hill, then-FBI general counsel
Valerie Caproni referred in passing, without elaboration, to "individually
tailored" surveillance solutions and "very sophisticated criminals." Caproni
said that new laws targeting social networks and voice over Internet
Protocol conversations were required because "individually tailored
solutions have to be the exception and not the rule."

Joly MacFie 218 565 9365 VP(Admin), ISOC-NY - Skype:punkcast
WWWhatsup NYC - -

BBC on Flame virus (via Dave Farber's IP)

Joly MacFie <>
Mon, May 28, 2012 at 12:22 PM

This new threat appears not to cause physical damage, but to collect huge
amounts of sensitive information, said Kaspersky's chief malware expert
Vitaly Kamluk.  "Once a system is infected, Flame begins a complex set of
operations, including sniffing the network traffic, taking screenshots,
recording audio conversations, intercepting the keyboard, and so on."  More
than 600 specific targets were hit, ranging from individuals, businesses,
academic institutions and government systems.

Iran's National Computer Emergency Response Team posted a security alert
stating that it believed Flame was responsible for "recent incidents of mass
data loss" in the country.

The malware code itself is 20MB in size - making it some 20 times larger
than the Stuxnet virus. The researchers said it could take several years to
analyse.  Kamluk: size and sophistication of Flame suggested it was not the
work of independent cybercriminals, and more likely to be government-backed.

This is an extremely advanced attack. It is more like a toolkit for
compiling different code based weapons than a single tool. It can steal
everything from the keys you are pressing to what is on your screen to what
is being said near the machine.  It also has some very unusual data stealing
features including reaching out to any Bluetooth enabled device nearby to
see what it can steal.

Just like Stuxnet, this malware can spread by USB stick, i.e. it doesn't
need to be connected to a network, although it has that capability as well.
This wasn't written by some spotty teenager in his/her bedroom. It is large,
complicated and dedicated to stealing data whilst remaining hidden for a
long time.  [PGN-ed]

Joly MacFie 218 565 9365 VP(Admin), ISOC-NY - Skype:punkcast
WWWhatsup NYC - -

  [George Ledin comments that Flame is heating up.  PGN]

ID Thieves Loot Tax Checks, Filing Early and Often (Lizette Alvarez)

Monty Solomon <>
Sat, 26 May 2012 16:31:06 -0400

Lizette Alvarez, *The New York Times*, 26 May 2012

MIAMI - Besieged by identity theft, Florida now faces a fast-spreading form
of fraud so simple and lucrative that some violent criminals have traded
their guns for laptops. And the target is the United States Treasury.

With nothing more than ledgers of stolen identity information - Social
Security numbers and their corresponding birth dates and names - criminals
have electronically filed thousands of false tax returns with made-up
incomes and have received hundreds of millions of dollars in wrongful
refunds, law enforcement officials say.

The criminals, some of them former drug dealers, outwit the Internal Revenue
Service by filing a return before the legitimate taxpayer files. Then the
criminals receive the refund in a convenient but hard-to-trace prepaid debit
card, typically sent to them by a bank or a tax software company, which
downloads the amount approved by the IRS. The swindlers often provide
addresses for vacant houses, even buying mailboxes for them, and then
collect the refunds there.

Postal workers have been harassed, robbed and, in one case, murdered as they
have made their rounds with mail trucks full of debit cards and master keys
to mailboxes.

The fraud, which has spread around the country, is costing taxpayers
hundreds of millions of dollars annually, federal and state officials
say. The IRS sometimes, in effect, pays two refunds instead of one: first
to the criminal who gets a claim approved, and then a second to the
legitimate taxpayer, who might have to wait as long as a year while the
agency verifies the second claim. ...

Orthodox Rally for a More Kosher Internet (Josh Nathan-Kazis)

Monty Solomon <>
Wed, 16 May 2012 17:46:41 -0400

Use Twitter and Facebook While Condemning Danger of Web
Josh Nathan-Kazis, *Forward*, 14 May 2012, issue of May 18, 2012.

An upcoming ultra-Orthodox mega-rally in New York about the dangers posed by
the Internet has a promotional Twitter account.

The event's box office has an e-mail address. Speeches will be live
streamed. And one of the event's organizers owns a Web marketing company
specializing in search engine optimization.

This isn't your average anti-Internet demonstration.

After years of oft-flouted rabbinic bans on Internet use, a group of both
Hasidic and non-Hasidic rabbis is pushing a new approach that will be
unveiled at the Mets' CitiField on May 20. Organizers project an attendance
of some 40,000 Orthodox Jewish men; women were not invited.

Without letting up on their severe condemnation of technology and the
Internet, the rabbis behind the CitiField event are accepting the Web's
inevitability while instructing their followers to use Internet-filtering
technology. ...

Illuminating dialog with a scammer

<[Identity withheld by request]>
Wed, 23 May 2012 00:11:22 -WXYZ

Today I got to see first-hand how one class of computer scammers work.

I answered the phone and said "Hello", but there was a silence, and then
someone with a subcontinental accent comes on and says "Hello".  So it
sounds like they are using a predictive dialer and came on too late to hear
me answer the phone.  After a few moments the caller realizes this and
starts with the pitch:

"We are calling from the Computer Department.  Your Microsoft Windows
Computer has been sending us many error messages due to viruses and
malicious files on your computer.  You have not responded to the error
messages we sent you so we are calling you about this problem."

The caller went into a long pitch about how malicious files were even worse
than viruses.  They wanted to convince me that my Windows computer had a
problem, so they told me to sit down in front of the computer.  The caller
then asked me to locate the Windows key on my keyboard, and to press Windows
- R, then type in "EVENTVWR".  I figured this meant they wanted to run the
Windows Event Viewer, so I told them OMG, there are many scary messages
here!  The caller explained that these messages were indications of the
"malicious files" that they were warning me about.

Once the caller was satisfied that I had bought into their scenario that my
computer was "dangerously corrupted", they moved into the payload phase -
they asked me to press Windows - R, then type in "".  This
brought me to, a remote login service.  They tried to walk
me through downloading the remote control console software.  At this point I
tired of the game and told them the program wouldn't run.  They then asked
me about "how do you get to your e-mail", but before I could finish giving
them an e-mail address they hung up.

I reported the scammers to  Apparently they offer free
trial accounts, so the scammers don't have to pay for the remote access to
their victims' computers.  This seems to have been going on for a while: a
web search for " scam" shows many reports going back at least to

Here's a recording of one scam session that was using the same script
I was called with:

From the point of view of a technical person, the entire come-on was
laughably lame, but they're still in business after years of operation --
the joke is on us.

"Can an Algorithm Write a Better News Story Than a Human Reporter?"

Gabe Goldberg <>
Sat, 26 May 2012 11:14:44 -0400

"Can an Algorithm Write a Better News Story Than a Human Reporter?"

Had Narrative Science—a company that trains computers to write news
stories—created this piece, it probably would not mention that the
company's Chicago headquarters lie only a long baseball toss from the
Tribune newspaper building. Nor would it dwell on the fact that this
potentially job-killing technology was incubated in part at
Northwestern's Medill School of Journalism, Media, Integrated Marketing
Communications. Those ironies are obvious to a human. But not to a computer.

Re: Never Trust a Robot, take 2 (RISKS-26.83)

"Jonathan Pritchard" <>
Thu, 17 May 2012 11:21:13 +0100

As an occasional reader of RISKS this one caught my eye. Electronic systems
for navigation and chart display on commercial ships have well established
mechanisms for filtering displays specifically to reduce "clutter" but the
anti-grounding functions on all of them are mandated to alarm even when data
is not being displayed on screen. This is seen as one of the major benefits
of electronic chart display systems in that the person using them can be
alerted to potential dangers without having to display all categories of
chart objects all the time. There are also many many guidelines for how
over-reliance can be countered through manual inspection of routes prior to
departure. This is very different to car navigation where a "good" display
is synonymous with "complete" - i.e. all features - the point being the sea
doesn't have roads and the fundamental dynamics are different...

Jonathan Pritchard, Product Research and Development, United Kingdom
Hydrographic Office, Admiralty Way, TAUNTON, Somerset TA1 2DN
+44 (0)1823 337900 Ext 4006

Re: Microsoft Funded Startup Aims to Kill BitTorrent Traffic

Barry Gold <>
Wed, 16 May 2012 15:06:55 -0700
  (Hendricks, RISKS-26.84)

> Billions in revenue are lost each year, they claim. But not for long if the
> Russian based startup Pirate Pay has its way. ...

I had to look again to check the date.  Then I noticed it was Pirate *P*ay,
not Pirate *B*ay.

Even so... do these people think that there will be no response?  The
Internet does what with censorship?

Oh well, if they're willing to invest the $$ to keep changing their methods
of attack as the underlying BitTorrent software changes to adapt, they may
be able to slow (not stop) the flow of pirated content—over BitTorrent.
Leaving... YouTube and various file-sharing sites and a gazillion

A new business model is needed.  Until MPAA & RIAA come up with that, they
will be fighting a permanent losing battle.

Anyway, assuming it's serious.

Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (RISKS-26.83)

Dag-Erling Smørgrav <>
Thu, 17 May 2012 19:24:46 +0200

Geoff Kuenning <> writes:
> If they have a friend nearby during those ten seconds, is it also wiped
> from the friend's mind?

This reminds me of the following video, which is currently making the rounds
on the intertubes:

Dag-Erling Smørgrav -
