The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 94

Tuesday 24 July 2012

Contents

Who Really Invented the Internet?
PGN
Denials of Service spam attacks commercially available
PGN
"How to avoid an Elections-Ontario-style data-breach fiasco"
Christine Wong via Gene Wirchenko
Re: Washington State wants to register voters via Facebook
JC Cantrell
The car in the future is connected - I hope not..
Peter Houppermans
Navy radio might be crippling Connecticut garage doors
Russ Furze
Searching for Clues to Calamity
Fred Guterl via Monty Solomon
Olympics security poster 'gibberish' to Arabic speakers
Chris J Brady
Google ordered to censor 'torrent', 'megaupload' and more words
Lauren Weinstein
Patient information may have been breached after laptop stolen at Beth Israel Deaconess
Kay Lazar via Monty Solomon
Apple removes security app from the App Store
Mark Thorson
"Mobile and Web security will be major topics at Black Hat"
Lucian Constantin via Gene Wirchenko
Oops! Vivus awaits weight-loss drug approval, even as story breaks
Ron Leuty via Monty Solomon
PGN
Re: In the UK, encryption implies potential guilt?
Jonathan Thornburg
Chris Drewe
Re: Accidents due to confusion of units of measurement
Mark Brader
Re: Apple wins patent for transparent scroll bar
Richard O'Keefe
Re: You can have security or privacy. Pick one
Anthony Thorn
Info on RISKS (comp.risks)

Who Really Invented the Internet?

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 23 Jul 2012 11:47:28 PDT

In a really egregious piece of so-called journalism relating to the
Internet, L. Gordon Crovitz has written item in the *Wall Street Journal*,
23 Jul 2012, with the above Subject line:

  It's an urban legend that the government launched the Internet. The myth
  is that the Pentagon created the Internet to keep its communications lines
  up even in a nuclear strike. The truth is a more interesting story about
  how innovation happens—and about how hard it is to build successful
  technology companies even once the government gets out of the way.

http://online.wsj.com/article/SB10000872396390444464304577539063008406518.html?mod=WSJ_article_comments#articleTabs%article


Crovitz's thesis seems to imply that U.S. Government funding did not have a
major role in development network technology, with a perhaps not-so-hidden
agenda that government funding is an undesirable interference in private
enterprise?

His article has led to a huge flurry of corrective items on the Web,
pointing out numerous misstatements.  To make a long story short, Crovitz
seems to confuse The Internet with internetting and networking, confuse
internetting with the ethernet, and somehow miss the fact that Vint Cerf and
Bob Kahn were first funded by and then worked for ARPA!  Hawaii's AlohaNet
(Frank Kuo and Norm Abramson) preceded ethernet, also government funded.
SRI's packet-switched radio experiment is generally credited as being the
first real "internetworking" demonstration, linking 3 different networks
(also government funded), and recently celebrated at the Computer History
Museum.  Without those impeti or impetuses, might we still have only circuit
switching and even analog telephony?  (By the way, ARPA also contributed
considerably to the pioneering Multics development.)

Joseph Lorenzo Hall noted in Dave Farber's IP distribution that
*ArsTechnica's* Timothy Berners Lee penned a superb rejoinder:
WSJ mangles history to argue government didn't launch the Internet
http://arstechnica.com/tech-policy/2012/07/wsj-mangles-history-to-argue-government-didnt-launch-the-internet/

Also, see the *Scientific American*: Yes, Government Researchers Really Did
Invent the Internet:

  But perhaps the most damning rebuttal comes from Michael Hiltzik, the
  author of "Dealers of Lightning," a history of Xerox PARC that Crovitz
  uses as his main source for material. "While I'm gratified in a sense that
  he cites my book," writes Hiltzik, "it's my duty to point out that he's
  wrong. My book bolsters, not contradicts, the argument that the Internet
  had its roots in the ARPANet, a government project."
  http://j.mp/NQtACW  (Scientific American)

Lauren Weinstein commented in his Network Neutrality Squad, Privacy Forum,
and People for Internet Responsibility,

  “This Wall Street Journal "opinion piece" really mucked up big time.  And
  the sense of some associated political motivation is difficult to ignore.
  The fact is, without ARPA/IPTO, there would not be an Internet as we know
  it today.  Period.  Other networks would have very likely developed of
  course, probably along the lines of various pay-per-packet, walled garden
  modalities that the dominant ISPs seem hell-bent at deploying today—but
  not the end-to-end ARPANET/Internet model that has been so very crucial to
  the spread and wide availability of these technologies.


Denials of Service spam attacks commercially available

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 20 Jul 2012 9:37:10 PDT

Security expert Brian Krebs was the target of a malicious e-mail flood.
Such attacks are widespread, and can used to mask all sorts of computer
crimes.  Various plans are offered beginning at $25 for 25,000 e-mails.

[Cory Doctorow, Commercial Spamflooding used by crooks to tie up their
victims at key moments, BoingBoing, 19 Jul 2012; PGN-ed]
http://boingboing.net/2012/07/19/commercial-spamflooding-used-b.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  [Proponents of voting over the Internet from hardwired or wireless devices
  tend to ignore such vulnerabilities, along with many others.  PGN]


"How to avoid an Elections-Ontario-style data-breach fiasco"

Gene Wirchenko <genew@ocis.net>
Fri, 20 Jul 2012 10:35:18 -0700
  (Christine Wong)

Christine Wong, Think it's too expensive and time consuming to embed
'privacy by design' into your SMB? A security expert and an SMB who've done
it tell us how it can be accomplished. *IT Business*, 19 Jul 2012
http://www.itbusiness.ca/it/client/en/home/News.asp?id=68311


Re: Washington State wants to register voters via Facebook (R-26.93)

JC Cantrell <jccant@pacbell.net>
Mon, 23 Jul 2012 08:25:02 -0700 (PDT)

> [An obvious next step might be legislation requiring would-be voters to
> cast their votes on Facebook or other social networking media.  That would
> clearly solve all our concerns for security, integrity, equal access, and
> privacy? PGN]

Not only that, but this might help solve the chronic problem here in the USA
of getting the registered voters to actually vote! We might even get over
100% of the population to vote. Reminds me of my time living in Chicago ...


The car in the future is connected - I hope not..

Peter Houppermans <peter@houppermans.com>
Mon, 23 Jul 2012 12:33:31 +0200

Oh, they soooo much want this..

A BBC article refers to a bright and wonderful future where cars communicate
and thus save fuel and are safer.
(http://www.bbc.com/future/story/20120719-road-opens-for-connected-cars/1)

Security in this context warrants one paragraph, but the article concludes
that the rise of the Apps on mobiles should be an indication that an absence
of security is not likely to be a hindrance to adoption.

Thus, they gloss over a tiny, yet important detail: a breach in this kind of
information exchange can get you killed. That's why cars have to be
type-certified before they are allowed on the road.

The astute reader will also observe a full and complete absence of any
reference to the privacy implications of such an enthusiastic data exchange.
The simplest example is "If <all registered inhabitants> are not <at
location> then ransack <location>"..

As I have said before in this context, not so fast..


Navy radio might be crippling Connecticut garage doors

Russ Furze <rfurze@elpaseobank.com>
Tue, 24 Jul 2012 11:32:58 -0700

  [The subject line says it all.  Apparently, signals from the Groton
  submarine base are blocking garage door openers in southeastern
  Connecticut—on the same frequency.  For more recent RISKS readers, this
  is a new manifestation of an old story.  Previous cases noted here include
  garage doors opening and closing as Sputnik transited overhead, and
  President Reagan's Air Force One interfering as well.  PGN]

http://news.yahoo.com/navy-radio-might-crippling-conn-garage-doors-183220009.html?_esi=1

Russ Furze, CISSP, Senior Vice President, Chief Information Officer
Frontier Bank FSB, dba El Paseo Bank  760.834.3116


Searching for Clues to Calamity (Fred Guterl)

Monty Solomon <monty@roscom.com>
Sat, 21 Jul 2012 15:26:07 -0400

Fred Guterl, *The New York Times*, 20 Jul 2012

So far 2012 is on pace to be the hottest year on record. But does this mean
that we've reached a threshold - a tipping point that signals a climate
disaster?

For those warning of global warming, it would be tempting to say so.  The
problem is, no one knows if there is a point at which a climate system
shifts abruptly. But some scientists are now bringing mathematical rigor to
the tipping-point argument. Their findings give us fresh cause to worry that
sudden changes are in our future.

One of them is Marten Scheffer, a biologist at Wageningen University in the
Netherlands, who grew up swimming in clear lowland ponds. In the 1980s, many
of these ponds turned turbid. The plants would die, algae would cover the
surface, and only bottom-feeding fish remained.  The cause - fertilizer
runoff from nearby farms - was well known, but even after you stopped the
runoff, replanted the lilies and restocked the trout, the ponds would stay
dark and scummy.

Mr. Scheffer solved this problem with a key insight: the ponds behaved
according to a branch of mathematics called "dynamical systems," which deals
with sudden changes. Once you reach a tipping point, it's very difficult to
return things to how they used to be.  It's easy to roll a boulder off a
cliff, for instance, but much harder to roll it back. Once the ponds turned
turbid, it wasn't enough to just replant and restock. You had get them back
to their original, clear state. ...

http://www.nytimes.com/2012/07/21/opinion/the-climate-change-tipping-point.html


Olympics security poster 'gibberish' to Arabic speakers

Chris J Brady <chrisjbrady@yahoo.com>
Fri, 20 Jul 2012 02:20:31 -0700 (PDT)

A UK train company has been criticised for producing an Olympics 2012
security poster which reads as "gibberish" in Arabic.  First Capital Connect
sent posters to 13 stations printed in English and seven other languages.
But the Council for Arab-British Understanding called the Arabic lettering
"ridiculous" and unreadable since the characters are not joined up and are
back to front.  http://www.bbc.co.uk/news/uk-england-london-18911599

The posters, which are supposed to warn people not to leave items
unattended, have been displayed in stations including Blackfriars, King's
Cross, City Thameslink, Farringdon, St Pancras International, Luton and
Stevenage.  The lame excuse was "... our supplier substituted one font for
another so that the wrong alphabet was used for the Arabic message,
rendering it meaningless."  The risk? Perhaps proof-reading by a native
speaker would have been an idea.


Google ordered to censor 'torrent', 'megaupload' and more words

Lauren Weinstein <lauren@vortex.com>
Thu, 19 Jul 2012 17:50:30 -0700

  "The French Supreme Court has ruled that Google should censor the words
  'torrent', 'rapidshare' and 'megaupload' from its Instant and Autocomplete
  search services."  http://j.mp/OKRA66 (*The Register*, via NNSquad)

Here's another word: Ridiculous.


Patient information may have been breached after laptop stolen at

Monty Solomon <monty@roscom.com>
Mon, 23 Jul 2012 10:59:53 -0400
  Beth Israel Deaconess (Kay Lazar)

Kay Lazar, *The Boston Globe*, 20 Jul 2012

Approximately 3,900 Beth Israel Deaconess Medical Center patients will be
getting letters alerting them that some of their personal health information
may have been breached after a physican's personal laptop computer was
stolen from a hospital office.  The theft occurred on 22 May 2012, and the
stolen laptop, which contained a tracking device, has not been recovered.
Police were notified and a suspect has been arrested in the case, the
officials said.

The hospital hired a national forensic firm to investigate if data were
compromised, and it has found no indication that any information has been
misused, according to the hospital. ...

http://www.boston.com/whitecoatnotes/2012/07/20/patient-information-may-have-been-breached-after-laptop-stolen-beth-israel-deaconess/tgOtdeQBL2QP9JgzsjVn4J/story.html


Apple removes security app from the App Store

Mark Thorson <eee@sonic.net>
Sun, 22 Jul 2012 19:56:48 -0700

After two months of availability, Apple has removed a third-party iPhone app
from the App Store that informs users about the data being collected by
other apps.
  http://www.securityweek.com/apple-yanks-privacy-app-app-store

Interesting statistics collected by the app are:

* 42.5 percent of apps do not encrypt users' personal data, even when
  accessed via public Wi-Fi.

* 41.4 percent of apps were shown to track a user's location unbeknownst to
  them.

Almost one in five of the apps analyzed can access a user's entire Address
Book, with some even sending user information to the cloud without
notification.


"Mobile and Web security will be major topics at Black Hat"

Gene Wirchenko <genew@ocis.net>
Mon, 23 Jul 2012 09:28:19 -0700
  (Lucian Constantin)

The article names some of the risks that will be presented.

Lucian Constantin, *IT Business*, 20 Jul 2012
Mobile and Web security will be major topics at Black Hat
Security researchers will disclose new vulnerabilities affecting
mobile and Web technologies at security conference
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68327


Oops! Vivus awaits weight-loss drug approval, even as story breaks

Monty Solomon <monty@roscom.com>
Fri, 20 Jul 2012 11:10:32 -0400
  (Ron Leuty)

Ron Leuty, An OK by any other name: Oops! Vivus awaits weight-loss drug
approval, even as story breaks; *San Francisco Business Times*, 17 Jul 2012

Nothing stands in the way of a good FDA drug approval story—except, of
course, when the drug isn't yet approved.

*USA Today* ran a story online Tuesday about Mountain View-based Vivus
Inc. winning approval of its weight-loss drug, Qnexa.  The story had new
details about the drug—like a new name (Qsymia) and when the drug would
be available to consumers (later this year)—as well as quotes attributed
to President Peter Tam and a photo of Qsymia pills and bottles.

Great news, right? After all, the FDA was expected to rule on the drug
Tuesday. Except the FDA has not—at least, not yet—approved Vivus'
drug.

http://www.bizjournals.com/sanfrancisco/blog/biotech/2012/07/vivus-arena-qne=
xa-belviq-weight-loss-fda.html


Re: Vivus awaits weight-loss drug approval, even as story breaks

Peter G Neumann <risko@csl.sri.com>
Sat, 21 Jul 2012 20:56:28 PDT

My favorite instance of this problem was back in the Multics days, when we
(Bell Labs) had issued a contract to Digitek to produce the first PL/I
compiler, for the Multics development.  The contract specified delivery in
*six* months.  (Digitek was a very experienced developer of Fortran
compilers.)

During the sixth month, a full-page ad appeared in Datamation: "Here and
Now: The world's first PL/I compiler."

The only problem was that Digitek defaulted on the contract that month.
Doug McIlroy and Bob Morris rushed to the fore, and produced the
EPL compiler for a subset of the language just powerful enough for the
Multics development, and whipped it together in a few months.  That may
well have been one of the inspirations for GCC.


Re: In the UK, encryption implies potential guilt? (RISKS-26.92,93)

Jonathan Thornburg <jthorn@astro.indiana.edu>
Thu, 19 Jul 2012 22:04:28 -0400 (EDT)

While the the Regulation of Investigatory Powers Act 2000 (RIPA) was passed
over a decade ago, the present discussion concerns Part 3, which only came
into effect on 1 October 2007.

Some of the first actual prosecutions for refusing to supply decryption keys
were:

http://www.theregister.co.uk/2007/11/14/ripa_encryption_key_notice/
*Animal rights activist hit with RIPA key decrypt demand*
UK terror law change kicks in

http://www.theregister.co.uk/2009/11/24/ripa_jfl/
*UK jails schizophrenic for refusal to decrypt files*
Terror squad arrest over model rocket

The latter story opens:

"The first person jailed under draconian UK police powers that Ministers
 said were vital to battle terrorism and serious crime has been identified
 by The Register as a schizophrenic science hobbyist with no previous
 criminal record.

 His crime was a persistent refusal to give counter-terrorism police
 the keys to decrypt his computer file."


Re: "In the UK, encryption implies potential guilt?" (RISKS-26.91)

"Chris Drewe" <e767pmk@yahoo.co.uk>
Mon, 23 Jul 2012 21:12:59 +0100

Well... the garden-variety laptop computer that I'm typing this on (running
Windows 7) has over a million files on it, according to the anti-virus scan
log, and I have no idea what most of them are.  I've never knowingly stored
any files that may get me into trouble, but neither can I tell what gets
loaded with updates (see other thread on browsers), and I bought the laptop
at a reduced price as 'ex-demonstration' as it had been used in the store
before purchase (with the network name TECHSUPPORT already set up!).  So if
by some chance I do "have my data examined by the UK authorities" and they
do find something questionable, where does that leave me?  (And if I didn't
have a computer or use the Internet, is that evidence of having something to
hide?!?)  As the poster says, it's worth a debate, but personally I feel
that people are becoming more likely to have their lives trashed by a
heavy-handed criminal investigation than be blown up by terrorists.


Re: Accidents due to confusion of units of measurement (RISKS-26.93)

Mark Brader
Thu, 19 Jul 2012 18:47:25 -0400 (EDT)

> ... resulting in the aircraft receiving 22,300 pounds of fuel instead of
> the required 22,300 kg.

PGN forgot to add "See risks 10.12, 11.16, 17.32, 20.30, 24.13, and
especially 10.13".

  [Yup, Mark gets to remind me every time I forget.  Thanks!  PGN]


Re: Apple wins patent for transparent scroll bar (Wirchenko, RISKS-26.93)

"Richard O'Keefe" <ok@cs.otago.ac.nz>
Mon, 23 Jul 2012 12:49:21 +1200

Gene Wirchenko noted an Apple patent for a transparent scroll bar.  The
article he linked to starts "Apple on Tuesday was awarded the patent for a
transparent-style of scroll bar that disappears when the window is not being
used."

I think it was Dan Ingalls who wrote "From the earliest days, Smalltalk used
flop-out scroll-bars to economize on screen real estate."  So half of the
invention was in use before the first Macintosh was built.  And Apple
certainly knew about Smalltalk.

Pretty much since the Morphic GUI library was developed it has been possible
to set the colours of the various components that make up a scroll bar in
Squeak Smalltalk; that includes TranslucentColor-s.  And Apple certainly
knew about Squeak and Morphic.  I presume other GUI toolkits let you do the
same.

What then _is_ the invention?


Re: You can have security or privacy. Pick one (RISKS-26.93)

Anthony Thorn <anthony.thorn@atss.ch>
Fri, 20 Jul 2012 07:48:52 +0200

I would like to slightly modify Mr Alexanderro's choice:
     "Security, with as much privacy as possible."
as follows:

"Where our privacy (and other liberties) are exposed to official bodies,
effective controls (measures) against misuse must be implemented."

Of course the problem of defining "effective" and implicitly also
"practicable" and "affordable" remains .  However this is now a classic risk
management problem.  It is still a difficult problem, but hopefully more
amenable to discussion and even agreement!

Please report problems with the web pages to the maintainer

Top