The RISKS Digest
Volume 27 Issue 31

Friday, 31st May 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Captcha fail leaves blind people unable to sign petition
Drew Guarini via Jim Reisert
Ruby on Rails vulnerability to compromise servers, create botnet
Lucian Constantin via Gene Wirchenko
"Twitter's two-factor authentication can be abused"
Lucian Constantin via Gene Wirchenko
From Bad to Worse: Online Repression in the Gulf
EFF via Lauren Weinstein
Browser 'Back' button may cause student loan application to fail
John Standen
EFF: Computer Scientists Urge Court to Block Copyright Claims in Oracle v. Google API Fight
Lauren Weinstein
The risks of Public Wi-Fi [sic]
Bob Frankston
Re: Risks of reporting a bug to the wrong place
Paul Robinson
Re: The Internet is no place for Critical Infrastructure
Bob Frankston
Re: Risks of spreadsheets
Bob Frankston
Re: The Hazards of Gambling
Martin Ward
Die Passwords! Die!
Lauren Weinstein
Info on RISKS (comp.risks)

Captcha fail leaves blind people unable to sign petition

Jim Reisert AD1C <>
Thu, 30 May 2013 18:50:16 -0600
Drew Guarini, Petition To Help The Blind, 30 May 2013
The Huffington Post

"Thanks in part to a dreaded Captcha code on the White House's petitions
website, it's nearly impossible for blind web users to sign a "We The
People" petition seeking support for an international treaty intended to
help ... the blind."

Ruby on Rails vulnerability to compromise servers, create botnet (Lucian Constantin)

Gene Wirchenko <>
Thu, 30 May 2013 10:44:44 -0700
Lucian Constantin, InfoWorld, 29 May 2013
Hackers exploit Ruby on Rails vulnerability to compromise servers,
create botnet
The targeted vulnerability was patched in January, but many servers
haven't been updated yet

"Twitter's two-factor authentication can be abused" (Lucian Constantin)

Gene Wirchenko <>
Thu, 30 May 2013 10:46:02 -0700
Lucian Constantin, InfoWorld, 28 May 2013
Attackers could lock users who don't have it enabled out of their
accounts if they steal their log-in credentials, F-Secure researchers say

From Bad to Worse: Online Repression in the Gulf (EFF)

Lauren Weinstein <>
Thu, 30 May 2013 17:12:25 -0700
  "In Kuwait, dozens imprisoned in an effort to stifle online dissent.  In
  the United Arab Emirates, a sentence of 10 months in prison for describing
  a court hearing without "honesty and in bad faith."  And in Qatar, a draft
  cybercrime law that threatens the relative freedom of expression enjoyed
  by residents."  (EFF via NNSquad)

Browser 'Back' button may cause student loan application to fail

John Standen <>
Fri, 31 May 2013 20:44:46 +0100
Student Finance England (Student Loan Company) have been putting the
following message out on Twitter several times over the last few months:

  Applying online? Don't use the 'back' button of your browser as this
  may cause an error on your app that could prevent you from submitting!

A number of students seeking finance for their university tuition fees and
maintenance loan/grant have been finding that on clicking the 'Submit
Application' button are getting a message stating an error has occurred,
asking them to check the data and resubmit. The error message does not state
what the failure is.

In the early days of this year's applications on contacting the support
phone line students were being told to either 'try a different browser' or
'wait 24 hours and try again', only to get the same error.

Students were then told to fill out a paper form (34 pages), and on the
basis of the Twitter post blaming the student for using the browser 'Back

Completing a new student paper form also seems to require parents (if
providing details of household income to get an income based maintenance
loan/grant) to provide information on paper even if it has already been
provided online to support another student.

As a separate issue: the paper form is available as an editable PDF document
allowing a student to enter information for most fields before printing.
Some fields would not accept the required number of characters or were not
aligned with the shaded boxes of the form.

This year I had one student who completed his renewal online and one who got
the error and had to complete the paper form!

EFF: Computer Scientists Urge Court to Block Copyright Claims in Oracle v. Google API Fight

Lauren Weinstein <>
Fri, 31 May 2013 08:13:28 -0700
  "The law is already clear that computer languages are mediums of
  communication and aren't copyrightable. Even though copyright might cover
  what was creatively written in the language, it doesn't cover functions
  that must all be written in the same way," said EFF Staff Attorney Julie
  Samuels. "APIs are similarly functional - they are specifications allowing
  programs to communicate with each other. As Judge Alsup found, under the
  law APIs are simply not copyrightable material."  (EFF via NNSquad)

The risks of Public Wi-Fi [sic]

"Bob Frankston" <>
Fri, 31 May 2013 13:25:53 -0400
I've been find that I often have to shut off the Wi-Fi connection on my
portable device (AKA Smartphone) in order to get simple things like map
searches to work. I suspect the reason is that even after I've gone through
an authentication cycle with a service like XfinityWiFi it may decide to ask
me again. Same for agree screens.

One problem is that the failure is not explained - I simply see a wait
indicator. For an app like email I might not even know I'm missing the
critical message because there is no obvious difference between failure and
no having any email. Yet the phone itself seems to work because the voice
path tests for Wi-Fi connectivity and uses cellular if it can't get a
connection. The apps and the base networking software aren't so smart.

I put the "[sic]" in the title because Wi-Fi is just the name of a
technology and the problem is in confusing the Internet with the web and
then assuming only eyeballs browse and not having the concept of agency
(programs) working on others' behalf.

Re: Risks of reporting a bug to the wrong place (RISKS-27.30)

Paul Robinson <>
Thu, 30 May 2013 23:58:01 -0700 (PDT)
Dr J R Stockton <> wrote

> The Gregorian Calendar was first used in 1582, not 1583.
> In most of your supposed country, not at the time a country, the use of
  Gregorian started in 1752.

True, but the Papal Bull was issued February 24, 1582 so it was not "used"
for a full year. The first year the Gregorian calendar was used starting on
January 1 was 1583. :)

Re: The Internet is no place for Critical Infrastructure (R 27 30)

"Bob Frankston" <>
Wed, 29 May 2013 19:54:32 -0400
This begs the question of what one means by "The Internet". There is no such
thing or place—the Internet is just a technique for using any available
means for communicating without being limited to the channels of traditional
telecom or depending on a third party (the "provider") to "understand" what
you are trying to do in order to make each application work.

If anything "The Internet" is the technique for what we might call "critical
infrastructure" because it is about taking responsibility rather than
dependence. Unfortunately the more we treat the Internet as a thing and try
to solve issues such "security" within the network the more we are at risk.
Not depending on the Internet is the risk.

In I try to address this misunderstanding
by explaining how the Internet is the antithesis of the dependencies
inherent in traditional telecommunications. We must not confuse redundancy
with resilience. This also begs the question of what we mean by "critical
infrastructure". Failure is always an option—the question is how we are
prepared to deal with it and at what scale.

The danger is in confusing the Internet with traditional telecommunication
and becoming complacent because rigid infrastructure seems so reliable ...
until it isn't. We compound this by confusing uses such as the web with
something called "The Internet".

Re: Risks of spreadsheets (RISKS-27.30)

"Bob Frankston" <>
Wed, 29 May 2013 22:17:35 -0400
The real risk here is having programmers miss the point by trying to fit
(electronic) spreadsheets into traditional programming paradigms.

As the article notes spreadsheets are a tool that gives people with domain
expertise the ability to play with their ideas. In doing so it can amplify
misunderstandings in the way that any computer is shines light on ones
misunderstandings. Sure one can use spreadsheets as an alternative to lava
but one can also use Matlab and other tools.

I saw the reference to Mike Schrage's comment about the government being
"outspreadsheeted". Translation—people with domain expertize didn't let
programmers get in the way but in doing so their understanding gets tested.
These aren't spreadsheet errors any more than bad writing is a typing error.
What about the errors introduced when a domain expert tries to speak to a

The real question is how do we educate people so they avoid being seduced by
the seeming authority of numbers. One example is understanding the concept
of significant digits so they don't looking a five year projection and
assuming if you subtract one number from another in the last column a small
difference is meaningful. There is also the problem with confusing
guesstimates with hard numbers. We see this in confusing a strike price with
a hard number and then building trillion dollar derivatives on such a basis.

Of course there are programming-like errors in terms of dealing with
spreadsheet ranges and other artifacts but the solution is less in
preventing errors than learning how to do reality checking and not be
dazzled by the pretty tables. In that sense releasing untested spreadsheet
software is no different than releasing untested code.

By calling these "spreadsheet" errors we shift responsibility from coming to
terms with the new literacy to blaming the tool. This is similar to the
other Risks post in complaining about using Internet as critical
infrastructure rather viewing it as a technique for using available

Re: The Hazards of Gambling (Unger, RISKS-27.30)

Martin Ward <>
Thu, 30 May 2013 11:43:21 +0100
Steve Unger mentions the biggest losers (gambling addicts), people who spend
excessive amounts and people on low income who are lured into buying lottery
tickets, but there is a much larger problem with gambling: that all gambling
results in a net loss of value!

The best discussion I have found on this issue is by John Nevil Maskelyne in
his book "Sharps and Flats":

  "It must be obvious to any one who will take the trouble to think over the
  matter, that chances which are fair and equal are a question of proportion
  rather than of actual amounts and odds.  At first sight, however, it would
  appear that if a man stands an equal chance of winning or losing a certain
  amount, nothing fairer could possibly be imagined, from whatever point of
  view one may regard it.  I venture to say, nevertheless, that this is not
  so.  Suppose for the moment that you are a poor man, and that you meet a
  rich acquaintance who insists upon your spending the day with him, and
  having what the Americans call 'a large time.'  At the end of the day he
  says to you, 'I will toss you whether you or I pay this day's expenses.'
  Such a proposition is by no means uncommon, and suppose you win, what is
  the loss to him?  Comparatively nothing.  He may never miss the amount he
  has to pay; but if you lose, your day's outing may have to be purchased by
  many weeks of inconvenience.

  "A bet of a hundred pounds is a mere bagatelle to a rich man, but it may
  be everything to a poor one.  In the one case the loss entails no
  inconvenience, in the other it means absolute ruin.  It must be granted,
  then, in matters of this kind, that proportion is the chief factor, not
  the actual figures.  If you are with me so far, you are already a step
  nearer to my way of thinking.

  "Let us proceed a step further, and see how it is that a bet is
  necessarily unfair to both parties.  The simple fact is that no two men
  can make a wager, however seemingly fair, or however obviously unfair,
  without at once reducing the actual value to them of their joint
  possessions.  This can be proved to a demonstration.  We will take a case
  in which the chances of winning are exactly equal, both in amount and in
  proportion to the wealth of two bettors.  Suppose that your possessions
  are precisely equal in amount to those of a friend, and that your
  circumstances are similar in every respect.  There can be, then, no
  disparity arising from the fact of a bet being made between you, where the
  chances of winning or losing a certain amount are the same to each.  To
  present the problem in its simplest form, we will say that you each stake
  one-half of your possessions upon the turn of a coin.  If it turns up head
  you win, if it falls 'tail up' your friend wins.  Nothing could possibly
  be fairer than this from a gambler's point of view.  You have each an
  equal chance of winning, you both stake[319] an equal amount, you both
  stand to lose as much as you can win, and, above all, the amount staked
  bears the same value, proportionately, to the wealth of each person.  One
  cannot imagine a bet being made under fairer conditions, yet how does it
  work out in actual fact?  You may smile when you read the words, but you
  both stand to lose more than you can possibly win!  You doubt it!  Well,
  we shall see if it cannot be made clear to you.

  "Suppose the turn of the coin is against you, and therefore you lose half
  your property; what is the result?  To-morrow you will say, 'What a fool I
  was to bet!  I was a hundred per cent.  better off yesterday than I am
  to-day.' That is precisely the state of the case; you were exactly a
  hundred per cent.  better off.  Now, the most feeble intellect will at
  once perceive that a hundred per cent.  can only be balanced by a hundred
  per cent.  If you stood a chance of being that much better off yesterday
  than you are to-day, to make the chances equal you should have had an
  equal probability of being a hundred per cent.  better off to-day than you
  were yesterday.  That is obvious upon the face of it, since we agree that
  these questions are, beyond dispute, matters of proportion, and not of
  actual amounts.

  "Then we will suppose you win the toss, and thus acquire half your
  friend's property; what happens then?  When the morrow arrives you can
  only say, 'I am fifty per cent better off to-day than I was yesterday.'
  That is just it.  If you lose, your losses have amounted to as much as you
  still possess, whilst, if you win, your gains amount only to one-third of
  what you possess.  The plain facts of the case, then, are simply that the
  moment you and your friend have made the bet referred to, you have
  considerably reduced the value of your joint possessions.  Not in actual
  amount, it is true, but in actual fact, nevertheless; for whichever way
  the bet may go, the loss sustained by one represents a future deprivation
  to that one far greater than the future proportional advantage gained by
  the other.  The mere fact of one having gained precisely as much as the
  other has lost does not affect the ultimate result in the least.  The
  inconvenience arising from any loss is always greater than the convenience
  resulting from an equal gain." —"Sharps and Flats", Chapter XIV, by
  John Nevil Maskelyne

The argument above is a purely economic one: that gambling necessarily
involves the destruction of value.  A corollary is that imposing high taxes
on the rich and using the money for public public welfare (schools,
hospitals, roads etc.), or just giving the money to the poor, does not just
shift value around but actually *creates* value. Conversely, the current UK
and US government policies of cutting public spending to fund tax cuts for
the rich are destroying value.

The *moral* argument, that gambling is essentially theft, is also discussed
by Maskelyne:

  "The absolute immorality of gambling--the desire to obtain money to which
  one has no right--in any form is beyond dispute; and the sooner this fact
  is generally recognised, the better it will be for the world at large.
  There are some, of course, in whom the passion is ingrained, and from
  whose natures it can never be wholly eradicated.  But everyone should
  clearly understand that the vice is as reprehensible in proportion to its
  magnitude as that, for instance, of either lying or stealing."

For some, this argument is stronger than the economic one.  But even those
who believe that economics trumps morality should be convinced by the
economic argument.

STRL Reader in Software Engineering and Royal Society Industry Fellow

Die Passwords! Die!

Lauren Weinstein <>
Fri, 31 May 2013 11:53:53 -0700
                          Die Passwords! Die!

In one form or another—verbal, written, typed, semaphored, grunted, and
more—passwords broadly defined have been part of our cultures pretty much
since the dawn of humans at least.  Whether an 18-character mixed-case
password replete with unusual symbols, or the limb-twisting motions of a
secret handshake, we've always needed means for authentication and identity
verification, and we've long used the concept of a communicable "secret" of
some kind to fill this need.

As we plow our way ever deeper into the 21st century, it is notable that
most of our Internet and other computer-based systems still depend on the
basic password motif for access control.  And despite sometimes herculean
efforts to keep password-based environments viable, it's all too clear that
we're rapidly reaching the end of the road for this venerable mechanism.

That this was eventually inevitable has long been clear, but recent
events seem to be piling up and pointing at a more rapid degeneration
of password security than many observers had anticipated, and this is
taking us quickly into the most complex realms of identity and

Advances in mathematical techniques, parallel processing, and
particularly in the computational power available to password crackers
(now often using very high speed graphics processing units to do the
number crunching) are undermining long held assumptions about the
safety of passwords of any given length or complexity, and rendering
even hashed password files increasingly vulnerable to successful
attacks.  If a single configuration error allows such files to fall
into the wrong hands, even the use of more advanced password hashing
algorithms is no guarantee of protection against the march of
computational power and techniques that may decimate them in the

What seems like an almost daily series of high profile password
breaches has triggered something of a stampede to finally implement
multiple-factor authentication systems of various kinds, which are
usually a notch below even more secure systems that use a new password
for every login attempt (that is, OTP - One-Time Password systems,
which usually depend on a hardware device or smartphone app to
generate disposable passwords).

As you'd imagine, the ultimate security of what we might call these
"enhanced password" environments depends greatly on the quality of
their implementations and maintenance.  A well designed multiple
factor system can do a lot of good, but a poorly built and vulnerable
one can give users a false sense of security that is actually even
more dangerous than a basic password system alone.

Given all this, it's understandable that attention has now turned
toward more advanced methodologies that—we hope—will be less
vulnerable than any typical password-based regimes.

There are numerous issues.  Ideally, you don't want folks routinely
using passwords at all in the conventional sense.  Even relatively
strong passwords become especially problematic when they're used on
multiple systems—a very common practice.  The old adage of the
weakest link in the chain holds true here as well.  And the less said
about weak passwords the better (such as "12345"—the kind of
password, as noted in Mel Brooks' film "Spaceballs"—that "an idiot
would have on his luggage")—or worse.

So, much focus now is on "federated" authentication systems, such as
OAuth and others.

At first glance, the concept appears simple enough.  Rather than
logging in separately to every site, you authenticate to a single site
that then (with your permission) shares your credentials via "tokens"
that represent your desired and permitted access levels.  Those other
sites never learn your password per se, they only see your tokens,
which can be revoked on demand.  For example, if you use Google+, you
can choose to use your Google+ credentials to access various other
cooperating sites.  An expanding variety of other similar environments
are also in various stages of availability.

This is a significant advance.  But if you're still using simple
passwords for access to a federated authentication system, many of the
same old vulnerabilities may still be play.  Someone gaining illicit
access to your federated identity may then have access to all
associated systems.  This strongly suggests that when using federated
login environments you should always use the strongest currently
available practical protections—like multiple-factor

All that being said, it's clear that the foreseeable future of
authentication will appropriately depend heavily on federated
environments of one form or another, so a strong focus there is
utterly reasonable.

Given that the point of access to a federated authentication system is
so crucial, much work is in progress to eliminate passwords entirely
at this level, or to at least associate them with additional physical
means of verification.

An obvious approach to this is biometrics—fingerprints, iris scans,
and an array of other bodily metrics.  However, since biometric
identifiers are so associated with law enforcement, cannot be
transferred to another individual in cases of emergency, and are
unable to be changed if compromised, the biometric approach alone may
not be widely acceptable for mass adoption outside of specialized,
relatively high-security environments.

Wearable devices may represent a much more acceptable compromise for
many more persons.  They could be transferred to another individual
when necessary (and stolen as well, but means to render them impotent
in that circumstance are fairly straightforward).

A plethora of possibilities exist in this realm—electronically
enabled watches, bracelets, rings, temporary tattoos, even swallowable
pills—to name but a few.  Sound like science-fiction?  Nope, all of
these already exist or are in active development.

Naturally, such methods are useless unless the specific hardware
capabilities to receive their authentication signals is also present,
when and where you need it, so these devices probably will not be in
particularly widespread use for the very short term at least.  But
it's certainly possible to visualize them being sold along with a
receiver unit that could be plugged into existing equipment.  As
always, price will be a crucial factor in adoption rates.

Yet while the wearable side of the authentication equation has the
coolness factor, the truth is that it's behind the scenes where the
really tough challenges and the most seriously important related
policy and engineering questions reside.

No matter the chosen methods of authentication—typed, worn, or
swallowed—one of the most challenging areas is how to appropriately
design, deploy, and operate the underlying systems.  It is incumbent
on us to create powerful federated authentication environments in ways
that give users trustworthy control over how their identity
credentials are managed and shared, what capabilities they wish to
provide in specific environments, how these factors interact with
complex privacy parameters, and a whole host of associated questions,
including how to provide for pseudonymous and anonymous activities
where appropriate.

Not only do we need to understand the basic topology of these
questions and develop policies that represent reasonable answers, we
must actually build and deploy such systems in secure and reliable
ways, often at enormous scale by historical standards.  It's a
fascinating area, and there is a tremendous amount of thinking and
work ongoing toward these goals—but in many ways we're only just at
the beginning.  Interesting times.

One thing is pretty much certain, however.  Passwords as we've
traditionally known them are on the way out.  They are doomed.  The
sooner we're rid of them, the better off we're all going to be.

Especially if your password is "12345" ...

Please report problems with the web pages to the maintainer