The RISKS Digest
Volume 27 Issue 35

Tuesday, 18th June 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Metacharacters bite again
Jeremy Epstein
Online ballot fraud in Miami
Marc Caputo and Patricia Mazzei
Accidental bank transfer
Gunnar Peterson via Jeremy Epstein
FDA issues draft guidance on cybersecurity for medical devices
Kevin Fu
Static electricity in clothes ignites carpet
Martyn Thomas
Found a home via wifi
jidanni
Attacks coming from Amazon Web services
Geoff Kuenning
An Innovative Inno/Vention
Gabe Goldberg
Hard to get that much out of the ATM
Paul Robinson
NSA et al.: it started well before "1984"...
Peter Houppermans
Richard Clarke: Why you should worry about the NSA
Richard Forno
Ray Ozzie on Spying
David Farber
More Intrusive Than Eavesdropping? NSA Collection of Metadata ... Personal Info ...
Dewayne Hendricks via Dave Farber
Outsourced: How the FBI and CIA Use Private Contractors to Monitor
Stephen Benavides
Government Secrets and the Need for Whistleblowers
Bruce Schneier
T-Mobile, Verizon Wireless not under U.S. data watch: foreign ties
Lauren Weinstein
Info on RISKS (comp.risks)

Metacharacters bite again

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 12 Jun 2013 19:35:45 -0400
NSF's review system has a method for program officers to redact text from
reviews prior to their release to the person who submitted the proposal
(*).  I discovered today that it can accidentally get triggered - if the
characters <<% are in the review, the following text is redacted.  Of
course the reviewer who submits a review with these characters doesn't get
a warning, which isn't documented.  The program officer indirectly gets a
warning, in the fact that the text in the review is cut off, but can't tell
the system "no, this really isn't a redaction".

Of course any form of special sequences is potentially problematical, and
the number of errors caused by lack of escaping such sequences is probably
uncountably infinite.

And yes, I discovered this because a reviewer used that string, and I
didn't notice the excised text because I had read the review through a
different interface that doesn't excise it.

(*) If you're not familiar with the NSF process, consider this to be
equivalent to a program chair releasing anonymized reviews written by
program committee members to the authors of a paper.

  [Excise tacks on more problems?  PGN]
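The failure Jeremy describes is an in-band signalling problem: a character sequence inside reviewer-supplied data doubles as a control code. As an added illustration (not code from the post or from NSF's system), the first function below reproduces that behaviour, and the second shows the out-of-band alternative in which redaction ranges are supplied separately from the text. The closing marker `%>>`, the function names and the sample review are assumptions made for this example.

```python
"""Added example: in-band vs out-of-band redaction of reviewer text.
The only detail taken from the post is the trigger sequence "<<%"; the
closing marker and everything else here is assumed for illustration."""
from dataclasses import dataclass

OPEN_MARK = "<<%"      # the trigger sequence the post reports
CLOSE_MARK = "%>>"     # assumed closing marker (not stated on the page)


def redact_inband(review: str) -> str:
    """Naive in-band redaction: everything from OPEN_MARK up to CLOSE_MARK
    is removed. If no CLOSE_MARK follows, the rest of the text is dropped,
    which is exactly what a reviewer who merely types "<<%" runs into."""
    out = []
    pos = 0
    while True:
        start = review.find(OPEN_MARK, pos)
        if start == -1:
            out.append(review[pos:])
            break
        out.append(review[pos:start])
        end = review.find(CLOSE_MARK, start + len(OPEN_MARK))
        if end == -1:
            break                      # unterminated marker: tail silently lost
        pos = end + len(CLOSE_MARK)
    return "".join(out)


def check_for_accidental_trigger(review: str) -> bool:
    """Pre-submission lint a review form could run so the reviewer is warned
    before the text is truncated (the post notes no such warning exists)."""
    return OPEN_MARK in review


@dataclass(frozen=True)
class Redaction:
    start: int   # offset into the reviewer's text, inclusive
    end: int     # exclusive


def redact_outofband(review: str, spans: list) -> str:
    """Out-of-band redaction: the reviewer's text is pure data and the
    program officer supplies explicit offsets. No character sequence in the
    review can trigger a cut, so the "<<%" foot-gun cannot occur."""
    for s in spans:
        if not (0 <= s.start <= s.end <= len(review)):
            raise ValueError(f"redaction span out of range: {s}")
    result = []
    pos = 0
    for s in sorted(spans, key=lambda r: r.start):
        if s.start < pos:
            raise ValueError("overlapping redaction spans")
        result.append(review[pos:s.start])
        result.append("[REDACTED]")
        pos = s.end
    result.append(review[pos:])
    return "".join(result)


if __name__ == "__main__":
    # Constructed sample review containing the accidental trigger.
    sample = "The proposal is strong.<<% Budget seems high. Recommend funding."
    print(repr(redact_inband(sample)))          # tail after "<<%" is gone
    print(check_for_accidental_trigger(sample))  # True: warn the reviewer
```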


Online ballot fraud in Miami (Marc Caputo and Patricia Mazzei)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 16 Jun 2013 14:18:41 PDT
Marc Caputo and Patricia Mazzei (mcaputo@miamiherald.com)
http://www.miamiherald.com/2013/06/15/3453770/online-ballot-fraud-marks-the.html
The election scandal dogging Congressman Joe Garcia's campaign and two state
House races makes it clear: Computer techies are supplementing old-school,
block-walking ballot-brokers known as boleteras.

Over just a few days last July, at least two groups of schemers used
computers traced to Miami, India and the United Kingdom to fraudulently
request the ballots of 2,046 Miami-Dade voters.

Garcia said he knew nothing of the plot that recently implicated three
former campaign workers, two employed in his congressional
office. Investigators, meanwhile, have hit a dead end with a larger fraud
involving two state House races.

A third incident cropped up Thursday in Miami’s mayoral race, but
the case appears unrelated to last year’s fraud when two groups
appeared to act separately from each other. They employed different tactics
to target different types of voters, a University of Florida/Miami Herald
analysis of election data indicates.

The ultimate goal was the same: get mail-in ballots into the hands of
voters, a job that many boleteras once handled on the streets of Miami-Dade.

Now, it's electronic. [...]


Accidental bank transfer (noted by Gunnar Peterson)

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Tue, 11 Jun 2013 14:14:11 -0400
"A German bank employee accidentally transferred 222,222,222.222 euros ($295
million) from a customer's account when he fell asleep at his computer."
http://finance.yahoo.com/news/asleep-job-bankers-million-dollar-114949290.html

  [ZZZZZZZZZZZZ?  PGN]


FDA issues draft guidance on cybersecurity for medical devices

Kevin Fu <kevinfu@umich.edu>
Thu, 13 Jun 2013 23:28:03 -0400
FDA has issued a draft guidance document on cybersecurity for medical
devices and hospital networks after several years of growing concern,
punctuated by a recent discovery of 300 hard coded passwords across more
than 50 medical device manufacturers.  In other words, manufacturers have
been warned to improve the trustworthiness of medical device software.  The
normally staid agency is unusually blunt in its recommendations and
assessment.  Public comment is accepted for 90 days.

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

Further details appear on:
http://blog.secure-medicine.org/2013/06/fda-publishes-draft-guidance-on-medical.html

Kevin Fu, Associate Professor, EECS Department, The University of Michigan
kevinfu@umich.edu, http://spqr.eecs.umich.edu/, 616-594-0385


Static electricity in clothes ignites carpet

Martyn Thomas <martyn@thomas-associates.co.uk>
Sun, 16 Jun 2013 15:29:13 +0100
I have never seen this on a risk register ...  It sounds incredible. Could
it be true?  Martyn

  An Australian man built up so much static electricity in his clothes as he
  walked that he burned carpets, melted plastic and sparked a mass
  evacuation.  Frank Clewer, of the western Victorian city of Warrnambool,
  was wearing a synthetic nylon jacket and a woolen shirt when he went for a
  job interview.  As he walked into the building, the carpet ignited from
  the 40,000 volts of static electricity that had built up.... ... ...
     http://news.bbc.co.uk/1/hi/4252692.stm


Found a home via wifi

<jidanni@jidanni.org>
Sat, 15 Jun 2013 05:55:07 +0800
One Amazing Thing I've Seen or Done
http://www.couchsurfing.org/people/emiliemiao/ says

I am always terrible with directions. there was this one time when I went to
visit my friend in another city. I got lost the moment I got off the
taxi. my friend tried her best to guide me via phone yet failed. but I
finally found her apartment building all by myself when wandering in that
big community, cos my phone got connected to her wifi when approaching that
building!


Attacks coming from Amazon Web services

Geoff Kuenning <geoff@cs.hmc.edu>
Mon, 17 Jun 2013 00:52:13 -0700
This is interesting: One of my machines got a probe last week, looking for a
vulnerable PHP script.  Here's the relevant log line:

> 50.16.166.199 - - [12/Jun/2013:01:11:13 -0700] "HEAD /wp-login.php HTTP/1.1" 404 - "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

It's not very interesting that they're masquerading as the googlebot, as
if Google would ever use HEAD requests.

What *is* interesting is the IP address:

% host 50.16.166.199
199.166.16.50.in-addr.arpa domain name pointer ec2-50-16-166-199.compute-1.amazonaws.com.

So the bad guys are either cracking Amazon Web Services virtual machines,
or renting them.  Probably the former...

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/
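The check Geoff performed by hand, looking up the PTR record of a host claiming to be Googlebot, can be automated as a log-review step. As an added example (not code from the post), this parses the combined-format log line quoted above and classifies the request as genuine or spoofed using reverse DNS plus forward confirmation. The DNS lookups are replaced by constructed in-memory tables so it runs offline; the function names and the sample crawler address are assumptions for this example.

```python
"""Added example: flag log entries whose User-Agent claims Googlebot but whose
reverse-DNS name is not under a Google crawler domain. The quoted log line and
the amazonaws PTR are the post's own; the DNS tables are constructed stand-ins."""
import re
from typing import Optional

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Google's documented crawler verification: reverse-resolve the IP, check the
# name ends in one of these domains, then forward-resolve that name and
# confirm it maps back to the same IP (a PTR alone is controlled by whoever
# owns the reverse zone, so the forward step matters).
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def parse_combined(line: str) -> dict:
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line")
    rec = m.groupdict()
    method, _, rest = rec["request"].partition(" ")
    rec["method"] = method
    rec["path"] = rest.split(" ")[0] if rest else ""
    return rec


def claims_googlebot(agent: str) -> bool:
    return "Googlebot" in agent


def ptr_belongs_to_google(ptr_name: Optional[str]) -> bool:
    if not ptr_name:
        return False
    name = ptr_name.rstrip(".").lower()
    return any(name.endswith(s) for s in GOOGLE_CRAWLER_SUFFIXES)


def verify_crawler(rec: dict, reverse_lookup, forward_lookup) -> str:
    """Return "n/a" (no Googlebot claim), "spoofed" or "genuine".
    reverse_lookup(ip) -> PTR name or None; forward_lookup(name) -> list of IPs.
    Both are injected so the logic can run without network access."""
    if not claims_googlebot(rec["agent"]):
        return "n/a"
    ptr = reverse_lookup(rec["host"])
    if not ptr_belongs_to_google(ptr):
        return "spoofed"            # e.g. an EC2 PTR, as in the post
    if rec["host"] not in forward_lookup(ptr):
        return "spoofed"            # PTR claims Google but does not resolve back
    return "genuine"


# Constructed offline stand-in for DNS. The amazonaws entry is the post's
# observation; the googlebot.com entry is a made-up sample for contrast.
FAKE_PTR = {"50.16.166.199": "ec2-50-16-166-199.compute-1.amazonaws.com.",
            "66.249.66.1": "crawl-66-249-66-1.googlebot.com."}
FAKE_A = {"ec2-50-16-166-199.compute-1.amazonaws.com.": ["50.16.166.199"],
          "crawl-66-249-66-1.googlebot.com.": ["66.249.66.1"]}

LOG_LINE = ('50.16.166.199 - - [12/Jun/2013:01:11:13 -0700] "HEAD /wp-login.php HTTP/1.1" '
            '404 - "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"')


def classify_line(line: str) -> str:
    rec = parse_combined(line)
    return verify_crawler(rec, FAKE_PTR.get, lambda n: FAKE_A.get(n, []))


if __name__ == "__main__":
    rec = parse_combined(LOG_LINE)
    print(rec["host"], rec["method"], rec["path"], "->", classify_line(LOG_LINE))
```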


An Innovative Inno/Vention

Gabe Goldberg <gabe@gabegold.com>
Wed, 12 Jun 2013 23:50:24 -0400
Josh Soussan is the team leader on a project called Aegis, which would allow
handguns to be disabled by radio transmitter when brought into a school or
other such environment. "[Aegis] will not alter the weapon's functionality
at all, unless the firearm is within range of [a] signal emitter," he
explained. "With the recent massacre in Newton, Connecticut, we believe that
this is the next crucial step in providing a safe environment for children
in schools."

http://cable.poly.edu/issue/spring-2013/news/campus-buzz/innovative-innovention

Pervasive disabling of firearms via radio signal—what could possibly go
wrong with this?

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042 (703) 204-0433 http://www.linkedin.com/in/gabegold


Hard to get that much out of the ATM

Paul Robinson <paul@paul-robinson.us>
Thu, 13 Jun 2013 05:24:28 -0700 (PDT)
A woman is $300,000,000 in debt to her bank and neither she nor the bank
knows why.  ABC News reported that Suntrust decided to debit $100,000,000
from a woman's checking account, then while that was being investigated,
they deducted another $100,000,000 from her savings account, then apparently
feeling they hadn't taken enough out (to cover additional overdrafts, I
guess), deducted a second US$100 million out of her checking account.
Suntrust announced they are investigating and have no idea why it happened.
The woman says that she would have known if she had spent 300 million
dollars.  Yeah, I do believe that the woman would have known if she had.
Then again, electric bills can be high, maybe the electric company had to
auto-deduct a large power bill. (Some utilities you would normally just pay
anyway like electric companies, have it set up where you can approve them to
make a monthly deduction for the charge each month; they mail you a bill and
issue a draft for the amount due, so your bill is automatically paid.)

This is also common for some mortgage companies. She probably forgot she had
a bill for last month's mortgage on, oh, I guess the entire state of Rhode
Island...  Maybe she's wrong and she just forgot she withdrew it. Let's see,
the average cash machine has about $20,000 - 50,000 in it, loaded in
canisters, so the woman would have had to visit - and drain - 3,000 ATM
machines, but since the average bank limits you to $500 a day she'd have to
do it a little at a time. Let's be generous and say the limit is $3000 a day
instead, to make it easier. It would have required she take $3,000 out every
day for just shy of 274 years (273.93 years). Gee, she has been busy. That
is, she, her mother, her grandmother, her great grandmother, her
great-great...

The Lessons of history teach us - if they teach us anything - that no one
learns the lessons that history teaches us.  [Indeed, a motto for RISKS.  PGN]


NSA et al.: it started well before "1984"...

Peter Houppermans <ph@privacyclub.ch>
Wed, 12 Jun 2013 23:38:02 +0200
Ubiquitous surveillance and its nefarious impact on those so observed was
not originally Orwell's idea.  The inspiration for the "1984" novel came
from a prison concept developed by the English philosopher and social
theorist Jeremy Bentham in the late 18th century called Panoptikon - allow
me to refer you to Wikipedia (https://en.wikipedia.org/wiki/Panopticon) for
more detail.

The reason I'm pointing this out is that it establishes an IMHO
fundamentally clearer purpose: said surveillance model was developed to
establish mental control over inmates, in other words, people already in
prison.  Keep this in mind when you are encouraged to agree with any
government intercept program.

Peter Houppermans, The Privacy Club, privacy advisers, Switzerland


Richard Clarke: Why you should worry about the NSA

Richard Forno <rforno@infowarrior.org>
June 12, 2013 2:01:44 PM EDT
The just-revealed surveillance stretches the law to its breaking point and
opens the door to future potential abuses

Richard A. Clarke, *New York Daily News*, 12 Jun 2013
(Clarke is a former counterterrorism adviser to Presidents George H.W. Bush,
Bill Clinton and George W. Bush.)
http://www.nydailynews.com/opinion/worry-nsa-article-1.1369705

None of us want another terrorist attack in the United States. Equally, most
of us have nothing to hide from the federal government, which already has so
many ways of knowing about us. And we know that the just-revealed National
Security Agency program does not actually listen to our calls; it uses the
phone numbers, frequency, length and times of the calls for data-mining.

So, why is it that many Americans, including me, are so upset with the Obama
administration gathering up telephone records?

My concerns are twofold. First, the law under which President George W. Bush
and now President Obama have acted was not intended to give the government
records of all telephone calls. If that had been the intent, the law would
have said that. It didn't. Rather, the law envisioned the administration
coming to a special court on a case-by-case basis to explain why it needed
to have specific records.

I am troubled by the precedent of stretching a law on domestic surveillance
almost to the breaking point. On issues so fundamental to our civil
liberties, elected leaders should not be so needlessly secretive.

The argument that this sweeping search must be kept secret from the
terrorists is laughable. Terrorists already assume this sort of thing is
being done. Only law-abiding American citizens were blissfully ignorant of
what their government was doing.

Secondly, we should worry about this program because government agencies,
particularly the Federal Bureau of Investigation, have a well-established
track record of overreaching, exceeding their authority and abusing the
law. The FBI has used provisions of the Patriot Act, intended to combat
terrorism, for purposes that greatly exceed congressional intent.

Even if you trust Obama, should we have programs and interpretations of law
that others could abuse now without his knowing it or later in another
administration? Obama thought we needed to set up rules about drones because
of what the next President might do. Why does he not see the threat from
this telephone program?

The answer is that he inherited this vacuum cleaner approach to telephone
records from Bush. When Obama was briefed on it, there was no forceful and
persuasive advocate for changing it. His chief adviser on these things at
the time was John Brennan, a life-long CIA officer. Obama must have been
told that the government needed everyone's phone logs in the NSA's
computers for several reasons.

The bureaucrats surely argued that it was easier to run the big data search
and correlation program on one database. They said there was no law that
could compel the telephone companies to store the records on their own
servers.

If the telephone companies did so, government and company lawyers then
certainly said, they would become legally `an agent' of the government and
could be sued by customers for violating the terms of their service
agreements.

Finally, Obama was certainly told, if the NSA and the FBI had to query
telephone company servers, then the phone companies would know whom the
government was watching, a violation of need-to-know secrecy traditions.

If there had been a vocal and well-informed civil liberties advocate at the
table, Obama might have been told that all those objections were either
specious or easily addressed. Law already requires Internet service
providers to store emails for years so that the government can look at
them. An amendment to existing law could have extended that provision to
telephone logs and given the companies a `safe harbor' provision so they
would not be open to suits. The telephone companies could have been paid to
maintain the records.

If the government wanted a particular set of records, it could tell the
Foreign Intelligence Surveillance Court why—and then be granted
permission to access those records directly from specially maintained
company servers. The telephone companies would not have to know what data
were being accessed. There are no technical disadvantages to doing it that
way, although it might be more expensive.

Would we, as a nation, be willing to pay a little more for a program
designed this way, to avoid a situation in which the government keeps on its
own computers a record of every time anyone picks up a telephone? That is a
question that should have been openly asked and answered in Congress.

The vocal advocate of civil liberties was absent because neither Bush nor
Obama had appointed one, despite the recommendation of the 9/11 Commission
and a law passed by Congress. Only five years into his administration is our
supposedly civil liberties-loving President getting around to activating a
long-dormant Privacy and Civil Liberties Oversight Board. It will have a lot
of work to do.

Richard Clarke is a former counterterrorism adviser to Presidents George
H.W. Bush, Bill Clinton and George W. Bush.


Ray Ozzie on Spying

David Farber <farber@gmail.com>
Wed, 12 Jun 2013 16:34:53 -0400
Ray Ozzie on NSA spying: We got what we asked for. Now it's time to wake up.
The Boston Globe, 7 Jun 2013

http://www.boston.com/business/innovation/blogs/inside-the-hive/2013/06/07/ray-ozzie-nsa-spying-got-what-asked-for-now-time-wake/42AqxBSvgu0X3xXGIx7WFK/blog.html

Ray Ozzie, the creator of Lotus Notes and Microsoft's former software head,
joined the chorus of technical leaders pushing back on the government's
far-reaching surveillance program.

“I hope that people wake up, truly wake up, to what's happening to society,
from both a big brother perspective and little brother perspective,” he
said during the Nantucket Conference.  He said that, after Sept. 11, the
pendulum had swung too far towards government surveillance and data
gathering.

“We got what we asked for, and now it's time to pull it back,” Ozzie
said, referencing the near-unanimous passage of the PATRIOT Act, noting the
danger that broad data gathering operations present. “Imagine if you had
an administration targeting journalists or groups of people based on
political leanings.”

The current administration, of course, is facing allegations that it did
just that, with the Department of Justice secretly obtaining Associated
Press phone records and investigating a Fox News reporter's personal emails
while the IRS is facing allegations it focused audits on politically
conservative groups.

Ozzie has been an advocate of strengthened online privacy and serves on the
board of the Electronic Privacy Information Center, a group that has been
instrumental in bringing to light much of the government's surveillance. He
also said that current protections are simply inadequate and outdated.

“The privacy act that we're operating under right now was written in
1974,” he noted. “What's happened since 1974?” For example, he was
critical of third-party doctrine, which holds that information given to a
third-party — such as a phone company, an email host, or social network
like Facebook or Twitter — essentially waives Fourth Amendment protections
“against unreasonable searches and seizures.”

Given how much information is stored digitally, that means a much wider
array of information is now available without probable cause.

“It's really dangerous,” Ozzie said. “I hope that what's happened in
the past few days gets people riled up. This is a non-partisan issue. I hope
people wake up a little bit more and don't just build apps and say, I'm
going to sell private information for ads.”


More Intrusive Than Eavesdropping? NSA Collection of Metadata Hands Gov't Sweeping Personal Info (via Dave Farber)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Jun 12, 2013 5:31 PM
http://www.democracynow.org/2013/6/12/more_intrusive_than_eavesdropping_nsa_collection

As the American Civil Liberties Union sues the Obama administration over its
secret NSA phone spying program, we look at how the government could use
phone records to determine your friends, medical problems, business
transactions and the places you've visited. While President Obama insists
that nobody is listening to your telephone calls, cybersecurity expert Susan
Landau says the metadata being collected by the government may be far more
revealing than the content of the actual phone calls. A mathematician and
former Sun Microsystems engineer, Landau is the author of the book
"Surveillance or Security?: The Risks Posed by New Wiretapping
Technologies."

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


Outsourced: How the FBI and CIA Use Private Contractors to Monitor Social Media

Stephen Benavides <messenger@truthout.org>
Thu, 13 Jun 2013 17:36:19 -0400 (EDT)
Stephen Benavides, Truthout
Right now, companies like Palantir Technologies Inc, Booz Allen Hamilton
and i2 are mining your Facebook and Twitter data to discern whether you're a
terrorist, have ties to terrorists or maybe just have the potential to
someday become one.
http://truth-out.org/news/item/16943-outsourced-intelligence-how-the-fbi-and-cia-use-private-contractors-to-monitor-social-media


Government Secrets and the Need for Whistleblowers

Bruce Schneier <schneier@SCHNEIER.COM>
Sat, 15 Jun 2013 01:14:45 -0500
  [Bruce's latest issue is full of commentary on this and related subjects.
  I've excerpted just the beginning for RISKS.  Copyrighted but
  Intentionally Distributable.  PGN]

Bruce Schneier, Chief Security Technology Officer, BT

[From CRYPTO-GRAM, 15 Jun 2013 [free monthly newsletter providing summaries,
analyses, insights, and commentaries on security: computer and otherwise.
You can subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also available
at that URL.]

Recently, we learned that the NSA received all calling records from Verizon
customers for a three-month period starting in April. That's everything
except the voice content: who called who, where they were, how long the call
lasted—for millions of people, both Americans and foreigners. This
"metadata" allows the government to track the movements of everyone during
that period, and build a detailed picture of who talks to whom. It's
exactly the same data the Justice Department collected about AP journalists.

The "Guardian" delivered this revelation after receiving a copy of a secret
memo about this—presumably from a whistleblower. We don't know if the
other phone companies handed data to the NSA too. We don't know if this was
a one-off demand or a continuously renewed demand; the order started a few
days after the Boston bombers were captured by police.

We don't know a lot about how the government spies on us, but we know some
things. We know the FBI has issued tens of thousands of ultra-secret
National Security Letters to collect all sorts of data on people—we
believe on millions of people—and has been abusing them to spy on
cloud-computer users. We know it can collect a wide array of personal data
from the Internet without a warrant. We also know that the FBI has been
intercepting cell-phone data, all but voice content, for the past 20 years
without a warrant, and can use the microphone on some powered-off cell
phones as a room bug—presumably only with a warrant.

We know that the NSA has many domestic-surveillance and data-mining programs
with codenames like Trailblazer, Stellar Wind, and Ragtime—deliberately
using different codenames for similar programs to stymie oversight and
conceal what's really going on. We know that the NSA is building an enormous
computer facility in Utah to store all this data, as well as faster computer
networks to process it all. We know the U.S.  Cyber Command employs 4,000
people.

We know that the DHS is also collecting a massive amount of data on people,
and that local police departments are running "fusion centers" to collect
and analyze this data, and covering up its failures. This is all part of the
militarization of the police.

Remember in 2003, when Congress defunded the decidedly creepy Total
Information Awareness program? It didn't die; it just changed names and
split into many smaller programs. We know that corporations are doing an
enormous amount of spying on behalf of the government: all parts.

We know all of this not because the government is honest and forthcoming,
but mostly through three backchannels—inadvertent hints or outright
admissions by government officials in hearings and court cases, information
gleaned from government documents received under FOIA, and government
whistleblowers.

There's much more we don't know, and often what we know is obsolete. We know
quite a bit about the NSA's ECHELON program from a 2000 European
investigation, and about the DHS's plans for Total Information Awareness
from 2002, but much less about how these programs have evolved. We can make
inferences about the NSA's Utah facility based on the theoretical amount of
data from various sources, the cost of computation, and the power
requirements from the facility, but those are rough guesses at best. For a
lot of this, we're completely in the dark.

And that's wrong.

The U.S. government is on a secrecy binge. It overclassifies more
information than ever. And we learn, again and again, that our government
regularly classifies things not because they need to be secret, but because
their release would be embarrassing.

Knowing how the government spies on us is important. Not only because so
much of it is illegal—or, to be as charitable as possible, based on novel
interpretations of the law—but because we have a right to know.
Democracy requires an informed citizenry in order to function properly, and
transparency and accountability are essential parts of that. That means
knowing what our government is doing to us, in our name. That means knowing
that the government is operating within the constraints of the
law. Otherwise, we're living in a police state.

We need whistleblowers.

  [For lots more, go back to the source.  PGN]


T-Mobile, Verizon Wireless not under U.S. data watch: foreign ties

Lauren Weinstein <lauren@vortex.com>
Thu, 13 Jun 2013 20:41:37 -0700
  "Telecom providers T-Mobile US Inc and Verizon Wireless do not directly
  contribute to the controversial U.S. surveillance program, partly due to
  their overseas ownership ties, the Wall Street Journal reported Thursday,
  citing people familiar with the matter."
  http://j.mp/197iNgi  (Reuters)
