The RISKS Digest
Volume 27 Issue 54

Wednesday, 16th October 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Adi Shamir Prevented from Attending Crypto and Cryptology Conferences
An App That Saved 10,000 Lives
Amy O'Leary via Monty Solomon
From the Start, Signs of Trouble at Health Portal
Pear et al. via Monty Solomon
Deloitte IT projects plagued with troubles around the country
Woolhouse and Healy via Monty Solomon
Online Application Woes Make Students Anxious and Put Colleges Behind Schedule
Lauren Weinstein
Deutsche Telekom hopes to hide German Internet traffic from spies
Lauren Weinstein
"We can't let the Internet become Balkanized"
Sascha Meinrath via NNSquad
"Risk considerations: Tracking services monitor your every move"
Steve Ragan via Gene Wirchenko
Info on RISKS (comp.risks)

Adi Shamir Prevented from Attending Crypto and Cryptology Conferences

"Peter G. Neumann" <>
Wed, 16 Oct 2013 9:43:36 PDT
Adi Shamir applied for a J1 visa at the beginning of June 2013, two and
one-half months early, so that he could attend the annual Crypto Conference
in Santa Barbara in mid-August (which he has almost always attend for the
past 32 years) and a subsequent NSA-affiliated History of Cryptography
Conference—at which he was to present his paper, The Cryptology of John
Nash from a Modern Perspective.  As the S in RSA, and one of the most
important cryptographers in the world, it would seem to be a no-brainer that
he should be present for both conferences.  However, he was unable to attend
either, because the U.S. took exactly *four* months to send him his new
visa.  In his apology <>
(dated 15 Oct 2013) for not being able to attend the History of Cryptography
conference, Adi notes that "I am not alone, and many foreign scientists are
now facing the same situation."

Because of the delay, his paper was removed from the program for the History
conference.  Even though his visa has now arrived long after Crypto 2013, he
was reinvited to give the talk at the Cryptology History conference, it is
apparently no longer possible due to other commitments.

This could be some sort of egregious combination of incredible arrogance,
ignorance, stupidity, personal vendetta, diplomatic blunder, and misguided
attitude to International scientific collaboration, or possibly just
attributable to a serious miscarriage of innate bureaucracy.  In any case,
the injustice is really sad, because four months for the simple nth renewal
of a visa seems outrageous.  Indeed, public-key cryptography might not even
be with us today if Adi had not been involved with Ron Rivest and Leonard
Adleman so long ago.  [PGN's personal opinion]

An App That Saved 10,000 Lives (Amy O'Leary)

Monty Solomon <>
Mon, 14 Oct 2013 10:11:16 -0400
  [Note: RISKS always solicits success stories, particularly those that
  result from foresight, long-term planning, intelligent software
  development and software engineering practices, and so on.  Here's one.
  Unfortunately, the norm seems to be that we generally run items on actual
  cases were the risks are either exacerbated or evidently present, as more
  or less dominated by the rest of this issue—because they are
  predominant.  PGN]

[Source: Amy O'Leary, *The New York Times*, 5 Oct 2013]

While most start-ups feverishly track figures like the total number of
users, Ron Gutman, the founder and chief executive of the health information
start-up, HealthTap, is more interested in a different data point.

This week, the start-up heard from its 10,000th user who said the site saved
her life.

"My local doctor brushed me off and told me it was anxiety without doing any
tests at all," wrote one woman who turned to HealthTap after seeing her
doctor. After spending two hours on HealthTap, she was told by a doctor who
contributes to the site that her condition sounded like a blocked artery.
She soon saw a cardiology specialist who later inserted a coronary stent.

Since its founding in 2012, the site has logged nearly a billion questions
and answers, from simple queries about headaches or the flu, to more
complicated ones, like whether mechlorethamine is a cancer medication.
Questions are then routed to a physician who is both an expert in that
particular field of medicine, and who is determined by an algorithm to be
likely to respond fast, Mr. Gutman said.

None of that would be possible without the participation of nearly 50,000
doctors who contribute their advice free. (Every page on the site has a
disclaimer saying that the site "does not provide medical advice, diagnosis
or treatment.") ...

From the Start, Signs of Trouble at Health Portal (Pear et al.)

Monty Solomon <>
Sun, 13 Oct 2013 23:16:39 -0400
Robert Pear, Sharon LaFraniere and Ian Austen. *The New York Times*,
dated 12 Oct 2013, published 13 Oct 2013

WASHINGTON - In March, Henry Chao, the chief digital architect for the Obama
administration's new online insurance marketplace, told industry executives
that he was deeply worried about the Web site's debut. "Let's just make sure
it's not a third-world experience," he told them.

Two weeks after the rollout, few would say his hopes were realized.

For the past 12 days, a system costing more than $400 million and billed as
a one-stop click-and-go hub for citizens seeking health insurance has
thwarted the efforts of millions to simply log in. The growing national
outcry has deeply embarrassed the White House, which has refused to say how
many people have enrolled through the federal exchange.

Even some supporters of the Affordable Care Act worry that the flaws in the
system, if not quickly fixed, could threaten the fiscal health of the
insurance initiative, which depends on throngs of customers to spread the
risk and keep prices low. ...

Deloitte IT projects plagued with troubles around the country (Woolhouse and Healy)

Monty Solomon <>
Mon, 14 Oct 2013 10:01:01 -0400
6 Oct 2013

Mass. IT project is latest black eye for Deloitte
By Megan Woolhouse and Beth Healy |  GLOBE STAFF
07 Oct 2013â15

State senate committee to hold hearing on troubled Deloitte unemployment system contract
October 3, 2013

A thousand defects: DOR fired Deloitte in August
October 3, 2013

$54m later, state fired computer contractor
By Megan Woolhouse and Beth Healy |  GLOBE STAFF
04 Oct 2013â15

Massachusetts, California jobless benefit claim woes both tied to Deloitte Consulting of New York
24 Sep 2013

Mass., Calif. benefit claim woes tied to same firm
By Megan Woolhouse |  GLOBE STAFF
25 Sep 2013â15

Flawed contract for jobless claim system cost state millions
By Beth Healy and Megan Woolhouse |  GLOBE STAFF
19 Sep 2013â15

Online Application Woes Make Students Anxious and Put Colleges Behind Schedule

Lauren Weinstein <>
Sun, 13 Oct 2013 09:43:32 -0700
  With early admission deadlines looming for hundreds of thousands of
  students, the new version of the online Common Application shared by more
  than 500 colleges and universities has been plagued by numerous
  malfunctions, alarming students and parents and putting admissions offices
  weeks behind schedule "It's been a nightmare," Jason C. Locke, associate
  vice provost for enrollment at Cornell University. "I've been a supporter
  of the Common App, but in this case, they've really fallen down."  (*The New York Times* via NNSquad)

So, like, this is rocket science to do correctly at these volumes of
transactions for relatively straightforward applications? Uh, no.

Deutsche Telekom hopes to hide German Internet traffic from spies

Lauren Weinstein <>
Sun, 13 Oct 2013 11:43:27 -0700
  "One of Deutsche Telekom's competitors, Internet service provider QSC, had
  questioned the feasibility of its plan to shield Internet traffic, saying
  it was not possible to determine clearly whether data was being routed
  nationally or internationally, WirtschaftsWoche magazine reported."  (Reuters via NNSquad)

What they really mean is foreign spies. Their own vast surveillance
apparatus of course would have full access. No matter, it's basically
impractical, as noted.

"We can't let the Internet become Balkanized" (Sascha Meinrath)

Lauren Weinstein <>
Mon, 14 Oct 2013 08:28:54 -0700  (Slate via NNSquad)

  "Traditionally, that debate has featured America in the role as champion
  of a free and open Internet, one that guarantees the right of all people
  to freely express themselves. Arguing against that ideal: repressive
  regimes that have sought to limit connectivity and access to
  information. The NSA's actions have shifted that debate, alienating key
  Internet-freedom allies and emboldening some of the most repressive
  regimes on the planet. Think of it as an emerging coalition between
  countries that object to how the United States is going about upholding
  its avowed principles for a free Internet, and countries that have
  objected to those avowed principles all along."

 - - -

It is my personal belief that much of the breathless foreign government
hyperbole against the US relating to surveillance has little do with actual
surveillance (after all, many of these countries have their own major
surveillance systems, sometimes focused specifically inward to further
political repression and censorship) and everything to do with pushing the
abhorrent UN/ITU agenda (or similar agendas) for Internet control that would
codify censorship and heavy-handed government directed dictates over
Internet content and associated retribution against Internet users.  China's
and Russia's longstanding duplicity in these respects relating to Internet
governance and censorship is particularly noteworthy.

"Risk considerations: Tracking services monitor your every move" (Steve Ragan)

Gene Wirchenko <>
Mon, 14 Oct 2013 13:16:24 -0700
Steve Ragan, CSO Online, 14 Oct 2013
Tracking services offer no real value to the business, but they exist on
networks both large and small, and administrators are often unaware of their

Please report problems with the web pages to the maintainer