The RISKS Digest
Volume 27 Issue 61

Tuesday, 19th November 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

GIGO cholesterol, but is it a bug or specifications failure?

Jeremy Epstein

Voter ID laws and voter suppression

Richard L. Hasen

Vendors Liable under No Surreptitious Code Warranties?

Henry Baker

Fined For Posting A Negative Review Online

Lauren Weinstein

Riders double-charged after transit card rollout

Kurt Sheffer

Technological Due Process

Danielle Keats Citron via Robert Schaefer

UK conservatives attempting to erase their Internet history

Lauren Weinstein

NSA Admits That Edward Snowden Stole Up to 200,000 Documents

David Farber

Hack of MacRumors forums exposes password data for 860,000 users

Dan Goodin via Monty Solomon

"Facebook forces some users to reset passwords because of Adobe data breach"

Lucian Constantin via Gene Wirchenko

Apple takes strong privacy stance in new report, publishes rare 'warrant canary'

Cyrus Farivar via Dewayne Hendricks

EFF Files 22 Firsthand Accounts of How NSA Surveillance Chilled the Right to Association

David Farber

LexisNexis helping police stake out social media

Lauren Weinstein

FBI deems PhD thesis a national security concern

Richard Forno

LG Smart TV logging everything to a website

Eli the Bearded

Hoping to avert "collision" with disaster, Microsoft retires SHA1

Monty Solomon

"Adobe patches critical vulnerabilities in Flash Player, ColdFusion"

Lucian Constantin via Gene Wirchenko

"'Blurry fonts' bug KB 2670838 persists with IE11 and Windows 7"

Woody Leonhard via Gene Wirchenko

Re: An App That Saved 10,000 Lives

Geoff Kuenning

Clifford Nass: Obituary

Chris Drewe

Info on RISKS (comp.risks)

GIGO cholesterol, but is it a bug or specifications failure?

A newly released risk calculator for figuring out heart disease risk based
on cholesterol levels is flawed, and is giving inaccurate results.  But the
article is unclear whether the specifications for the calculation are wrong,
or whether the calculation was implemented incorrectly.

As always, if you have a bad specification, of course the results will be
wrong.  But even if the specification is right, the computation could be
wrong.

In either case, the result could be putting people on medications that are
inappropriate given their risks and have side effects (not to mention the
costs of the medications).

http://www.nytimes.com/2013/11/18/health/risk-calculator-for-cholesterol-appears-flawed.html

  [Computer-related?  Sure.  Bug?  Spec error?  The old LDL number is
  calculated, not the result of any testing.  And the new "standards" appear
  to be deeply flawed, still unable to discriminate between harmful small
  LDL and constructive large LDL, and ignoring the fundamental differences,
  as well as overendowing statins despite their well-known history of liver
  damage and other "features" that seem to be relegated to "inconsequential".
  PGN]

Voter ID laws and voter suppression (Richard L. Hasen)

Richard L. Hasen, Voter Suppression's New Pretext, OpEd, *The New York Times*
http://www.nytimes.com/2013/11/16/opinion/voter-suppressions-new-pretext.html?ref=opinion&pagewanted=print

Vendors Liable under No Surreptitious Code Warranties?

The following language (or very similar language) appears in a large number
of contracts for software and systems procured in the U.S.  There appears to
be _no exception_ for NSA backdoors.  I'm no lawyer, but perhaps every
software & system vendor is liable under these warranties—e.g., for
deliberately weakened encryption, Microsoft-installed backdoors (WMF),
bugged/compromised routers (D-Link) & name-servers, etc.

The potential liabilities could be in the trillions of dollars if any
NSA-inspired backdoor were to be utilized for accessing financial
information.

"No Surreptitious Code Warranty

"The Contractor represents and warrants that no copy of licensed Software
provided to the [customer] contains or will contain in any Self-Help Code or
any Unauthorized Code as defined below.  This warranty is referred to in
this Contract as the "No Surreptitious Code Warranty."

"As used in this Contract, "Self-Help Code" means any back door, time bomb,
drop dead device, or other software routine designed to disable a computer
program automatically with the passage of time or under the positive control
of a person other than the licensee of the software.  Self-Help Code does
not include Software routines in a computer program, if any, designed to
permit an owner of the computer program (or other person acting by authority
of the owner) to obtain access to a licensee's computer system(s)
(e.g. remote access via modem) for purposes of maintenance or technical
support.

"As used in this Contract, "Unauthorized Code" means any virus, Trojan
horse, spyware, worm or other Software routines or components designed to
permit unauthorized access to disable, erase, or otherwise harm software,
equipment, or data; or to perform any other such actions.  The term
Unauthorized Code does not include Self-Help Code.

"In addition, Contractor will use up-to-date commercial virus detection
software to detect and remove any viruses from any software prior to
delivering it to the [customer].

"The Vendor shall defend [customer] against any claim, and indemnify the
[customer] against any loss or expense arising out of any breach of the No
Surreptitious Code Warranty."

Fined For Posting A Negative Review Online

  Wanting an explanation, Jen says she tried to call the company but could
  never reach anyone. So frustrated, she turned to the Internet writing a
  negative review on ripoffreport.com.  "There is absolutely no way to get
  in touch with a physical human being," it says. And it accuses
  kleargear.com of having "horrible customer service practices."  That was
  the end of it, Jen thought, until three years later when Jen's husband got
  an email from Kleargear.com demanding the post be removed or they would be
  fined. Kleargear.com says Jen violated a non-disparagement clause. It
  turns out that, hidden within the terms of sale on Kleargear.com there is
  a clause that reads: "In an effort to ensure fair and honest public
  feedback, and to prevent the publishing of libelous content in any form,
  your acceptance of this sales contract prohibits you from taking any
  action that negatively impacts kleargear.com, its reputation, products,
  services, management or employees."  The clause goes on to say if a
  consumer violates the contract they will have 72 hours to remove your post
  or face a $3500 fine. If that fine is not paid, the delinquency will be
  reported to the nation's credit bureaus.  "This is fraud," Jen said.
  "They're blackmailing us for telling the truth."  http://j.mp/17Ynay4
  (KTVU via NNSquad)

Riders double-charged after transit card rollout

One problem among many with the rollout of the Chicago Transit Agency's new
Ventra system: Riders who kept their Ventra card in their wallet along with
another contactless payment card were double-charged:
http://www.chicagonow.com/arkielad/2013/09/chicago_ventra_card/

Other problems included riders being charged a second time upon exiting a bus:
http://articles.chicagotribune.com/2013-11-06/news/ct-met-ventra-bus-door-exit-20131107_1_ventra-reader-ventra-card-ventra-contractor
And, 15,000 free rides due to a system outage:
http://articles.chicagotribune.com/2013-11-14/news/chi-ventra-outage-hits-60-cta-stations-results-in-15000-20131113_1_ventra-readers-card-readers-free-rides

Technological Due Process (Danielle Keats Citron)

Despite the exceedingly dry abstract, the 2007 legal studies research,
"Technological Due Process" by Danielle Keats Citron is truly illuminating
on the consequences of computer automation on law.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id12360

The risks that come from software automation have entered the judicial and
executive policy making domain and in turn affect all of us. Automated legal
policy software is as invisible to us as software in auto manufacturer's
electronic control modules, but has greater consequence, having the rule of
law itself.

The software programmer now has to power to make legal policy because the
lawmakers are unable to, or choose not to, review the code after the
decision is make to automate the policy.  Where does one go because a
computer program denies you your request for say, food stamps, or denies you
the right to get on an airplane because of the spelling of your name?

Numerous examples of programmers inadvertently making policy through
automated legal systems are provided.  A selected quote from the text," The
rulemaking power that programmers inadvertently wield thus defies the
democratic origins and purposes of delegation."

Citron's legal paper reminds me of the "in joke" of corporate department
decision-making that for any meetin the secretary who takes the minutes
wields the greatest power.

Lessig's "Code is Law", indeed.

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886  781-981-5767  http://www.haystack.mit.edu

UK conservatives attempting to erase their Internet history

  "The Conservative Party has attempted to erase a 10-year backlog of
  speeches from the Internet, including pledges for a new kind of
  transparent politics the prime minister and chancellor made when they were
  campaigning for election.  Prime minister David Cameron and chancellor
  George Osborne campaigned on a promise to democratise information held by
  those in power, so people could hold them to account. They wanted to use
  the Internet transform politics.  But the Conservative Party has removed
  the archive from its public facing website, erasing records of speeches
  and press releases going back to the year 2000 and up until it was elected
  in May 2010.  It also struck the record of their past speeches off
  Internet engines including Google, which had been a role model for Cameron
  and Osborne's "open source politics".  And it erased the official record
  of their speeches from the Internet Archive, the public record of the net
 —with an effect as alarming as sending Men in Black to strip history
  books from a public library and burn them in the car park."
    http://j.mp/1bpaKum  (*Computer Weekly* via NNSquad)

PGN asked out of band:
> ... and how widely is all this stuff mirrored elsewhere?

LW replied:
It's going to be around, certainly, but perhaps not as widely as one
might suppose, and perhaps from less authoritative sources—and if
they succeed in pulling the major search engine links, then it becomes
harder to find in any case, of course.

NSA Admits That Edward Snowden Stole Up to 200,000 Documents

  [via Dave's IP distribution]
http://gizmodo.com/nsa-admits-that-edward-snowden-stole-up-to-200-000-docu-1464703198

It's been nearly half a year since the first revelations from Edward
Snowden's leak made it into the press, but until now, we've been in the dark
about exactly how big that leak was. Well, ladies and gentlemen, NSA
Director General Keith Alexander is finally shining a light in that
direction.

On Halloween of all days, Alexander told a private gathering of foreign
affairs experts that Snowden didn't leak hundreds of documents and he didn't
leak thousands of documents. He potentially leaked hundreds of thousands of
documents. "I wish there was a way to prevent it," said the soon-to-retire
NSA chief. "Snowden has shared somewhere between 50 (thousand) and 200,000
documents with reporters. These will continue to come out."

By these, Alexander means reports, revelations, scoops—whatever you want
to call the earthshaking stories that Snowden's documents so far have
spawned. It's tough to tell how many have already been put into play, but
the idea that there are almost 200,000 of them still out there suggests that
a number of bombshells are still to land. Evidently, U.S. officials have
known the scale of the leak for months now—which might explain why
they've been so eager to bring Snowden in. [Reuters]

Hack of MacRumors forums exposes password data for 860,000 users (Dan Goodin)

Dan Goodin, Ars Technica, 12 Nov 2013
Assume your password is known, site's top brass tells account holders.

MacRumors user forums have been breached by hackers who may have acquired
cryptographically protected passwords belonging to all 860,000 users, one of
the top editors of the news website ...
http://arstechnica.com/security/2013/11/hack-of-macrumors-forums-exposes-password-data-for-860000-users/
http://www.macrumors.com/2013/11/12/macrumors-forums-security-leak/

"Facebook forces some users to reset passwords because of Adobe data breach" (Lucian Constantin)

Lucian Constantin | InfoWorld, 12 Nov 2013
Users whose Adobe online log-in credentials were exposed and used the
same passwords on Facebook will need to change them
http://www.infoworld.com/d/security/facebook-forces-some-users-reset-passwords-because-of-adobe-data-breach-230677

Apple takes strong privacy stance in new report, publishes rare 'warrant canary' (Cyrus Farivar)

  [Via Dave Farber's IP.  Dave comments: “An interesting approach.'']

Cyrus Farivar, Ars Technica, 5 Nov 2013
Apple has never received an order under Section 215 of the USA Patriot Act."
http://arstechnica.com/tech-policy/2013/11/apple-takes-strong-privacy-stance-in-new-report-publishes-rare-warrant-canary/>

Apple has become one of the first big-name tech companies to use a novel legal tactic to indicate whether the government has requested user information in conjunction with a gag order. Known as a “warrant canary,” this language is encapsulated on Apple's fifth page of its new transparency report (PDF), which was published on Tuesday.

“Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge an order if served on us,” the company wrote, referring to the provision of federal law that compels businesses to hand over business records to American authorities, often under gag order.

Interestingly, Apple did not mention Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act, which compels companies to share data on foreigners and provides the legal basis for the National Security Agency's PRISM program.

Warrant canaries work like this: a company publishes a notice saying that a warrant has not been served as of a particular date. Should that notice be taken down, users are to surmise that the company has indeed been served with one. The theory is that while a court can compel someone to not speak (a gag order), it cannot compel someone to lie. The only problem is that warrant canaries have yet to be fully tested in court.

"If it's really committed to challenging the gag order, it has a ton of resources to apply, and they're a good bet," Neil Richards, a law professor at Washington University in St. Louis, wrote to Ars on Twitter. "Challenging the 215 gag is as much [a function] of resources and commitment as it is a tidy legal [question]. If they succeed, I'll buy a Mac!"

The rest of the report argues that Apple is very privacy minded in terms of
product design and in terms of its legal response to law enforcement.

“When we receive such a demand, our legal team carefully reviews the
order. If there is any question about the legitimacy or scope of the court
order, we challenge it. Only when we are satisfied that the court order is
valid and appropriate do we deliver the narrowest possible set of
information responsive to the request," the company added.

Apple also takes a not-so-subtle dig at other tech companies like Google,
Facebook, and Twitter, which have issued similar transparency reports.

Perhaps most important, our business does not depend on collecting personal
data. We have no interest in amassing personal information about our
customers. We protect personal conversations by providing end-to-end
encryption over iMessage and FaceTime. We do not store location data, Maps
searches, or Siri requests in any identifiable form.

In addition, Apple released the figures of law enforcement requests by
American and other national authorities worldwide. As earlier data from
other companies has shown, American requests dwarf all others. Apple is also
forbidden, as are other companies, from breaking out local law enforcement
cases when compared to national security or federal law enforcement
situations, which is why it must be released as a range of numbers rather
than as a single number.

In comparison to the “1,000 to 2,000” requests that Apple received from
American law enforcement, the next highest came from the United Kingdom,
with 127 requests across 141 accounts. Apple complied with handing over data
in 51 of those accounts, objecting to data sharing for 79 accounts, and
outright denying compliance for 46 accounts. [...]

[snip]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

EFF Files 22 Firsthand Accounts of How NSA Surveillance Chilled the Right to Association

Advocacy Organizations Seek Immediate Ruling on the
Legality of the NSA's Mass Collection of Telephone Records
Electronic Frontier Foundation Media Release, 7 Nov 2013, davidg@eff.org
David Greene, Senior Staff Attorney, Electronic Frontier Foundation

San Francisco - The Electronic Frontier Foundation (EFF) has provided a
federal judge with testimony from 22 separate advocacy organizations
detailing how the National Security Agency's (NSA) mass telephone records
collection program has impeded the groups' work, discouraged their members
and reduced the numbers of people seeking their help via hotlines. The
declarations accompanied a motion for partial summary judgment filed late
Wednesday, in which EFF asks the court to declare the surveillance illegal
on two levels--the law does not authorize the program, and the Constitution
forbids it.

In First Unitarian Church of Los Angeles v. NSA, EFF represents a diverse
array of environmentalists, gun-rights activists, religious groups,
human-rights workers, drug-policy advocates and others that share one major
commonality: they each depend on the First Amendment's guarantee of free
association.  EFF argues that if the government vacuums up the records of
every phone call--who made the call, who received the call, when and how
long the parties spoke--then people will be afraid to join or engage with
organizations that may have dissenting views on political issues of the
day. The US government acknowledged the existence of the telephone records
collection program this summer, after whistleblower Edward Snowden leaked a
copy of a Foreign Intelligence Surveillance Court order authorizing the mass
collection of Verizon telephone records.

"The plaintiffs, like countless other associations across the country, have
suffered real and concrete harm because they have lost the ability to assure
their constituents that the fact of their telephone communications between
them will be kept confidential from the federal government," EFF Senior
Staff Attorney David Greene said.  "This has caused constituents to reduce
their calling. This is exactly the type of chilling effect on the freedom of
association that the First Amendment forbids."

In today's motion, EFF asks the US District Court for the Northern District
of California to review the undisputed evidence at hand and rule that the
NSA's "Associational Tracking Program" is not only unconstitutional, but not
authorized under Section 215 of the USA PATRIOT ACT, the law the government
has so far used to justify its surveillance.

The statute authorizes the government to collect information only if the
information "is relevant to an authorized investigation."  Because the
government collects the records of every telephone call made to, from and
within the United States, the vast majority of the records it collects are
plainly irrelevant.

"Section 215 is a simple statute designed to give the FBI something like the
subpoena power available in criminal investigations," attorney Thomas Moore,
an EFF special counsel, said. "It was not intended to authorize the dragnet
surveillance the NSA has undertaken.  A government of the people, by the
people, and for the people should not be spying on the people."

The motion could be argued as early as February 2014.

For the motion for partial summary judgment:
https://www.eff.org/document/plaintiffs-motion-partial-summary-judgment-0

For the declarations:
https://www.eff.org/document/all-plaintiffs-declarations

For this release:
https://www.eff.org/press/releases/eff-files-22-firsthand-accounts-how-nsa-surveillance-chilled-right-association

 [Truncated for RISKS, but worth reading in its entirety..  PGN]

LexisNexis helping police stake out social media

http://j.mp/17vaVIR  (Ars Technica via NNSquad)

  "Local law enforcement is getting the kind of technological boost that
  used to be limited to three-letter agencies thanks to Web-based software
  services that mine social media for intelligence. At last month's
  International Association of Chiefs of Police (IACP) conference in
  Philadelphia, LexisNexis showed off a new tool it will bundle with its
  research service for law enforcement agencies-one that will help them
  "stake out" social media as part of their criminal investigations.  Called
  Social Media Monitor, the cloud-based service will watch social networks
  for comments and activities that might offer clues to crimes in the
  physical world. With direct connections into a variety of social media
  services' feeds, it will help police plow through Twitter and Facebook in
  search of evidence that could lead to arrests."

I wonder how much law enforcement resources might end up being diverted
by people purposely planting false leads and rickrolls?  LW

FBI deems PhD thesis a national security concern

Meet the Punk Rocker Who Can Liberate Your FBI File

Ryan Shapiro's technique is so effective at unburying sensitive documents,
the feds are asking the courts to stop him.

http://www.motherjones.com/politics/2013/11/foia-ryan-shapiro-fbi-files-lawsuit

notsp LG Smart TV logging everything to a website

http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

  In fact, there is an option in the system settings called "Collection of
  watching info:" which is set ON by default.  This setting requires the
  user to scroll down to see it and, unlike most other settings, contains no
  "balloon help" to describe what it does.

  At this point, I decided to do some traffic analysis to see what was being
  sent.  It turns out that viewing information appears to be being sent
  regardless of whether this option is set to On or Off. [...]

  This information appears to be sent back unencrypted and in the clear to
  LG every time you change channel, even if you have gone to the trouble of
  changing the setting above to switch collection of viewing information
  off.

The television also logs filenames on attached USB drives. A letter to
LG's UK offices produced a particularly unsympathetic response with the
brush-off of:

  The advice we have been given is that unfortunately as you accepted the
  Terms and Conditions on your TV, your concerns would be best directed to
  the retailer.

Doesn't sound very "Life's Good" (LG ad slogan) to me.

Hoping to avert "collision" with disaster, Microsoft retires SHA1

After 2016, Microsoft will stop accepting the collision-prone crypto algorithm.

Dan Goodin, Ars Technica, 12 Nov 2013

Microsoft is retiring two widely used cryptographic technologies that are
growing increasingly vulnerable to attacks that seemed unlikely just a
decade ago.

The company's software will stop recognizing the validity of digital
certificates that use the SHA1 cryptographic algorithm after 2016, officials
said on Tuesday. SHA1 is widely used to underpin secure socket layer (SSL)
and transport layer security (TLS) certificates that authenticate websites
and encrypt traffic passing between their servers and end users. SHA1-based
certificates are also used to digitally verify that specific software
applications are legitimate and not imposter programs or programs that have
been tampered with to include hidden backdoors. ...

http://arstechnica.com/security/2013/11/hoping-to-avert-collision-with-disaster-microsoft-retires-sha1/

"Adobe patches critical vulnerabilities in Flash Player, ColdFusion" (Lucian Constantin)

Lucian Constantin, InfoWorld, 13 Nov 2013
The vulnerabilities could allow unauthorized remote code execution or
remote read access
http://www.infoworld.com/d/security/adobe-patches-critical-vulnerabilities-in-flash-player-coldfusion-230772

"'Blurry fonts' bug KB 2670838 persists with IE11 and Windows 7" (Woody Leonhard)

Woody Leonhard | InfoWorld, 18 Nov 2013
A six-month-old 'fuzzy fonts' bug that affected Firefox and Chrome is
still around—and may now affect Windows users who upgrade to IE11
http://www.infoworld.com/t/microsoft-windows/blurry-fonts-bug-kb-2670838-persists-ie11-and-windows-7-231035

Re: An App That Saved 10,000 Lives (O'Leary, RISKS-27.54)

Bruce Horrocks takes a rather literalist approach to analyzing the story
of a Web site that answers medical questions.  And although I agree that
this kind of promotional press release should be viewed with skepticism,
I also think there might be some truth in between the hype and the
literalism.  (In particular, I think it's going rather far to take the
word "her" to imply that all the saved lives were female.)

It seems likely to me that the press release intended to imply that 10K
people have said that the site saved their lives.  And is that
implausible?  Note that there's a difference between the users *saying*
that site was life-saving and lives actually being saved.  I suspect
that if you survey a random million people, you'll easily find 10K
(that's only one percent) who think their lives were saved by prayer, or
a fortune cookie, or getting a dog.

As to the number of queries and answers, without visiting the site in
question one can safely guess that (a) not every answer comes from a
doctor, (b) it doesn't have to take five minutes--even on average--to
answer a question, and (c) not every question necessarily produces an
answer.

And as to the number of users, I frequent a photography site where some
individuals have over 40K postings.  We know that hypochondria is a real
phenomenon, and we know that there are some lay people who are very
eager to show off their knowledge even if its' not justified.  So I
think it's rather RISKy to try to make a seat-of-the-pants guess at any
site statistics without knowing a few more details.

    Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/

Clifford Nass: Obituary

Today's *Telegraph* has an obituary of Clifford Nass:
http://www.telegraph.co.uk/news/obituaries/10433894/Clifford-Nass-Obituary.html

Clifford Nass was a sociologist who argued that digital multitasking makes
us less sociable, less efficient and less clever.  ... Far from making
people sharper, jumping around from emailing to texting to posting on social
media can scramble the brain, Nass concluded. “People who multitask all
the time show worse thinking abilities in every dimension that we know
of,'' [...]

http://www.telegraph.co.uk/news/obituaries/10433894/Clifford-Nass-Obituary.html

Please report problems with the web pages to the maintainer