The RISKS Digest
Volume 27 Issue 62

Monday, 25th November 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Massive cargo plane that landed at wrong Kansas airport finally makes it to right one
Dylan Stableford
Repeated attacks hijack huge chunks of Internet traffic
Dan Goodin
Subject: Sweden to give police and others realtime access to citizens' phone, e-mail, more
NNSquad
US and UK struck secret deal to allow NSA to 'unmask' Britons' personal data
*The Guardian*
US senators say there's 'no evidence' bulk metadata surveillance is useful
Cyrus Farivar via Dewayne Hendricks
As if there weren't enough reasons to hate the wireless carriers
DV Henkel-Wallace
Op-ed: Lavabit's founder responds to cryptographer's criticism
Ladar Levison
"Jailbreak a phone, go to jail: Copyright law, the TPP way"
Robert X. Cringely via Gene Wirchenko
Computer Scientists Not Totally Clueless About Passwords
Dan Goodin
"GitHub bans weak passwords after brute-force attack results in compromised accounts"
Lucian Constantin
Web Companies Slam Ruling In Libel Case [as well they should
Lauren Weinstein
Hackers actively exploiting JBoss vulnerability to compromise servers
Lucian Constantin via Gene Wirchenko
Germany threatens to fine and/or jail Carl Malamud for doing his usual thing
Lauren Weinstein
Metadata vs. data: the real issue
Geoff Kuenning
HP sending *styrofoam* junk mail
Joe Touch via Dave Farber
Alternate definition of GIGO
Paul Wexelblat
Re: UK conservatives attempting to erase their Internet history
Scott Miller
Info on RISKS (comp.risks)

Massive cargo plane that landed at wrong Kansas airport finally makes it to right one (Dylan Stableford)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 21 Nov 2013 9:27:00 PST
A Boeing 747 LCF Dreamlifter bound from JFK to McConnell Air Force Base in
Kansas landed by mistake at the much smaller Jabara Airport about 12 miles
to the north, with a runway considered 3000 feet too short for a normal
takeoff for that aircraft.

  [If you build it, they will come—`out in left field', and laboriously
  wind up in (the) `right field'?  PGN]

http://news.yahoo.com/dreamlifter-cargo-plane-wrong-airport-wichita-135024064.html
http://news.yahoo.com/gigantic-plane-stuck-tiny-airport-153357709.html


Repeated attacks hijack huge chunks of Internet traffic (Dan Goodin)

<*Dewayne Hendricks>
Wednesday, November 20, 2013
Dan Goodin, Ars Technica, 20 Nov 2013
Man-in-the-middle attacks divert data on scale never before seen in the wild.
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/

Huge chunks of Internet traffic belonging to financial institutions,
government agencies, and network service providers have repeatedly been
diverted to distant locations under unexplained circumstances that are
stoking suspicions the traffic may be surreptitiously monitored or modified
before being passed along to its final destination.

Researchers from network intelligence firm Renesys made that sobering
assessment in a blog post published Tuesday. Since February, they have
observed 38 distinct events in which large blocks of traffic have been
improperly redirected to routers at Belarusian or Icelandic service
providers. The hacks, which exploit implicit trust placed in the border
gateway protocol used to exchange data between large service providers,
affected "major financial institutions, governments, and network service
providers" in the US, South Korea, Germany, the Czech Republic, Lithuania,
Libya, and Iran.

The ease of altering or deleting authorized BGP routes, or of creating new
ones, has long been considered a potential Achilles Heel for the Internet.
Indeed, in 2008, YouTube became unreachable for virtually all Internet
users after a Pakistani ISP altered a route in a ham-fisted attempt to block
the service in just that country. Later that year, researchers at the Defcon
hacker conference showed how BGP routes could be manipulated to redirect
huge swaths of Internet traffic. By diverting it to unauthorized routers
under control of hackers, they were then free to monitor or tamper with any
data that was unencrypted before sending it to its intended recipient with
little sign of what had just taken place.

"This year, that potential has become reality," Renesys researcher Jim Cowie
wrote. "We have actually observed live man-in-the-middle (MitM) hijacks on
more than 60 days so far this year. About 1,500 individual IP blocks have
been hijacked, in events lasting from minutes to days, by attackers working
from various countries."

At least one unidentified voice-over-IP provider has also been targeted. In
all, data destined for 150 cities have been intercepted. The attacks are
serious because they affect the Internet equivalents of a US interstate that
can carry data for hundreds of thousands or even millions of people.  And
unlike the typical BGP glitches that arise from time to time, the attacks
observed by Renesys provide few outward signs to users that anything is
amiss.

"The recipient, perhaps sitting at home in a pleasant Virginia suburb
drinking his morning coffee, has no idea that someone in Minsk has the
ability to watch him surf the Web," Cowie wrote. "Even if he ran his own
traceroute to verify connectivity to the world, the paths he'd see would be
the usual ones. The reverse path, carrying content back to him from all over
the world, has been invisibly tampered with."

Guadalajara to Washington via Belarus

Renesys observed the first route hijacking in February when various routes
across the globe were mysteriously funneled through Belarusian ISP
GlobalOneBel before being delivered to their final destination. One trace,
traveling from Guadalajara, Mexico, to Washington, DC, normally would have
been handed from Mexican provider Alestra to US provider PCCW in Laredo,
Texas, and from there to the DC metro area and then, finally, delivered to
users through the Qwest/Centurylink service provider. According to Cowie:

Instead, however, PCCW gives it to Level3 (previously Global Crossing), who
is advertising a false Belarus route, having heard it from Russia's
TransTelecom, who heard it from their customer, Belarus Telecom. Level3
carries the traffic to London, where it delivers it to Transtelecom, who
takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the
traffic and then sends it back out on the `clean path' through Russian
provider ReTN (recently acquired by Rostelecom). ReTN delivers it to
Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands
it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.


Sweden to give police and others realtime access to citizens' phone, e-mail, more (NNSquad)

Lauren Weinstein <lauren@vortex.com>
Wed, 20 Nov 2013 22:39:49 -0800
  "Swedish citizens will get all their phone calls and e-mail traffic
  wiretapped in real time not just by the Swedish NSA branch, but also by
  police, customs, the tax authority, and others. These plans were revealed
  today by the Ny Teknik magazine, sending shockwaves among civil rights
  activists. This follows a previous law change that gave the Swedish NSA
  branch, the FRA, realtime access to all Internet traffic that crossed the
  country borders - effectively wiretapping everybody warrantlessly all the
  time."
    http://j.mp/I67Qnu  (Falkvinge)
http://falkvinge.net/2013/11/19/swedish-regime-to-give-police-customs-tax-authorities-realtime-access-to-citizens-phone-mail-more/


US and UK struck secret deal to allow NSA to 'unmask' Britons' personal data

Dave Farber <dave@farber.net>
Thu, 21 Nov 2013 08:36:40 -0500
http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data


US senators say there's 'no evidence' bulk metadata surveillance is useful (Cyrus Farivar)

via Dave Farber
Wednesday, November 20, 2013
Cyrus Farivar, 19 Nov 2013
http://arstechnica.com/tech-policy/2013/11/us-senators-say-theres-no-evidence-bulk-metadata-surveillance-is-useful/

Sen. Mark Udall (D-CO) and others join as amici to lawsuit filed against
NSA.  As we reported back in July 2013, the Electronic Frontier Foundation
and its allies filed a new federal lawsuit challenging government spying in
the wake of the Snowden leaks.

This case, First Unitarian Church v. NSA, challenges the government's
collection of telephone call information, saying the practice violates the
First, Fourth, and Fifth Amendments of the United States Constitution. The
complaint states that Verizon, AT&T, and Sprint all participate in the
government's collection of data, including originating and terminating phone
numbers, trunk identifiers, calling card numbers, and time and duration of
calls.

Now, the First Unitarian Church and its fellow plaintiffs have new allies in
three United States senators who have been at the forefront of surveillance
policy reform. In a new amicus brief filed on Tuesday, Senators Mark Udall
(D-CO), Ron Wyden (D-OR), and Martin Heinrich (D-NM) say that they “have
seen no evidence that the bulk collection of Americans' phone records has
provided any intelligence of value that could not have been gathered through
less intrusive means.'' In this case, the plaintiffs argue that the
National Security Agency's collection of phone data is unconstitutional, not
just because it affects their rights to be free of illegal searches but
because it affects their free speech rights as well. The lawsuit alleges
that the government is impinging on First Amendment rights of activist
groups to communicate anonymously, as well as "the right to associate
privately and the right to engage in political advocacy free from government
interference."

The new brief critiques several prominent cases that government officials
have used to justify their spying program, including the Najibullah Zazi
case and the Basaaly Moalin case. Zazi pleaded guilty in 2010 to an
attempted bombing of the New York City subway system and is scheduled for
sentencing in February 2014. Moalin's attorneys continue to challenge the
government's case. The government has also argued that Khalid al-Mihdhar,
one of the September 11, 2001 hijackers who had been living in the United
States, could have been identified earlier with the bulk phone records
program in place. ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>


As if there weren't enough reasons to hate the wireless carriers

"DV Henkel-Wallace" <gumby@henkel-wallace.org>
Nov 19, 2013 2:41 PM
You are probably aware that some DAs are pushing for phones to support a
"kill switch" to reduce phone theft.

According to today's *The New York Times*, although the phone manufacturers
are willing, the carriers are not.  SF's DA says, "the carriers are
concerned that the software would eat into the profit they make from the
insurance programs many consumers buy to cover lost or stolen phones."

Interestingly, Apple (whose customer is the end user, not the carrier) had
no problem adding this feature.  So now the carriers are hurting not only
their customers but their vendors too.

http://bits.blogs.nytimes.com/2013/11/19/carriers-reject-a-kill-switch-for-preventing-cellphone-theft/

  [Gene Wirchenko noted Martyn Williams, InfoWorld Home, 21 Nov 2013
  Law enforcement officials in New York and San Francisco called the
  carriers' response 'highly disturbing'.  PGN]
http://www.infoworld.com/d/mobile-technology/mobile-carriers-slammed-rejecting-smartphone-kill-switch-231373


Op-ed: Lavabit's founder responds to cryptographer's criticism (Ladar Levison)

"Cipher Editor" <cipher-editor@ieee-security.org>
Fri, 22 Nov 2013 14:30:04 -0700
http://arstechnica.com/security/2013/11/op-ed-lavabits-founder-responds-to-cryptographers-criticism/
Ladar Levison, Ars Technica, 7 Nov 2013

"Ladar Levison, who shut down his secure e-mail service under US government
pressure, has learned a lot."  His vision was protection for e-mail "at rest"
in a way that would make government search warrants useless.  Instead, he
got hit with a demand for the system's "data in transit" keys, implying a
network surveillance capability that caught him unawares.


"Jailbreak a phone, go to jail: Copyright law, the TPP way" (Robert X. Cringely)

Gene Wirchenko <genew@telus.net>
Thu, 21 Nov 2013 09:43:37 -0800
Robert X. Cringely, InfoWorld, 21 Nov 2013
Even more examples of ill-informed thinking lurk in the Trans-Pacific
Partnership, the SOPA/CISPA/PIPA redux
http://www.infoworld.com/t/cringely/jailbreak-phone-go-jail-copyright-law-the-tpp-way-231331


Computer Scientists Not Totally Clueless About Passwords (Dan Goodin)

"Cipher Editor" <cipher-editor@ieee-security.org>
Fri, 22 Nov 2013 14:30:04 -0700
Dan Goodin, Ars Technica , 8 Nov 2013

http://arstechnica.com/security/2013/11/its-official-computer-scientists-pick-stronger-passwords/

"It's official: Computer scientists pick stronger passwords.  Landmark study
says people in business school choose weakest passwords."

While it seems unsurprising that computer scientists, on the average, choose
slightly better passwords than their peers in the arts, it is surprising
that those in the arts surpass those in business school.  Apparently the
profit motive is insufficient.


"GitHub bans weak passwords after brute-force attack results in compromised accounts" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 21 Nov 2013 11:06:48 -0800
Lucian Constantin, InfoWorld, 20 Nov 2013
Some GitHub accounts have had their passwords, access tokens, and SSH
keys reset
http://podcasts.infoworld.com/d/security/github-bans-weak-passwords-after-brute-force-attack-results-in-compromised-accounts-231273


Web Companies Slam Ruling In Libel Case [as well they should

Lauren Weinstein <lauren@vortex.com>
Fri, 22 Nov 2013 08:26:25 -0800
  The Web companies say in their papers that Bertelsman interpreted the
  Communications Decency Act too narrowly. "Virtually every website includes
  features that invite and encourage users to enter particular types of
  content," the companies argue. "A site devoted to reviews of restaurants
  or other businesses might well have specific language explaining the value
  and importance readers place on 'negative' reviews and soliciting users to
  submit details of their negative experiences with a business."  The
  companies add that all Web sites that invite negative reviews or contents
  could lose their immunity for libel, under Bertelsman's view of the law.
    http://j.mp/1bXYuEZ  (Mediapost via NNSquad)


Hackers actively exploiting JBoss vulnerability to compromise servers (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 19 Nov 2013 14:57:06 -0800
Lucian Constantin, InfoWorld, 18 Nov 2013
Hackers exploit exposed JBoss management interfaces and invokers to
install Web shells on servers
http://www.infoworld.com/d/security/hackers-actively-exploiting-jboss-vulnerability-compromise-servers-231091


Germany threatens to fine and/or jail Carl Malamud for doing his usual thing

Lauren Weinstein <lauren@vortex.com>
Fri, 22 Nov 2013 08:37:06 -0800
  One of the most important public safety laws in Europe is Dir.
  2001/95/EC, which regulates general product safety.  Public.Resource.Org,
  in our ongoing quest to make legally-mandated public safety codes
  available, purchased the German instantiation of 40 of these essential
  codes and made them available on the Internet. Every country in the EU is
  required to implement and publish these standards.  "Imagine our surprise
  when we were served notice to appear in Hamburg District Court in
  Germany."  http://j.mp/1bXZSr4 (Boing Boing via NNSquad)


Metadata vs. data: the real issue (via Dave Farber's IP)

"Geoff Kuenning" <geoff@cs.hmc.edu>
Nov 21, 2013 4:21 AM
In recent months, much has been about the NSA's collection of phone dialing
records and similar information.  The government is quick to label what they
collect as "metadata", even though that is something of a misnomer in the
current situation.  The follow-on to that characterization is the claim that
metadata doesn't threaten privacy, because the actual *content* of phone
calls, texts, and e-mails remains hidden.

Many people have pointed out that because large amounts of metadata can
reveal important information, it is itself a privacy threat.  And they're
correct: for example, in the last few days I've searched "Munich weather"
several times.  It doesn't take much insight to figure out what's in my
immediate future.

But what the government's argument (quite deliberately) glosses over is
another critical difference between metadata and raw data: metadata is
designed for computer processing.  Anybody who has used a voice recognition
or voice transcription system knows how hard it is to successfully eavesdrop
on millions of phone calls simultaneously.  But the metadata from those
millions of calls can easily filter out a few hundred that are then passed
to humans for detailed snooping.

And *that* is why the collection of metadata is a problem.

  Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/
  Statistics don't bore people, people bore people.


HP sending *styrofoam* junk mail

via Dave Farber
Wednesday, November 20, 2013
Today I received a package from HP, advertising their new ZBook family of
laptop computers.

That itself would be unremarkable. What was remarkable was the packaging:

  - a 13" x 9"x 0.75" chunk of styrofoam, inside a
  - paper box and brochure, wrapped in
  - "shrinkwrap" plastic

I appreciate their intent—to demonstrate the size of their computer by
sending me something of the same dimension. Given the dimensions are
basically the same as most low-end laptops for the past 15 years, that seems
just a waste of time.

What is more disconcerting is *shipping* styrofoam that has no functional
use (corrugated paper would have worked equally well).

This wins the wasted packaging award IMO. I guess HP isn't all that
concerned about environmental issues, despite having a web page dedicated
to claiming otherwise:

http://www8.hp.com/us/en/hp-information/environment/

I'll let Consumer Reports know (they highlight cases inside the back cover
of every issue), but I thought this list might find this interesting too.


Alternate definition of GIGO (Re: Epstein, RISKS-27.61)

Paul Wexelblat <wex@cs.uml.edu>
Thu, 21 Nov 2013 10:21:47 -0500
Very old, fairly common alternate definition of GIGO is Garbage In, Gospel
Out.  As when the electric company insists that you used $113,047.15 of
electricity last month, "because the computer says so".


Re: UK conservatives attempting to erase their Internet history (RISKS-27.61)

"Scott Miller" <SMiller@unimin.com>
Wed, 20 Nov 2013 11:36:01 -0500
All one must do to retroactively remove the entire history of a web page (or
entire domain) from the so-called Wayback Machine is publish a "robots.txt"
directive under the appropriate url? Is that the correct interpretation
here? If so, I'm very disappointed with archive.org. It's one thing to honor
"robots.txt" prospectively, it's quite another to allow its use to
effectively erase content after the fact. To me, this renders the Internet
Archive essentially useless. On further investigation, the retroactive
attribute is confirmed by the IA FAQ, and Alexa Internet seems to be the
culprit. Not that my conclusions about IA are altered in any way by that
finding...

Please report problems with the web pages to the maintainer

x
Top