The RISKS Digest
Volume 27 Issue 73

Tuesday, 28th January 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Will non-profit foundations step up to save the Internet?
Dan Gillmor via Dewayne Hendricks
Coca-Cola laptop breach common failure of encryption/security basics
Robert Westervelt via Monty Solomon
Why is the US a decade behind Europe on 'chip and pin' cards?
Heather Long via Dewayne Hendricks
DV Henkel-Wallace
Daniel Weitzner
Like mobsters dividing turf, the giant ISPs talk about dividing up the country into fiefdoms
Ars Technica via NNSquad
Re: Software licensing as information leak
Michael Black
STAMP Workshop 2014 Registration
Nancy Leveson
REVIEW: "Rainbows End", Vernor Vinge
Rob Slade
Info on RISKS (comp.risks)

Will non-profit foundations step up to save the Internet? (Dan Gillmor)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Monday, January 27, 2014
Dan Gillmor, *The Guardian*, 24 Jan 2014
A few corporations and government are strangling democratized technology.
We have to fight back, but it takes money.

http://www.theguardian.com/commentisfree/2014/jan/24/save-the-open-internet-foundations

The best foundations and philanthropies exist to address market failure,
working to solve problems that business and government ignore or make
worse. Andrew Carnegie funded public libraries in America. Bill and Melinda
Gates are working to save lives in the developing world. The Ford Foundation
puts social justice at the core of its programs.

Now it's time for our major foundations and philanthropists to address an
impending new failure. They can help save the kinds of open, decentralized
systems that gave us personal computing and the Internet.

Like a python that suffocates its prey, the forces of centralization --
corporate and governmental—are inexorably strangling democratized
technology and communications. They have power, and they have money, and
they're not even slightly interested in allowing tomorrow's technology and
communications to be controlled by the users, because that would threaten
their power and profits. They don't do this because they necessarily have
evil goals. Rather, like the python, it is in their nature.

I'm hardly the first to notice any of this. Far-seeing people have been
warning for years about the way users of technology and communications have
been herded—often willingly—into various kinds of walled gardens and
centralized services. Companies like Facebook, Google, Apple and Microsoft
have built dominant positions in key areas of the overall ecosystem by
offering genuine value. Governments create or permit oligopolies, even
monopolies, in telecommunications service; and politicians fan public fears
of violence and terrorism so they can spy on, if not lock down, our
communications.

The result: the devices we buy are increasingly controlled by the sellers,
not us. What we say and do is increasingly recorded. Innovation moves from
the edge of networks to the center, because we need permission from the ones
in control.

It's not a lost cause, not yet. A number of efforts, some longstanding and
others fledgling, are under way in the US and around the world to alert
people to what's at stake. Activist groups such as the Electronic Frontier
Foundation, among a number of others, work hard to get the public's
attention.

The EFF and others are also trying to do something about the situation,
beyond talking, by working on technological measures to boost security and
-- this is key—keep user control at the edges, by effectively
re-decentralizing. These efforts range from the decades-old free software
movement (often called "open source") to the more recent "Indie Web" and
Open Technology Institute projects. In an upcoming column I'll talk in more
detail about some of the newer technological initiatives.

However useful they are, they may well be over-matched on this most tilted
of playing fields. Which is where foundations enter the picture. Here's my
plea to them:

First, direct some resources toward education. Help the public understand
the issues. This is necessary because on issue after issue, major media tend
to reflect corporate and governmental values, not the public's.  Copyright,
for example, has become a major control issue, with Hollywood and its allies
working constantly for ever-tougher laws restricting access to and use of
copyrighted material, and using existing laws to thwart innovative new
services that threaten their business model. The major TV networks' news
programs have barely addressed copyright, because they are part of the
cartel that wants more control.  [...]


Coca-Cola laptop breach common failure of encryption/security basics

Monty Solomon <monty@roscom.com>
Tue, 28 Jan 2014 02:14:48 -0500
Robert Westervelt, CRN, 27 Jan 2014  [Re: previous item in RISKS-27.72. PGN]

Coca-Cola is notifying employees, contractors and people associated with its
suppliers following a data breach at its Atlanta headquarters that resulted
in the theft of laptops and information exposure on at least 74,000 people.

The laptops, which have been recovered, were stolen by a former employee,
according to the Wall Street Journal, which first reported the security
incident Monday. A Coca-Cola spokesperson did not return repeated requests
from CRN for a comment on Monday. Coca-Cola told the newspaper that the
laptop was not encrypted and contained the names, Social Security numbers
and addresses of the individuals and included other details, such as
driver's license numbers, compensation and ethnicity.

The firm said the laptops were stolen by an employee who was assigned to
properly dispose of the equipment. The newspaper reported that Coca-Cola is
sending out notification letters to 18,000 people whose names and Social
Security numbers were found on the laptops as well as 56,000 people who had
other personal information potentially exposed. ...

http://www.crn.com/news/security/240165711/coca-cola-laptop-breach-a-common-failure-of-encryption-security-basics.htm


Why is the US a decade behind Europe on 'chip and pin' cards? (Heather Long)

Dewayne Hendricks <dewayne@warpspeed.com>
Tuesday, January 28, 2014
Heather Long, *The Guardian*, 27 Jan 2014
Perhaps the Target data breach involving 100m credit and debit cards will
finally wake up the US on its outdated technology

http://www.theguardian.com/commentisfree/2014/jan/27/target-credit-card-breach-chip-pin-technology-europe

If you live in the US, you probably heard about the 100m credit and debit
card numbers that were stolen from Target's databases recently. (Target
initially stated 40m cards were at risk and then revised the figure up).

While Target tries to limit the damage (they recently sent out an email
offering free credit monitoring), the bigger question people are rightly
asking is why is the US a decade behind Europe on issuing safer "chip and
pin" credit and debit cards? How did we let it get this bad?

I remember arriving in the UK for graduate school in 2004 and being issued
credit and debit cards after opening a British bank account. My American
colleagues and I were fascinated by these pieces of plastic. They were black
and red - we called them "Darth Maul cards" after the Star Wars character -
and they had microchips embedded in them, something few of us had ever seen
before. It was relatively new technology at the time, used to protect
against fraud. It's now in place across Europe (and beyond) and has greatly
reduced data theft (pdf).

Yet here we are in 2014 and America, a supposed leader in all things
financial, has yet to implement this technology (more commonly referred to
on this side of the pond as EMV or "smart cards", which only reinforces that
the US is still in the "dumb card" era). Some question whether chip and pin
would have stopped the Target case entirely, but it sure would have made
using the stolen data a lot harder.

Things are starting to change - at least for high-end Americans. A number of
banks are quietly rolling out smart cards. Citi and Chase, for example,
offer several premier credit cards with chip and pin, but only for certain
accounts. Curiously, HSBC, one of the UK's leading banks that has issued
chip and pin cards in Europe for years, does not give them out yet to
American customers as "standard practice", according to a spokesman.

So what's keeping the US in the "dumb card" era?

1. Scale

Sometimes size isn't a plus. The US has over 10m credit card terminals and
1.2bn cards, according to Smart Card Alliance, an industry group that tries
to educate and push for the widespread adoption of this technology in the
US. The Alliance estimates that less than 2% of Americans have smart cards.
It's difficult to get such a large market to adopt. As the Wall Street
Journal reported last week, Target actually tried to roll out smart cards
from 2001-04, but the rest of the market didn't follow.

2. Who pays for the updates?

The credit card market in the US is complex (pdf). You have retailers, big
banks and then card associations like Visa and Mastercard. So you have to
get three sectors of the market to work together to implement any new
technology. US retailers and credit card companies have been at war for
years over who pays what transaction fees. Now they're trying to sort out
who will pay for the estimated $8bn costs (pdf) for chip and pin technology.

3. The US has low fraud rates

America has strong legal protections for people whose credit cards numbers
are stolen and historically low fraud rates compared to the rest of the
world, so there was a "what's the problem?" mentality here. Randy
Vanderhoof, executive director of the Smart Card Alliance also says, "There
is not the equivalent of the UK Card Association in the US to set policy and
require all stakeholders to act. It has been a challenge to get everyone to
agree on much of anything when it comes to payments and who pays the cost
and where the fraud savings will be realized."


Why is the US a decade behind Europe on 'chip and pin' cards?

*DV Henkel-Wallace* <gumby@henkel-wallace.org>
Tuesday, January 28, 2014
It's more like two decades—10 years ago is merely when that author first
saw a chip card.  The chip and pin infrastructure was fully built out even
in small villages in France, Germany, Holland etc almost twenty years ago.
I don't remember if those machines even supported a swipe card since I
always used a pin.

My guess is that it will never happen in the US for a couple of reasons.

One reason is the way risk is apportioned: in the States the legal structure
forces most of the liability onto the card issuers, so there's little
substantive risk in handing the card to a waiter who takes it out of view.
I would never do the same with my European credit cards.  So why bother to
change?

The second is that any shift will follow the example of the smart phones.
Until the iPhone came out, the US mobile infrastructure was also a decade or
two behind Europe (I had a friend who would whistle the Flintstones song
whenever I would pull out a mobile phone in the US).  The US got the crappy
old phones, most of which were made by European manufacturers.  The iPhone
went off like a bomb in that market and now much of the innovation flows the
other way.  It's more likely that a Square-like player will manage to
reimagine the payment infrastructure and skip to a new generation.

PS: I got Silicon Valley Bank to issue me a card with a chip in it but it
came with no PIN!  *facepalm*


Why is the US a decade behind Europe on 'chip and pin' cards?

*Daniel Weitzner* <djweitzner@csail.mit.edu>
Tuesday, January 28, 2014
    [From Dave Farber's IP distribution]

We should look at the choice of anti-fraud techniques (whether through
chip-and-pin in the EU or statistical anomaly detection in the US) as a
decision about what kind of insurance banks and payment processors chose to
buy. Both statistical anti-fraud scoring and chip and pin cost money to
implement. No doubt the cost of phone calls originally factored into this
decision, as Peter suggests. I would probably give more weight to the legal
liability for loss that the banks face. European card processors and banks
face lower liability for fraud losses because a larger portion of payment
transactions in Europe are debit payments rather than credit transactions. In
this case, the customer bears the lion's share of the risk of loss. And my
understanding is that even with credit transactions, the banks bear less
risk than they do in the US.

As US banks bear a greater risk, it seems logical to infer that they've
decided (correctly or not) that they can insure against risk more
efficiently with statistical techniques than with hardened hardware tokens.
Perhaps this calculation will change with this new breed of attacks, but
it's not obvious to me that one or another technique is necessarily superior
from a cost perspective. The statistical anomaly detection used in the US
systems is a quite remarkable application of large-scale neural network
techniques in generating risk scores based on purchasing habits. My
understanding is that they are able to generate a risk score on every single
transaction in more or less the same amount of time as it takes to transmit
the transaction from merchant to acquiring bank to issuing bank. Another
huge but unsung success for the AI community. :-) We'll leave for another
day the interesting privacy questions about this fraud scoring using
personal financial data.

Daniel J. Weitzner, Director, MIT CSAIL Decentralized Information Group
Massachusetts Institute of Technology   http://dig.csail.mit.edu/


Like mobsters dividing turf, the giant ISPs talk about dividing up the country into fiefdoms

Lauren Weinstein <lauren@vortex.com>
Mon, 27 Jan 2014 15:42:54 -0800
Comcast and Charter want to split up Time Warner's cable markets
http://j.mp/1d5gPN1  (Ars Technica via NNSquad)

  Comcast and Charter are working out a deal in which Charter would acquire
  Time Warner Cable (TWC) and then sell some of those assets to Comcast.
  Previously, Charter offered to buy Time Warner for $61.3 billion or $37.3
  billion excluding TWC's debt. Time Warner management rejected the amount,
  but Charter is attempting to push an acquisition through by appealing to
  shareholders.  Today, Bloomberg reported that Comcast "is near a deal to
  buy New York City, North Carolina, and New England cable assets from
  Charter Communications Inc. if shareholders approve Charter's takeover bid
  for Time Warner Cable Inc."

 - - -

In most industries, this sort of activity would be viewed as illegal
restraint of trade. That these firms are so openly talking about divvying up
the universe of captive Internet users (that's you and me—though these
companies are clearly interested in our dollar value only, not in providing
robust Internet services per se) is not only shameful, but a vivid
illustration of how the U.S. Internet access industry has become an
effective monopoly in all but name. They sound like mobsters splitting up
cities for numbers rackets, prostitution, and heroin sales. Disgraceful.


Re: Software licensing as information leak (Maziuk, RISKS-27.72)

"Michael Black" <mdblack98@yahoo.com>
Tue, 28 Jan 2014 07:06:06 -0600
Here's a risk related to NMR spectra.  I worked in this field for quite a
while and we had similar programs that would "best fit" the data.  Problem
is... "best fit" is a lie... or at least not the whole truth.

The process is called multiple linear (or non-linear) regression.  At first
blush this process looks very straight forward much like a binary bit
system.  Either some combo of bits is present or not.  The problem is all
the overlapping items and noise.

Anybody that gives "best fit" from one of these systems needs to be sent to
the broom closet.  One huge problem is the library used for doing the fit... if
the library does not cover the universe of things that emit you are doing a
woefully incomplete job.  And nobody uses a complete library that I know of.
They usually use the things they expect to see or some superset of that.

The only way to do this job is "all possible combinations" with a
statistical test for fit and then rank order the results.  We had a
statistician from PNL that created such a system for us and in his results
you could see the "truth" in the answers (for known ground truth) whereas
the "best fit" people almost always produced the wrong answer.  I wish I
still had that software as there was a trick to the all possible
combinations solution.
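The "all possible combinations" approach the post advocates, as an added example that is not part of the original post or of any named software: every non-empty subset of a constructed four-component spectral library is least-squares fitted to a constructed observed spectrum and the subsets are rank-ordered by a statistical fit criterion (BIC is assumed here as that test; the library, the observation of 1.0*A + 0.5*C plus noise, and the channel layout are all constructed for illustration).

```python
"""Exhaustive subset regression for spectral mixture analysis (illustrative)."""
from itertools import combinations
from math import log

# Constructed library: four components over eight channels with overlapping
# peaks (B shares channels with A and C; D shares a channel with C).
LIBRARY = {
    "A": [3.0, 1.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0],
    "B": [0.0, 2.0, 3.0, 1.0, 0.0, 0.0, 0.0, 0.0],
    "C": [0.0, 0.0, 0.0, 1.0, 3.0, 2.0, 0.0, 0.0],
    "D": [0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 3.0, 1.0],
}

# Constructed observation: 1.0*A + 0.5*C plus small additive noise.
OBSERVED = [3.01, 0.97, 0.01, 0.53, 1.49, 1.00, 0.01, -0.03]


def solve_linear(a, b):
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def least_squares(columns, y):
    """Fit y ~ sum(coef_j * columns[j]) via normal equations; return (coef, RSS)."""
    n, k = len(y), len(columns)
    xtx = [[sum(c1[i] * c2[i] for i in range(n)) for c2 in columns] for c1 in columns]
    xty = [sum(c[i] * y[i] for i in range(n)) for c in columns]
    coef = solve_linear(xtx, xty)
    rss = sum((y[i] - sum(coef[j] * columns[j][i] for j in range(k))) ** 2
              for i in range(n))
    return coef, rss


def bic(rss, n, k):
    """Bayesian information criterion for a Gaussian-error fit (lower is better)."""
    return n * log(max(rss, 1e-12) / n) + k * log(n)


def rank_all_subsets(library, observed):
    """Fit every non-empty subset of the library and rank by BIC."""
    names = sorted(library)
    n = len(observed)
    results = []
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            coef, rss = least_squares([library[s] for s in subset], observed)
            results.append((bic(rss, n, k), subset, [round(c, 4) for c in coef], rss))
    results.sort(key=lambda r: r[0])
    return results


if __name__ == "__main__":
    # The full ranked list shows how far the runners-up trail the winner,
    # which a single "best fit" answer never reveals.
    for score, subset, coef, rss in rank_all_subsets(LIBRARY, OBSERVED):
        print(f"BIC={score:8.2f}  RSS={rss:.4f}  {'+'.join(subset):8s} coef={coef}")
```

Supersets of the true pair (A+B+C, A+C+D, ...) fit the noise no better here, so the BIC penalty for extra parameters pushes them below A+C; with a library that omits a real emitter, no subset would fit well and the whole ranking would flag that.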


STAMP Workshop 2014 Registration

Nancy Leveson <leveson.nancy8@gmail.com>
Mon, 27 Jan 2014 20:27:17 -0500
*Third MIT STAMP/STPA Workshop*, MIT, Cambridge, Mass., 25-27 March 2014

STAMP is a new accident causality model based on systems theory and systems
thinking described in Nancy Leveson's book *Engineering a Safer World*.
STAMP integrates into engineering analysis the causal factors in our
increasingly complex systems such as software, human decision-making and
human factors, new technology, social and organizational design, and safety
culture.

STPA is a powerful new hazard analysis technique based on STAMP while CAST
is the equivalent for accident/incident analysis. These tools are now used
globally in almost every industry.  This free workshop will provide
attendees with the opportunity to learn how to use these new tools, to meet
with users and to hear about applications, evaluations, and the latest
developments in this powerful new approach to system safety engineering.

This year, the workshop will include a parallel half-day session on the
application of STAMP to security. Presentations will span the application
areas of automotive, aeronautics, air transportation (NextGen), railroads,
medicine, petrochemicals, etc. and will include presentations of three sets
of tools that are being developed (at the University of Stuttgart, Volpe
National Transportation Research Center, and MIT) to support STPA.  You do
not need to make a presentation in order to attend, you can just listen.

Information about special rates on hotels and other aspects of the meeting
will be posted on http://psas.scripts.mit.edu/home/

If you are interested in attending, we would appreciate it if you would
register that interest. It's free, but we need to obtain appropriate space
at MIT and want to avoid another big surprise like the first year when we
expected 50 and 250 showed up. The registration list will also help us with
planning and with detailed announcements about the workshop as I do not want
to spam people with multiple unwanted emails. Registration can be done at:

https://docs.google.com/forms/d/1kFTrXiqxfhscdt0f0o4bRTit_CD8Czs6n7g1PaaHxsQ/viewform

Prof. Nancy Leveson, Aeronautics and Astronautics and Engineering Systems
MIT, 77 Mass. Ave., Cambridge, MA 02142 1-617-258-0505 http://sunnyday.mit.edu

  [Note: The latest Inside Risks article, by Nancy Leveson and William Young,
  An Integrated Approach to Safety and Security Based on System Theory,
  is in the February 2014 CACM, and now on the Inside Risks website:
    http://www.csl.sri.com/neumann/insiderisks.html#232
  PGN]


REVIEW: "Rainbows End", Vernor Vinge

Rob Slade <rmslade@shaw.ca>
Tue, 28 Jan 2014 14:04:03 -0800
BKRNBSND.RVW   20130525
"Rainbows End", Vernor Vinge, 2006, 0-312-85684-9, U$25.95/C$34.95
%A   Vernor Vinge
%C   175 Fifth Avenue, New York, NY  10010
%D   2006
%G   0-312-85684-9
%I   Tor Books/Tom Doherty Assoc.
%O   U$25.95/C$34.95 pnh@tor.com www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0312856849/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0312856849/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0312856849/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   364 p.
%T   "Rainbows End"

It is always a pleasure to read something from Vinge.  His characters are
interesting, his plots sufficiently convoluted, and his writing clear and
flowing.  In addition, for the geek, his understanding of the technology is
realistic and fundamental, which makes a change from so many who merely
parrot jargon they do not comprehend.

Of course, this is future technology we are talking about, so none of it is
(currently) real.  But it could be, without the wild flights of illogic that
so abound in fiction.

In this book, we have a future with interconnectedness around the globe.  Of
course, this means that there are dangers, in regard to identity and
authentication.  The new technology protects against these dangers with a
Secure Hardware Environment.  (Or SHE, and, since the DHS mandates that
everyone must use it, does that make it SHE-who-must-be-obeyed?)

Encryption is, of course, vital to the operations, and so is used a lot,
often in multiple layers.  It is probably a measure of the enjoyability of
Vinge's work that I really didn't take note of the fact that two of the
characters were named Alice and Bob.  Not, that is, until late in the
volume, when the author also briefly introduces a character named Eve
Mallory.

copyright, Robert M. Slade   2013   BKRNBSND.RVW   20130525
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org

  [Note the presumably intentional ambiguity between Rainbow's End (nounal)
  and Rainbows End (verbal), with Vernor taking Revinge on Alice and Bob.
  PGN]
