The RISKS Digest
Volume 27 Issue 92

Tuesday, 13th May 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Analysis of Estonia's e-voting system reveals—a mess
Lauren Weinstein
Greenwald: how the NSA tampers with US-made Internet routers
Henry Baker
"Microsoft extends Windows 8.1 Update/KB 2919355 deadline"
Woody Leonhard via Gene Wirchenko
"Government agencies still vulnerable to Heartbleed, study says"
Andrew Brooks via Gene Wirchenko
LAX ATC failure caused by memory shortage
Alwyn Scott and Joseph Menn
"With the Internet of things, smart buildings pose big risk"
Jaikumar Vijayan via Gene Wirchenko
European court says Google must respect 'right to be forgotten'
Reuters via Lauren Weinstein
Re: Federal court overturns Google v. Oracle decision
Dennis E. Hamilton
Re: Reading, Writing, Arithmetic—and Coding
Re: Saudi blogger
Ian Halliday
Re: Federal Agents Seek to Loosen Rules on Hacking Computers
Alister Wm Macintyre
Re: The perils of PayWave
Joe Keane
Announcing ACM's new Special Interest Group on Logic and Computation: SIGLOG
Prakash Panangaden
Info on RISKS (comp.risks)

Analysis of Estonia's e-voting system reveals—a mess

Lauren Weinstein <>
Mon, 12 May 2014 16:21:13 -0700 [via NNSquad] (Re: second item in RISKS-27.90)

  "Estonia is the only country in the world that relies on Internet voting
  in a significant way for legally-binding national elections—up to 25%
  of voters cast their ballots online. This makes the security of the system
  of interest to technologists and voters the world over. As international
  experts on e-voting security, we decided to perform an independent
  evaluation of the system, based on election observation, code review, and
  laboratory testing.  What we found alarmed us. There were staggering gaps
  in procedural and operational security, and the architecture of the system
  leaves it open to cyberattacks from foreign powers, such as Russia. These
  attacks could alter votes or leave election outcomes in dispute. We have
  confirmed these attacks in our lab—they are real threats. We urgently
  recommend that Estonia discontinue use of the system."

Greenwald: how the NSA tampers with US-made Internet routers

Henry Baker <>
Mon, 12 May 2014 19:02:53 -0700
FYI—Domestic U.S. Internet users shouldn't feel slighted, however; their
ISPs have also pre-installed NSA-accessible backdoors into the routers
supplied to them by their ISPs (Verizon, in my case).  Needless to say,
what's good for the goose is good for the gander; these ISP-supplied
backdoors can be easily hacked by criminals.

Glenn Greenwald: how the NSA tampers with US-made Internet routers

The NSA has been covertly implanting interception tools in US servers
heading overseas—even though the US government has warned against using
Chinese technology for the same reasons, says Glenn Greenwald, in an extract
from his new book about the Snowden affair, No Place to Hide.

Glenn Greenwald, *The Guardian*, Monday 12 May 2014

For years, the US government loudly warned the world that Chinese routers
and other Internet devices pose a "threat" because they are built with
backdoor surveillance functionality that gives the Chinese government the
ability to spy on anyone using them.  Yet what the NSA's documents show is
that Americans have been engaged in precisely the activity that the US
accused the Chinese of doing.

The drumbeat of American accusations against Chinese Internet device
manufacturers was unrelenting.  In 2012, for example, a report from the
House Intelligence Committee, headed by Mike Rogers, claimed that Huawei and
ZTE, the top two Chinese telecommunications equipment companies, "may be
violating United States laws" and have "not followed United States legal
obligations or international standards of business behaviour".  The
committee recommended that "the United States should view with suspicion the
continued penetration of the US telecommunications market by Chinese
telecommunications companies".

The Rogers committee voiced fears that the two companies were enabling
Chinese state surveillance, although it acknowledged that it had obtained no
actual evidence that the firms had implanted their routers and other systems
with surveillance devices.  Nonetheless, it cited the failure of those
companies to cooperate and urged US firms to avoid purchasing their
products: "Private-sector entities in the United States are strongly
encouraged to consider the long-term security risks associated with doing
business with either ZTE or Huawei for equipment or services.  US network
providers and systems developers are strongly encouraged to seek other
vendors for their projects.  Based on available classified and unclassified
information, Huawei and ZTE cannot be trusted to be free of foreign state
influence and thus pose a security threat to the United States and to our

The constant accusations became such a burden that Ren Zhengfei, the
69-year-old founder and CEO of Huawei, announced in November 2013 that the
company was abandoning the US market.  As Foreign Policy reported, Zhengfei
told a French newspaper: "'If Huawei gets in the middle of US-China
relations,' and causes problems, 'it's not worth it'."

But while American companies were being warned away from supposedly
untrustworthy Chinese routers, foreign organisations would have been well
advised to beware of American-made ones.  A June 2010 report from the head
of the NSA's Access and Target Development department is shockingly
explicit.  The NSA routinely receives—or intercepts—routers, servers
and other computer network devices being exported from the US before they
are delivered to the international customers.

The agency then implants backdoor surveillance tools, repackages the devices
with a factory seal and sends them on.  The NSA thus gains access to entire
networks and all their users.  The document gleefully observes that some
"SIGINT tradecraft is very hands-on (literally!)."

Eventually, the implanted device connects back to the NSA.  The report
continues: "In one recent case, after several months a beacon implanted
through supply-chain interdiction called back to the NSA covert
infrastructure.  This call back provided us access to further exploit the
device and survey the network."

It is quite possible that Chinese firms are implanting surveillance
mechanisms in their network devices.  But the US is certainly doing the

Warning the world about Chinese surveillance could have been one of the
motives behind the US government's claims that Chinese devices cannot be
trusted.  But an equally important motive seems to have been preventing
Chinese devices from supplanting American-made ones, which would have
limited the NSA's own reach.  In other words, Chinese routers and servers
represent not only economic competition but also surveillance competition.

"Microsoft extends Windows 8.1 Update/KB 2919355 deadline" (Woody Leonhard)

Gene Wirchenko <>
Tue, 13 May 2014 09:06:14 -0700
Woody Leonhard | InfoWorld, 12 May 2014
With one day to go before Black Tuesday patches, Microsoft didn't so much
blink as bow to the reality that users have been unable to install Windows
8.1 Update.

"Government agencies still vulnerable to Heartbleed, study says" (Andrew Brooks)

Gene Wirchenko <>
Tue, 13 May 2014 09:20:36 -0700
Andrew Brooks, *IT Business*, 12 May 2014

opening text:

The Heartbleed OpenSSL bug just refuses to die. Now it looks as if the
measures many web sites, including some belonging to Canadian provincial and
federal governments, may still be at risk despite being "fixed."

That's according to a new study published last Friday by Internet services
company Netcraft Ltd. The study claims that while websites patched
vulnerable OpenSSL installations after Heartbleed was exposed early in
April, replacing their SSL certificates and revoking the old ones, some
actually re-used the same potentially compromised private key in the new

LAX ATC failure caused by memory shortage

Henry Baker <>
Mon, 12 May 2014 18:30:22 -0700
FYI—While "memory shortage" was the presenting problem, apparently *no*
amount of additional memory could have satisfied the search over an
*infinite* number of altitudes, so the "cause" was an actual software _bug_,
not merely "memory shortage", per se.

An interesting question is: "what would have happened had this U-2 flight
simply not been entered into the ERAM system in the first place?"  Or did
entering this additional data actually make things worse?  The
data-not-entered case would presumably be exercised for a rogue drone
(perhaps a panga/smuggling drone if in the L.A. area) flight.

Alwyn Scott and Joseph Menn, Reuters, 12 May 2014
Exclusive: Air traffic system failure caused by computer memory shortage

A common design problem in the U.S. air traffic control system made it
possible for a U-2 spy plane to spark a computer glitch that recently
grounded or delayed hundreds of Los Angeles area flights, according to an
inside account and security experts.

In theory, the same vulnerability could have been used by an attacker in a
deliberate shut-down, the experts said, though two people familiar with the
incident said it would be difficult to replicate the exact conditions.

The error blanked out a broad swath of the southwestern United States, from
the West Coast to western Arizona and from southern Nevada to the Mexico

As aircraft flew through the region, the $2.4 billion system made by
Lockheed Martin Corp, cycled off and on trying to fix the error, triggered
by a lack of altitude information in the U-2's flight plan, according to the
sources, who were not authorized to speak publicly about the incident.

No accidents or injuries were reported from the April 30 failure, though
numerous flights were delayed or canceled.

Lockheed Martin said it conducts "robust testing" on all its systems and
referred further questions about the En Route Automation Modernization
(ERAM) system to the Federal Aviation Administration.

FAA spokeswoman Laura Brown said the computer had to examine a large number
of air routes to "de-conflict the aircraft with lower-altitude flights".
She said that process "used a large amount of available memory and
interrupted the computer's other flight-processing functions".

The FAA later set the system to require altitudes for every flight plan and
added memory to the system, which should prevent such problems in the
future, Brown said.


When the system went out, air traffic controllers working in the regional
center switched to a back-up system so they could see the planes on their
screens, according to one of the sources.

Paper slips and telephones were used to relay information about planes to
other control centers.

The ERAM system failed because it limits how much data each plane can send
it, according to the sources.  Most planes have simple flight plans, so they
do not exceed that limit.

But a U-2 operating at high altitude that day had a complex flight plan that
put it close to the system's limit, the sources said.

The plan showed the plane going in and out of the Los Angeles control area
multiple times, not a simple point-to-point route like most flights, they

The flight plan did not contain an altitude for the flight, one of the
sources said.  While a controller entered the usual altitude for a U-2 plane
- about 60,000 feet - the system began to consider all altitudes between
ground level and infinity.

The conflict generated error messages and caused the system to begin cycling
through restarts.

"The system is only designed to take so much data per airplane," one of the
sources said.  "It keeps failing itself because it's exceeded the limit of
what it can do."


The sources said the circumstances would be difficult for an attacker to
mimic, since they involved a complex flight plan, an altitude discrepancy
and an input from the controller that added to the flight plan data.

Former military and commercial pilots said flight plans are generally
carefully checked and manually entered into the air traffic control
computers, which are owned by the FAA.

"It would be hard to replicate by a hostile government, but it shows a very
basic limitation of the system," said a former military and commercial

Cyber-attacks on aviation have been an area of increased concern for
intelligence officials, who said earlier this year they will set up a new
center in Maryland for sharing information on detected and possible threats.

Security experts said that from the description by insiders, the failure
appeared to have been made possible by the sort of routine programming
mistake that should have been identified in testing before it was deployed.

"That's when you put in values anywhere that a human could put in a number,
like minus one feet, or a million feet, to see what that would do," said
Jeff Moss, founder of the Black Hat and Def Con security conferences and an
advisor to the Department of Homeland Security.

While it might be logical to limit the amount of data associated with one
flight plan, anything exceeding that amount should not be able to render the
system useless, they said.

Though they welcomed the FAA's assurance that a fix was being rolled out,
they said the incident suggested that similar failures could be found.

"If it's now understood that there are flight plans that cause the automated
system to fail, then the flight plan is an 'attack surface,'" said Dan
Kaminsky, co-founder of the White Ops security firm and an expert in attacks
based on over-filling areas of computer memory.

"It's certainly possible that there are other forms of flight plans that
could cause similar or even worse effects," Kaminsky said.  "This is part of
the downside of automation."

Moss said many hackers have been studying aspects of a new $40 billion air
traffic control system, known as NextGen, which encompasses ERAM, including
its reliance on Global Positioning System data that could be faked.

At least two talks at this summer's Def Con will look at potential
weaknesses in the system.

"It's very over-budget and behind schedule, so it doesn't surprise me that
it's got some bugs - it's the way it presented itself" that's alarming, Moss

But air traffic controllers and pilots said ERAM is a vast improvement over
past systems and that it is needed to fit growing plane traffic into the
airspace safely.

Nate Pair, president of the Los Angeles Center for the National Air Traffic
Controllers Association, said it was remarkable that ERAM was restored less
than an hour after the outage, limiting the effect on travelers.

"We were completely shut down and 46 minutes later we were back up and
running," Pair said.

"That could have easily been several hours and then we would have been into
flight delays for days because of the ripple effects."

(Reporting by Alwyn Scott and Joseph Menn; Editing by John Pickering and
Sophie Hares)
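The failure mode the Reuters report describes (a flight plan with no altitude turning into a search over every altitude "between ground level and infinity", plus a per-plane data limit whose breach takes the whole system down) can be shown as an intake check. This is an added illustration, not code from the report, from Henry Baker's post, or from ERAM; the plan format, the altitude ceiling, the waypoint budget and the search step are all assumptions. The weak path hands an unbounded band to the search; the hardened path rejects the plan at intake and the search itself carries a work budget, and `boundary_cases()` runs the "minus one feet, a million feet" tests Jeff Moss mentions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_ALTITUDE_FT = 0
MAX_ALTITUDE_FT = 100_000   # assumed ceiling for a filed altitude
MAX_WAYPOINTS = 64          # assumed per-plan data budget (stand-in for ERAM's limit)
STEP_FT = 1_000             # assumed search granularity


@dataclass
class FlightPlan:
    callsign: str
    altitude_ft: Optional[int]   # None models the U-2 plan that carried no altitude
    waypoints: List[str]         # a long list models the "complex" in-and-out route


class PlanRejected(ValueError):
    """Intake refused the plan; it goes to manual handling and is never searched."""


class SearchAborted(RuntimeError):
    """The search hit its work budget; the system stays up instead of cycling."""


def search_band_weak(plan: FlightPlan) -> Tuple[int, float]:
    """Weak behaviour the article describes: a missing altitude silently
    becomes the band [ground, infinity] handed to the de-confliction search."""
    if plan.altitude_ft is None:
        return MIN_ALTITUDE_FT, float("inf")
    return plan.altitude_ft, plan.altitude_ft


def validate_plan(plan: FlightPlan) -> Tuple[int, int]:
    """Hardened intake: altitude is required, must be a bounded integer, and
    the plan must fit the data budget. Bad input is rejected here, so it can
    never reach the search."""
    alt = plan.altitude_ft
    if alt is None:
        raise PlanRejected(f"{plan.callsign}: altitude is required")
    if isinstance(alt, bool) or not isinstance(alt, int):
        raise PlanRejected(f"{plan.callsign}: altitude must be an integer")
    if not MIN_ALTITUDE_FT <= alt <= MAX_ALTITUDE_FT:
        raise PlanRejected(f"{plan.callsign}: altitude {alt} ft out of range")
    if len(plan.waypoints) > MAX_WAYPOINTS:
        raise PlanRejected(f"{plan.callsign}: {len(plan.waypoints)} waypoints "
                           f"exceed the budget of {MAX_WAYPOINTS}")
    return alt, alt


def deconflict(band: Tuple[int, float], other_levels: List[int],
               budget: int = 10_000) -> List[int]:
    """Walk the altitude band in STEP_FT steps and collect stored levels that
    lie within one step of the plan. The work budget is the second guard: an
    unbounded band raises SearchAborted instead of exhausting memory."""
    lo, hi = band
    hits, steps, alt = set(), 0, lo
    while alt <= hi:
        steps += 1
        if steps > budget:
            raise SearchAborted(f"gave up after {budget} steps; band {band} is unbounded")
        hits.update(lvl for lvl in other_levels if abs(lvl - alt) < STEP_FT)
        alt += STEP_FT
    return sorted(hits)


def boundary_cases() -> Dict[str, str]:
    """The intake tests Moss describes: feed every value a human could type
    (constructed sample plans) and record what the hardened path does."""
    cases = {
        "missing": FlightPlan("U2", None, ["LAX"]),
        "minus_one": FlightPlan("T1", -1, ["LAX"]),
        "million": FlightPlan("T2", 1_000_000, ["LAX"]),
        "too_long": FlightPlan("T3", 60_000, [f"WP{i}" for i in range(MAX_WAYPOINTS + 1)]),
        "normal_u2": FlightPlan("U2", 60_000, ["LAX", "SAN", "LAX"]),
    }
    results = {}
    for name, plan in cases.items():
        try:
            validate_plan(plan)
            results[name] = "accepted"
        except PlanRejected:
            results[name] = "rejected"
    return results
```

Running `deconflict(search_band_weak(FlightPlan("U2", None, ["LAX"])), [35_000, 41_000])` trips the budget and raises `SearchAborted`, whereas the same plan never reaches the search once `validate_plan` is applied first.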

"With the Internet of things, smart buildings pose big risk" (Jaikumar Vijayan)

Gene Wirchenko <>
Tue, 13 May 2014 11:07:06 -0700
Jaikumar Vijayan | Computerworld, 13 May 2014
As buildings get more automated, they raise new security risks

Interesting paragraph:

  "The massive data theft at Target for instance, started with someone
  finding a way into the company's network using the access credentials of a
  company that remotely maintained the retailer's heating, ventilation and
  air conditioning (HVAC) system. In Target's case, the breach appears to
  have happened because the company did not properly segmelol! nt its data

Why interesting?

 1) Building control systems can be used to make attacks on other systems.
 2) Where did that "lol! " come from?  (Is this a risk of keyboard macros?)

European court says Google must respect 'right to be forgotten'

Lauren Weinstein <>
Tue, 13 May 2014 08:38:57 -0700
  "Internet companies can be made to remove irrelevant or excessive personal
   information from search engine results, Europe's top court ruled on
   Tuesday in a case pitting privacy campaigners against Google.  The Court
   of Justice of the European Union (ECJ) upheld the complaint of a Spanish
   man who objected to the fact that Google searches on his name threw up
   links to a 1998 newspaper article about the repossession of his home."
   (Reuters via NNSquad)

I can't begin to express what a bogus, inane, and utterly impractical
decision this is. Beyond ludicrous. Luckily, it means very little
without domestic government ratifications, and hopefully that won't
happen. More info? - See: "The 'Right to Be Forgotten': A Threat We
Dare Not Forget" -

(I'm a consultant to Google. My postings are speaking only for myself,
not for them.)

Re: Federal court overturns Google v. Oracle decision (RISKS-27.90)

"Dennis E. Hamilton" <>
Mon, 12 May 2014 18:58:08 -0700
Essential references:

Q&A from someone who has followed these cases carefully.

Short appellate judgment followed by careful background analysis.

By the numbers:

1. There is no new precedent here.  The particular copyright condition at
   issue applies to all literary works, with no exception for software.

2. It is not about using (that is, exercising operations through) an API.
   It is about the definition of APIs and it is specific to the nature of
   what are called APIs for Java.  The ruling navigates this very clearly.

3. It is not about implementations behind APIs, but the definitional
   material.  Google had already been found to have infringed a particular
   little bit of an implementation, but that was not reversed.  Google had
   also claimed, in the original trial, that having independent
   implementations provided a fair-use defense.  The appellate court is
   none of that.

3. The court didn't overturn the decision so much as remand it for retrial
   based on an error of law made by the original judge.  Only one part has
   been overturned.  It is a material part, because it increases the
   infringements that Google has been found to have made.

4. In the original trial, Google was found to have infringed the copyright
   on the Java API descriptions that they appropriated for Dalvek.  This was
   not about individual method names or signatures.  It was not about
   implementations behind the APIs.  It was about the sequence, structure,
   and organization (SSO) of the full sets of definitions that were taken

5. After the jury deliberations, the original judge ruled that copyright did
   not extend to the Java API SSO, so those infringements were irrelevant.
   In addition, the original jury, on finding, then deliberated on whether
   or not the Google infringement constituted fair use.  The jury was hung
   on that matter.  But, because of the elimination of any SSO copyright by
   judicial decree, there was no point in doing anything about it.

6. The appellate court ruled that the original ruling about SSO was in
   error.  SSO is subject to copyright, even when the individual elements
   are not themselves copyrightable or the original creation of the creator
   of the SSO.  This is long-standing in copyright law and precedent.  The
   decree from the appellate court explains all this in meticulous detail in
   the lengthy Background material.

7. Since infringement has already been determined at a jury trial, the
   reversal has that infringement stand and be material.  Now the question
   is whether the infringement constitutes fair use.  This will be
   determined at retrial unless the parties manage to settle in the

8. Important thing to always remember.

8.1 Fixations of original works of creation of their authors are
automatically copyrighted.  It subsists in the copyrightable subject matter
whether claimed or not, whether the exclusive rights of copyright holders
are exercised or not.  (Copyright does not extend to portions that are not
the creation of the author, and might be subject to copyright of others.
Also, not everything in an original work is eligible for copyright.  The
details of all that are in the copyright code and the precedents around it.)

8.2 The fair use doctrine is more than a doctrine.  It is a matter of law
enshrined in the US Copyright Code.  However, fair use is irrelevant except
in the case of infringement.  And fair use is determined only by a court
after infringement is determined.  The background material in the appellate
ruling suggests that Google is on shaky ground with regard to passing
unscathed through the litmus tests for fair use.  But they did not rule on
that.  They left that to be settled at retrial.

8.3 It is important to appreciate that the copyright of software is subject
to exactly the same conditions as literary works of any kind.  The special
treatment of software in copyright law has to do with backups, ephemeral
copies, and perhaps DRM to the extent that it might be applicable.  Also,
the derived binaries, not just the source, are considered to be protected by
the same copyright.  Those are the only special cases that come to mind.

Re: Reading, Writing, Arithmetic—and Coding (RISKS-27.91)

Wols Lists <>
Tue, 13 May 2014 02:04:31 +0100
PGN wrote:
> Computer literacy is essential, but once again we need to dust off the old
> Einstein dictum: Everything should be made as simple as possible, but no
> simpler. [...]

This drives me mad where databases are concerned.  I'm well known in certain
theatres as being very anti RDBMSs.  The problem is that relational theory
is very helpful in data analysis. But it simplifies everything too much!

When you look at things AS A MATHEMATICIAN, first normal form is chock full
of duplication (isn't that forbidden by relational theory :-), and seriously
muddles data and metadata. Given that most data comes as lists and, being
set based, relational cannot store lists it's pretty easy to come up with an
engineering proof that relational databases MUST, BY DESIGN, be horribly

It's unfortunately that typical human failing, that when people are
confronted with evidence that maths and reality don't agree, they prefer to
believe that it's reality that's wrong, not their theory.

(Would YOU try to explain biology in terms of quarks and leptons? And yet,
with first normal form, that's exactly equivalent to how relational
proponents try and explain extremely complex computer systems!)

Re: Saudi blogger RISKS 27.90

Ian Halliday <>
Tue, 13 May 2014 21:24:08 +0100
It's a fairly draconian punishment, but I was unconvinced that a million
riyals was really worth $266,133,000. ... [Maybe $266,133?]

Risk: journalists or risk people offering exchange rates without standing
back and saying: does this sound right?

Ian W Halliday, BA Hons, SA Fin, MBCS  +44 772 546 2965 (GMT+1)

  [The original message was a week old.  At the moment, 1 U.S. Dollar =
  3.75 Saudi Riyals, so 1M riyals are worth $266,666.666 (unrounded) today,
  roughly $533 more than a week ago.  Perhaps announcement of the penalty
  is driving the Rial UP???  PGN]

Re: Federal Agents Seek to Loosen Rules on Hacking Computers (Baker, RISKS-27.90)

"Alister Wm Macintyre" <>
Mon, 12 May 2014 16:23:47 -0500
Police violent raid-style break-ins, at wrong address of innocent people,
are more frequent than many people realize.  USA incidents are mapped at
CATO's Police Misconduct site.  <>
Select Maps > Botched Paramilitary Police Raids <>.

When they happen, authorities typically say it was a once in a million fluke
accident.  We have had thousands of these incidents.

When crooks see the cops coming, they know how to react: surrender or die.

When innocent homes are invaded, sometimes they think it is a home invasion
by crooks, and they react in such a way that they can get seriously maimed
by the police.

These "accidents" indicate something is wrong with whatever systems are used
to determine home or business of suspects.

Opponents, of the latest schemes, could maybe use this evidence as part of
the argument that the latest scheme is flawed, and thus shed more light on
this scandal.

<<FYI—These break-ins are the electronic equivalent of FBI raids lobbing
tear gas and kicking down doors with automatic weapons drawn.  Inevitably,
there are some percentage of break-ins at the wrong address of innocent

Alister William Macintyre (Al Mac)

Re: The perils of PayWave (O'Keefe, RISKS-27.90)

Joe Keane
Tue, 13 May 2014 00:45:17 +0000 (UTC)
This always baffles me, because it seems that the people are not considering
that a person may have more than one card.

such as

* bank card, that debits your checking account
* 'stupid' credit card, for buying lunch, et cetera
* 'better' credit card, that you only use for big things
* a card for Internet shopping, that you load up right before you use it
* a card for things that you want to charge to your employer
* a card for things you'd rather most people not know about
  (that must be buying drugs or hiring prostitutes)

In the old days, you would put a card into a machine or even type in the
numbers.  If you used the wrong one, it is clearly your fault for being
dumb.  Now you don't know.  What could go wrong?

Announcing ACM's new Special Interest Group on Logic and Computation (SIGLOG)

Prakash Panangaden <>
Tue, 13 May 2014 15:42:55 -0400
I am delighted to announce the formation of a new special interest group
focused on logic and computation. The new SIG will be called SIGLOG. The
officers are: Luke Ong (vice-Chair), Natarajan Shankar (Treasurer),
Alexandra Silva (Secretary) and I will serve as its first Chair. The
officers will be assisted by an executive committee and an advisory
committee. The formation of this SIG has taken a long time with a lot of
effort put in by many people. The idea of such a SIG was first mooted in
2007 by Moshe Vardi and Dana Scott and the first draft proposals were
written by Vardi with input from Martin Abadi, Rajeev Alur and Phokion

For a long time the logic and computation community has functioned without a
unifying organization. It has, nevertheless, grown in numbers and diversity
and there are now many conferences that testify to the vitality of the
community. Indeed the FLoC cluster of conferences this Summer in Vienna is
expected to attract 1500 participants. There are, however, many ways in
which a community-wide organization can serve the community that a
single-conference-based organization cannot.

SIGLOG aims to serve a broad range of interests. The flagship conference
will be the ACM-IEEE Symposium on Logic in Computer Science. SIGLOG will
actively seek association agreements with other conferences in the field. A
SIGLOG newsletter is planned to be published quarterly in an electronic
format with community news, technical columns, members' feedback, conference
reports, book reviews and other items of interest to the community. An
important activity of SIGLOG will be advocating for the importance of logic
in the undergraduate computer science curriculum.  Another important
activity will be the establishment of prizes to recognize the outstanding
contributions made by leading members of the community. Several members of
the community have won Turing prizes, but there is room for much more
recognition, especially for younger researchers. SIGLOG will collaborate
closely with EATCS and EACSL as well as other organizations, for example the
Gödel Society. SIGLOG will maintain close ties with the ACM Transactions
on Computational Logic. The upcoming Federated Logic Conferences in Vienna
(part of the Vienna Summer of Logic) will feature a SIGLOG launch event.

SIGLOG seeks to be an inclusive and diverse organization. We are committed
to encouraging the participation of women in computing and are pleased to
note that there are many outstanding women leaders in the research areas
covered by SIGLOG. We actively seek members from all geographical regions
and from a broad variety of research interests.

It is possible to join SIGLOG as soon as today by filling the form at .  One can join SIGLOG
without joining ACM (the SIGLOG membership fee is $25 and $15 for students).

Prakash Panangaden

  [This new ACM Special Interest Group could be of considerable value to
  RISKS readers with backgrounds or interest in formal methods.  PGN]
