The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 04

Wednesday 24 October 2012

Alaska Airlines: Operations returning to normal
Doug Esser via Paul Saffo
Apps Alert the Doctor When Trouble Looms
John Karabaic
Error and Fraud at Issue as Absentee Voting Rises
Adam Liptak via PGN
Online schools face backlash as states question results
Stephanie Simon via Monty Solomon
A network scientist examines the lifespan of a fact
Slate via Lauren Weinstein
UK launching "virtual ID card" system / critics fear it's an instant target
Lauren Weinstein
Microsoft robo-DMCA takedown orders run amok
Torrent Freak via LW
Cyberattacks continue to affect U.S. banks
Nicole Perlroth via LW
DDoS attacks on major US banks are no Stuxnet: here's why
ars technica
Another bank software problem
Martyn Thomas
McAfee, Trust Guard certifications can make websites *less* safe
ars technica via LW
The Risks of Bad Mapping
Gene Wirchenko
Support your right to own a 3D printer!
Mark Thorson
Don't just throw your old hard drives into the trash
Jim Reisert
"Phony Facebook application security tests? Say it ain't so, Zuckerberg"
Gene Wirchenko
"Windows 8 pirates: No noose is good noose"
Cringely via Gene Wirchenko
"Hackers exploit Skype API to infect Windows PCs"
Ted Samson via GW
Misconduct Widespread in Retracted Science Papers, Study Finds
Carl Zimmer via Monty Solomon
Penn—Hackers leak personal info of students, employees and alums
Dave Farber
Re: Risks of linking information from Facebook leads to bigamy charges
Amos Shapir
Re: The Anti-Cloud?
Scott Miller
Re: Security experts not understanding security risks
Neil McKellar
Re: "Fake sign causes real outage"
Gene Wirchenko
Re: Mac calendar spam invites
Ed Ravin
REVIEW: "Learning from the Octopus", Rafe Sagarin
Rob Slade
Info on RISKS (comp.risks)

Alaska Airlines: Operations returning to normal (Doug Esser)

Paul Saffo <>
Mon, 8 Oct 2012 20:54:16 -0700
Alaska Airlines said flights were running close to normal late Monday after
a fiber-optic outage shut down its ticketing system for more than four
hours, causing the airline and its regional carrier to cancel 78 flights
(roughly 10 percent of their daily flights), affecting nearly 7,000 customers.

More than 130 other flights departed during the disruption, but some were
delayed for as long as four hours, the airline said.  "Flights are running
real close to schedule right now in all major cities. We expect tomorrow to
be back on track completely," airline spokeswoman Marianne Lindsey said
Monday evening. Most affected were Alaska's hub cities of Seattle, Portland,
Ore., Los Angeles, Anchorage, Alaska, and the San Francisco area.

The problems were caused by a combination of two cut cables in Sprint's
fiber-optic network.  One occurred at a construction site along railroad
tracks between Chicago and Milwaukee and the other was somewhere between
Portland and Seattle.  The Chicago-Milwaukee cable was cut accidentally due
to some kind of work or maintenance.  The second cut involved an aerial cable
that runs along power lines.  "Typically if there's just one cut, traffic
reroutes automatically," Davis said. "Because there were two cuts within
hours of each other, it caused this disruption."
[Source: Doug Esser, Associated Press, 8 Oct 2012; PGN-ed]

Apps Alert the Doctor When Trouble Looms

John Karabaic <>
Tue, 9 Oct 2012 08:54:45 -0400
Part of a wonderful NYTimes Science Times focus on IT in medicine [9 Oct
2012], this article goes into more depth on apps that have more risks of
false positives and privacy issues.

New technology uses standard features on smartphones—GPS and movement
tracking—to monitor a patient's behavior and alert the doctor when
something seems out of order.  *The New York Times*

Error and Fraud at Issue as Absentee Voting Rises (Adam Liptak)

"Peter G. Neumann" <>
Sun, 7 Oct 2012 10:10:17 PDT
  Every problem that we have in our election system is magnified 10k times
  in absentee voting.  At that point in the process, all eyes and all sides
  have one thing to focus on—absentee ballots.  There are some problems
  that are unique to absentee voting—major one being the voter is not
  present to work through any issues with the election officials - but there
  are many of the same problems we have with all of the other modes of
  voting.  Adam Liptak, *The New York Times*, front page, 7 Oct 2012

Online schools face backlash as states question results (Stephanie Simon)

Monty Solomon <>
Wed, 3 Oct 2012 16:42:17 -0400
Stephanie Simon, Reuters, 3 Oct 2012

Virtual public schools, which allow students to take all their classes
online, have exploded in popularity across the United States, offering what
supporters view as innovative and affordable alternatives to the
conventional classroom.

Now a backlash is building among public officials and educators who question
whether the cyber-schools are truly making the grade.

In Maine, New Jersey and North Carolina, officials have refused to allow new
cyber-schools to open this year, citing concerns about poor academic
performance, high rates of student turnover and funding models that appear
to put private-sector profits ahead of student achievement.

In Pennsylvania, the auditor general has issued a scathing report calling
for revamping a funding formula that he said overpays online schools by at
least $105 million a year. In Tennessee, the commissioner of education
called test scores at the new Tennessee Virtual Academy "unacceptable."

And in Florida, state education officials are investigating a virtual school
after it was accused of hiring uncertified teachers; in the past two weeks
two local school boards in the state have rejected proposals for virtual

Some states, including Michigan, Indiana and Louisiana, are still moving
aggressively to embrace online schools. But the anger and skepticism
elsewhere is striking, in part because some of it comes from people who have
ardently supported opening the public school system to competition. ...

A network scientist examines the lifespan of a fact

Lauren Weinstein <>
Fri, 5 Oct 2012 20:54:55 -0700
  "The Harvard network scientist and pop theorist Samuel Arbesman stokes our
  fears of information on the cover of his recent book, The Half-Life of
  Facts: Why Everything We Know Has an Expiration Date.  Watch out, that
  title says: The truth is melting! But the argument that Arbesman lays out
  (in a set of loosely connected anecdotes and essays) works to do the
  opposite. He uses math as a medication for this anxiety, to keep us calm
  in the face of shifting knowledge. His book works like a
  data-beta-blocker: By fitting fickle truths to models and equations, it
  promises a way to handle life's uncertainty and keep abreast of "the
  vibrations in the facts around us." In the end, though, the prescription
  runs afoul of a more fundamental ambiguity: What does it mean to call a
  fact a fact to start with?"  (Slate via NNSquad)

UK launching "virtual ID card" system / critics fear it's an instant target

Lauren Weinstein <>
Thu, 4 Oct 2012 09:49:30 -0700
  "The Government will announce details this month of a controversial
  national identity scheme which will allow people to use their mobile
  phones and social media profiles as official identification documents for
  accessing public services."  (Independent via NNSquad)

Like the article headlines: "What could go wrong?"

Microsoft robo-DMCA takedown orders run amok (Torrent Freak)

Lauren Weinstein <>
Sun, 7 Oct 2012 18:53:18 -0700  (Torrent Freak via NNSquad)

  "Claiming to prevent the unauthorized distribution of Windows 8 Beta the
  software company listed 65 "infringing" web pages. However, nearly half of
  the URLs that Google was asked to remove from its search results have
  nothing to do with Windows 8.  This apparent screw up in the automated
  filter mistakenly attempts to censor AMC Theatres, BBC, Buzzfeed, CNN,
  HuffPo, TechCrunch, RealClearPolitics, Rotten Tomatoes, ScienceDirect,
  Washington Post, Wikipedia and even the U.S.  Government.  Judging from
  the page titles and content the websites in question were targeted because
  they reference the number "45."

Cyberattacks continue to affect U.S. banks (Nicole Perlroth)

Lauren Weinstein <>
Sun, 30 Sep 2012 12:32:44 -0700
  "Six major American banks were hit in a wave of computer attacks last
  week, by a group claiming Middle Eastern ties, that caused Internet
  blackouts and delays in online banking.  Frustrated customers of Bank of
  America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo and PNC, who
  could not get access to their accounts or pay bills online, were upset
  because the banks had not explained clearly what was going on."  (*The New York Times* via NNSquad)

I am extremely skeptical of the blame game being asserted, especially the
Iran bashing.  Anybody can claim to be anyone in this context, and I see no
conceivable upside to Iran deploying an effort to merely slow down access to
online banking in the U.S.  I've seen the effects myself—extra page
reloads required and such, but frankly the explanations the banks are giving
stink to high heaven, and the politicos seem to be pulling so-called
explanations out of thin air.

DDoS attacks on major US banks are no Stuxnet: here's why (ars technica)

Lauren Weinstein <>
Sat, 6 Oct 2012 09:49:32 -0700
  "The compromised servers were outfitted with itsoknoproblembro (pronounced
  "it's OK, no problem, bro") and other DDoS tools that allowed the
  attackers to unleash network packets based on the UDP, TCP, HTTP, and
  HTTPS protocols. These flooded the banks' routers, servers, and server
  applications - layers 3, 4, and 7 of the networking stack - with junk
  traffic. Even when targets successfully repelled attacks against two of
  the targets, they would still fall over if their defenses didn't
  adequately protect against the third.  "It's not that we have not seen
  this style of attacks or even some of these holes before," said Dan
  Holden, the director of research for the security engineering and response
  team at Arbor Networks. "Where I give them credit is the blending of the
  threats and the effort they've done. In other words, it was a focused
  attack."  Adding to its effectiveness was the fact that banks are mandated
  to provide Web encryption, protected login systems, and other defenses for
  most online services. These "logic" applications are naturally prone to
  bottlenecks - and bottlenecks are particularly vulnerable to DDoS
  techniques. Regulations that prevent certain types of bank traffic from
  running over third-party proxy servers often deployed to mitigate attacks
  may also have reduced the mitigation options available once the
  disruptions started."  (ars technica via NNSquad)

Another bank software problem

Martyn Thomas <>
Fri, 05 Oct 2012 15:29:54 +0100
Lloyds TSB says it is suffering from a "temporary system error" that is
causing "intermittent problems".  Users of the Twitter social network have
complained of being unable to use their debit cards, Lloyds TSB ATMs, or the
bank's online banking service.  The bank says it is sorry for the
inconvenience and is trying to sort out the problems.

Earlier this summer some account holders at RBS and NatWest suffered
disruption due to a computer failure.  Lloyds TSB has admitted the problem
has affected both its internet and telephone banking service, "but we don't
have a definite time scale at this time," it said.

McAfee, Trust Guard certifications can make websites *less* safe

Lauren Weinstein <>
Fri, 5 Oct 2012 11:55:46 -0700
  "That's because a design flaw in the service, and in competing services
  offered by Trust Guard and others, makes it easy to discover in almost
  real time when a customer has had the seal revoked. A revocation is a
  either a sign the site has failed to pay its bill, has been inaccessible
  for a sustained period of time, or most crucially, is no longer able to
  pass the daily security test."  (ars technica via NNSq)

The Risks of Bad Mapping

Gene Wirchenko <>
Thu, 04 Oct 2012 12:46:28 -0700
Apple is taking a kicking over their latest Map app.  Many sites are making
fun of it.  In particular

has been a great time so far.  I am only on page 24.  That page has a sign
at a London transit station with an additional information section that
reads: "For the benefit of passengers using Apple iOS 6, local area maps are
available from the booking office."  Ouch!

Support your right to own a 3D printer!

Mark Thorson <>
Sat, 29 Sep 2012 13:27:25 -0700
Gun parts are being made by 3D printer, and it may soon be possible to make
a complete gun.  This raises concerns about how legislation will respond to
advances in 3D printer technology.

Don't just throw your old hard drives into the trash

Jim Reisert AD1C <>
Tue, 2 Oct 2012 14:11:41 -0600
Kate Gosselin Halts Sale Of Negative Tell-All Book

"Kate Gosselin has scored a victory. She has gotten her lawyers to halt the
sale of a shocking new book that claims that the mom of eight "fooled the
world." [...]  "Kate had her own lawyers deal with this," says a network
insider.  "TLC lawyers were involved as well, since there was some
confidential documents in there."  This confidential information that
troubled TLC was found in a series of private emails exchanged between
Gosselin and the Discovery network. The emails were leaked via computer hard
drives that Gosselin had put in the trash."

Jim Reisert AD1C, <>,

"Phony Facebook application security tests? Say it ain't so, Zuckerberg"

Gene Wirchenko <>
Mon, 08 Oct 2012 10:14:50 -0700
Phony Facebook application security tests? Say it ain't so, Zuckerberg
How can we explain the FTC's discovery that, for
close to a year, Facebook operated a for-profit
application security testing service that was little more than a sham?

"Windows 8 pirates: No noose is good noose"

Gene Wirchenko <>
Mon, 08 Oct 2012 13:38:36 -0700
InfoWorld, 8 Oct 2012
Windows 8 pirates: No noose is good noose
Are the BBC, CNN, and Wikipedia distributing illegal copies of
Windows 8? Nope, it's just another example of the Copyright Cartel gone wild
By Robert X. Cringely | InfoWorld

"Hackers exploit Skype API to infect Windows PCs" (Ted Samson)

Gene Wirchenko <>
Tue, 09 Oct 2012 11:13:54 -0700
Ted Samson, *InfoWorld*, 9 Oct 2012
Hackers exploit Skype API to infect Windows PCs
New worm reinforces Skype's reputation as an app with security issues

Misconduct Widespread in Retracted Science Papers, Study Finds (Carl Zimmer)

Monty Solomon <>
Sun, 7 Oct 2012 10:37:17 -0400
Carl Zimmer, *The New York Times*, 1 Oct 2012

Last year the journal *Nature* reported an alarming increase in the number
of retractions of scientific papers - a tenfold rise in the previous decade,
to more than 300 a year across the scientific literature.

Other studies have suggested that most of these retractions resulted from
honest errors. But a deeper analysis of retractions, being published this
week, challenges that comforting assumption.

In the new study, published in the Proceedings of the National Academy of
Sciences, two scientists and a medical communications consultant analyzed
2,047 retracted papers in the biomedical and life sciences. They found that
misconduct was the reason for three-quarters of the retractions for which
they could determine the cause. ...

Penn—Hackers leak personal info of students, employees and alums

Dave Farber <>
Wed, 3 Oct 2012 09:11:23 -0400

Re: Risks of linking information from Facebook leads to bigamy charges (RISKS-27.03)

Amos Shapir <>
Mon, 8 Oct 2012 13:30:23 +0200
I do not use Facebook much, so when my 13-year-old nephew requested to
become my "friend", I have accepted without giving it much thought.  Every
now and then, Facebook suggests a list of people I may want to befriend,
including their pictures.  This list now includes many 13 year old girls --
some of whose profile pictures may be considered quite provocative...  I
hope that no computer I use is ever seized by a police investigation, or I
might end up in deep trouble!

Re: The Anti-Cloud? (Mark Thorson, RISKS-27.03)

"Scott Miller" <>
Mon, 1 Oct 2012 10:51:21 -0400
There are certainly risks there, but I am not certain that any are new,
unique, or even uni-directional. Did not the SETI At Home program operate by
a similar paradigm (albeit the pay-off was not strictly a cash-equivalent)?
As an aside, I've wondered for quite some time to what extent that program
served as a prototype for botnets (may have been discussed here, but if so I
missed it). How many "cloud" users know the ultimate disposition of their
data? How many even read the EULA and privacy agreements (understandable
since a half-hour spent wading knee-deep through a fetid swamp of legalese
will in many or most cases produce nothing more definitive than a statement
allowing data sharing or delegation to _some_ third-party, identity
undisclosed or unknown)? A case could probably be made that a commercial
third party recipient of delegated cloud customer data would probably have a
greater incentive to use that data in some way counter to the interests or
desires of the original "owner". My main interest, however, lies in
identifying the risk posed to the person "renting" their excess disk space
to Symform. Suppose one of Symform customers uploads some electronic
contraband (e.g., kiddie porn) to their cloud, and though some coincidence
it is discovered by some government authority on the hard drive of a
different Symform customer?  What is the legal status of the "landlord"? I'm
not even certain if Symform is an ISP under the legal doctrine that provides
a limited shield from legal liability regarding content uploaded by
customers; I very much doubt that any shield that exists would be extended
by a court to the customer providing drive space. What little remains of the
4th amendment (US) would also seem to be of little help.

Re: Security experts not understanding security risks

Neil McKellar <>
Mon, 01 Oct 2012 07:45:43 -0600
I disagree that the picket, to use the analogy from your note, is high
enough.  Yes, the Ars Technica article focuses on password length and even
Costin Raiu's blog post focuses heavily on length, only touching on the two
choices he thinks Microsoft has had to make.  What would make me worried
about the length restriction is that there is some technical reason why the
password cannot be longer.

Raiu talks about sha512crypt, but even the weaker SHA-1 or MD5 hashes he
talks about do not have length restrictions on the passwords that can be
entered.  If there is a length restriction, I would be concerned that
Hotmail is using some homegrown hash function that limits itself to 16
characters.  History has a handful of similar hash functions and they've
generally proven to be even weaker than SHA-1.  In this case, I agree with
Raiu: I don't know which of his two options is worse.

Arguably, if the only concern here is local administrative staff at Hotmail
having access to the hashes, the risk is moderate or even low.  In that
case, Microsoft's characterization of the risk is correct and 16 characters
is plenty.  These days, I don't think security professionals should only be
worried about phishing and keystroke loggers, in spite of what was said in
the article.  We continue to see attacks that result in sizable credential
lists posted publicly.  The likelihood for any one target may not be
significant, but it is, nonetheless, a possibility that should be accounted
for.  The size of the picket makes no difference if it's not firmly attached
to the fence.

Neil (
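An added illustration of the point above (example code, not part of Neil's note and not Hotmail's or Microsoft's code): a hypothetical scheme that silently truncates the password at 16 characters beside a conventional salted PBKDF2-HMAC-SHA512 store, which needs no length limit at all. The 16-character cap, the round count and the sample passwords are assumptions made for the example.

```python
"""Why a hard 16-character cap hints at something odd in the hash pipeline.

weak_hash() models a homegrown scheme that only ever looks at the first
16 characters (hypothetical; not any real vendor's code).  make_record()
and verify() show the ordinary alternative: PBKDF2-HMAC-SHA512 over the
full password with a per-user salt and a constant-time comparison.
"""
import hashlib
import hmac
import os

TRUNCATE_AT = 16          # hypothetical cap discussed in the post
PBKDF2_ROUNDS = 200_000   # work factor chosen for this example only


def weak_hash(password: str) -> str:
    """Hash only the first TRUNCATE_AT characters (the suspected weak setting).

    Anything typed beyond the cap is discarded, so two passwords that share
    their first 16 characters are indistinguishable to the server."""
    return hashlib.sha1(password[:TRUNCATE_AT].encode("utf-8")).hexdigest()


def weak_collides(a: str, b: str) -> bool:
    """True when two *different* passwords verify as the same one under
    the truncating scheme."""
    return a != b and weak_hash(a) == weak_hash(b)


def make_record(password: str, salt=None) -> dict:
    """Build a stored credential record.

    A fresh 16-byte random salt is generated unless one is supplied (tests
    pass a fixed salt for determinism).  PBKDF2 consumes the whole
    password, so no length restriction is needed."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time
    so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode("utf-8"), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample passwords: identical for the first 16 characters.
    long_pw = "correct horse battery staple"
    near_pw = "correct horse batsman"
    print("truncating scheme treats them as equal:", weak_collides(long_pw, near_pw))
    rec = make_record(long_pw)
    print("PBKDF2 store accepts the real password:", verify(rec, long_pw))
    print("PBKDF2 store rejects the near miss:    ", verify(rec, near_pw))
```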

Re: "Fake sign causes real outage" (Risks-27.03)

Gene Wirchenko <>
Sun, 30 Sep 2012 23:19:03 -0700
The story also shows another risk, that of jurisdictions.  Who had
jurisdiction?  The property loss was bad enough, but what if there had been
the possibility of loss of life?

Re: Mac calendar spam invites

Ed Ravin <>
Mon, 1 Oct 2012 03:36:31 -0400
Does not seem to be a new issue - I found this 2008 discussion of what seems
to be the problem George Michaelson is reporting:

REVIEW: "Learning from the Octopus", Rafe Sagarin

Rob Slade <>
Mon, 8 Oct 2012 14:49:42 -0800
BKLNFOCT.RVW   20120714

"Learning from the Octopus", Rafe Sagarin, 2012, 978-0-465-02183-3,
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   "Learning from the Octopus"

The subtitle promises that we will learn "how secrets from nature can help
us fight terrorist attacks, natural disasters, and disease."  The book does
fulfill that aim.  However, what it doesn't say (up front) is that it isn't
an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire
security community to task for not paying sufficient attention to the
lessons of biology.  The text and examples in the work, however, do not
present the reader with particularly useful insights.  The prologue drives
home the fact that 350 years of fighting nation-state wars did not prepare
either society or the military for the guerilla-type terrorist situations
current today.  No particular surprise: it has long been known that the
military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of "natural" security.  In this regard, the
reader is inescapably reminded of Bruce Schneier's "Liars and Outliers"
(cf. BKLRSOTL.RVW), and Schneier's review of evolution, sociobiology, and
related factors.  But whereas Schneier built a structure and framework for
examining security systems, Sagarin simply retails examples and stories,
with almost no structure at all.  (Sagarin does mention a potentially
interesting biology/security working group, but then is strangely reticent
about it.)  In chapter two, "Tide Pool Security," we are told that the
octopus is very fit and functional, and that the US military and government
did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in
regard to one type of learning (and there is no mention at all of
education).  The learning force that the author lauds is that of evolution,
which does tend to modify behaviours for the population over time, but tends
to be rather hard on individuals.  Sagarin is also opposed to "super
efficiency" (and I can agree that it leaves little margin for error), but
mostly tells us to be smart and adaptable, without being too specific about
how to achieve that.  Chapter four tells us that decentralization is better
than centralization, but it is interesting to note that one of the examples
given in the text demonstrates that over-decentralization is pretty bad,
too.  Chapter five again denigrates security people for not understanding
biology, but that gets a bit hard to take when so much of the material
betrays a lack of understanding of security.  For example, passwords do not
protect against computer viruses.  As the topics flip and change it is hard
to see whether there is any central thread.  It is not clear what we are
supposed to learn about Mutual Assured Destruction or fiddler crabs in
chapter six.

Chapter seven is about bluffing, use and misuse of information, and alarm
systems.  Yes, we already know about false positives and false negatives,
but this material does not help to find a balance.  The shared values of
salmon and suicide bombers, religion, bacterial addicts, and group identity
are discussed in chapter eight.  Chapter nine says that cooperation can be
helpful.  We are told, in chapter ten, that "natural is better," therefore
it is ironic to note that the examples seem to pit different natural systems
against each other.  Also, while Sagarin says that a natural and complex
system is flexible and resilient, he fails to mention that it is difficult
to verify and tune.

This book is interesting, readable, erudite, and contains many interesting
and thought-provoking points.  For those in security, it may be good bedtime
reading material, but it won't be helpful on the job.  In the conclusion,
the author states that his goal was to develop a framework for dealing with
security problems, of whatever type.  He didn't.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714
