The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 14

Tuesday 22 January 2013

Contents

Jim Horning, 24 Aug 1942—18 Jan 2013
PGN
Luther Weeks: Voting Requires Vigilance. Popular Isn't Always Prudent
PGN
Internet resources allow identification of personal genomes via surname inference
Lauren Weinstein
France wants to tax Google/Facebook based on users/data collected
Lauren Weinstein
Under pressure, Journal News withdraws gun database, but the mirrors are everywhere ...
Lauren Weinstein
These People Are Now Sharing Horrible Things About Themselves Thanks to Facebook Search
Lauren Weinstein
"Distracted driver hits senior while using her iPod"
Gene Wirchenko
"Facebook Graph Search may be a social engineering nightmare"
Ted Samson via Gene Wirchenko
Risks of inaccurate cellphone tracking info
David Tarabar
Ahmed Al-Khabaz expelled from Dawson College after finding security flaw
David J. Farber
Suresh Ramasubramanian
Steve Crocker
"Red October relied on Java exploit to infect PCs"
Gene Wirchenko
"how Oracle installs deceptive software with Java updates"
Ed Bott via Gene Wirchenko
"Disabling Java in Internet Explorer: No easy task"
Woody Leonhard via Gene Wirchenko
Just How Dumb Is It For CBS To Block CNET From Giving Dish An Award?
Mike Masnick
The 2013 Best of CES Awards: CNET's story
Lindsey Turrentine via Monty Solomon
Re: EHRs may add to, not reduce, the cost of health care
Dave Parnas
Course announcement: SecAppDev 2013, 4-8 March, Leuven, Belgium
Lieven Desmet
Info on RISKS (comp.risks)

Jim Horning, 24 Aug 1942—18 Jan 2013

Peter Neumann <Neumann@CSL.SRI.COM>
Tuesday, January 22, 2013 3:04 PM
Jim Horning was one of my favorite friends, colleagues, associates, and a
long-time inspiration, spanning the past 38 years.  He was active in the
computer field since 1958.  He was a vital member of the ACM Committee on
Computers and Public Policy, continuously since 1985; he contributed to the
very first issue of the ACM Risks Forum (1 Aug 1985), and he wrote or
co-wrote seven CACM Inside Risks articles.  He also played significant roles
in USACM.  We worked together on a joint CPSR/ACLU report for the House
Committee on Civil and Constitutional Rights in 1989.  He made many
thoughtful technical and socially aware contributions, always with wisdom,
common sense, and humanity.  I valued every contact I ever had with him.  He
will be very deeply missed by all who knew him, and indirectly by many who
did not.


Luther Weeks: Voting Requires Vigilance. Popular Isn't Always Prudent

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 22 Jan 2013 13:26:38 PST
Luther Weeks,  21 Jan 2013
Op-Ed outlining the integrity risks of the National Popular Vote Compact
http://www.ctnewsjunkie.com/ctnj.php/archives/entry/op-ed_voting_requires_vigilance._popular_isnt_always_prudent/

One third of Americans vote on machines, without the paper ballots we use in
Connecticut. Our president is chosen based on faith in those unverifiable
machines, vote accounting, and unequal enfranchisement in 50 independent
states and the District of Columbia.

In 2000, we witnessed the precarious underpinnings of this state-by-state
voting system combined with the flawed mechanism of the 12th Amendment and
the Electoral Accounting Act. The Supreme Court ruled votes could not be
recounted in Florida, because even that single state did not have uniform
recount procedures. What could possibly make this system riskier?

The National Popular Vote Compact now being considered in states, including
Connecticut, would have such states award their electoral votes to a
purported national popular vote winner. The Compact would take effect once
enough states signed on, equaling more than one-half the Electoral College.
Then the President elected would be the one with the most purported popular
votes. Sounds good and fair at first glance. Looking at the touted benefits
and none of the risks many legislators, advocates, and media influence the
public to make the Compact popular in some polls. Popular is not always
prudent. Voting requires vigilance.

The Compact, cobbled on an already precarious system, would exacerbate its
flaws, adding additional risks. Currently errors, voter suppression, and
fraud can only sway the result in the few swing states. With the Compact
errors, suppression, and fraud in every state would count toward the popular
vote total.

Compact supporters overlook and proponents befog the reality that there
would be no official national popular vote total available in time for
states to choose their electors. The only official popular vote total is the
sum of the Certificates of Attainment sent by each state to the national
Archivist. They cannot be used for choosing electors, since certificates are
not required to be sent until seven days after electors are chosen and are
not required to arrive in Washington until fifteen days after the electors
must be chosen. Supreme Court decisions in 2000 and 1876 stress that these
dates must be strictly followed.

Even if the totals could be obtained in time from each state, they would not
be audited and could not be recounted. Compact proponents obfuscate this by
describing how some states routinely perform audits or recounts. They
conveniently ignore that about one-third of the states do not have audits
and recounts; many voting machines cannot be audited; state recounts are
based on close-vote margins within a state, so even in those states,
recounts would not be triggered by a close national vote. Just as critical,
there would be insufficient time for recounts or audits given the strict
Constitutional deadlines. The Supreme Court would likely reject any recount
going beyond state borders, using the same reasoning used to reject the 2000
Florida recount, as insufficiently uniform.

Additional legal challenges and maneuvers under the Compact would also be
available for partisans bent on sending any reasonably close election to the
Supreme Court or Congress. States not signing the Compact could delay
certifying and transmitting results until the latest deadline. Partisans
could dispute results in their states or sue their Secretary of State for
using uncertified results from other states, delaying reporting or negating
the state's Electoral College vote.

Nothing is available but legal challenges, even in Compact states, to deter
a future partisan Secretary of State from failing to follow the Compact.

Supporters and opponents debate other contentions for and against the
Compact, most of which are subjective and speculative, e.g.: Which is more
ideal, the current Federal system or the popular vote? Would small states or
large states benefit more from the Compact? Where would candidates campaign
and join with PACs in media buys? How equal would every voter actually be,
given the state-by-state system of voter enfranchisement,
disenfranchisement, suppression, and registration?

An accurate, fair, and credible popular vote requires a uniform, workable
national voting system we can trust. That is, a system with uniform
enfranchisement, paper ballots, effective audits, and national recounts,
enforceable and provably enforced as a prerequisite to considering a
national popular vote.

Luther Weeks is executive director of CTVotersCount
<http://www.ctvoterscount.org/> .

  [This is an extremely complicated issue.  However, as long as we have
  partisan election management with unauditable voting machines, non-level
  playing fields regarding registration and voter rights, extreme
  difficulties in retroactively determining manipulations and unethical,
  illegal, or deceptive practices, no system can be claimed to be fair.
  Readers of RISKS should be well aware of the wide range of pitfalls.  PGN]


Internet resources allow identification of personal genomes via surname inference

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Jan 2013 21:43:42 -0800
http://j.mp/10DqhqW  (*Science* via NNSquad) [Free read with registration]

  "Sharing sequencing data sets without identifiers has become a common
  practice in genomics. Here, we report that surnames can be recovered from
  personal genomes by profiling short tandem repeats on the Y chromosome
  (Y-STRs) and querying recreational genetic genealogy databases. We show
  that a combination of a surname with other types of metadata, such as age
  and state, can be used to triangulate the identity of the target. A key
  feature of this technique is that it entirely relies on free, publicly
  accessible Internet resources. We quantitatively analyze the probability
  of identification for U.S.  males. We further demonstrate the feasibility
  of this technique by tracing back with high probability the identities of
  multiple participants in public sequencing projects."


France wants to tax Google/Facebook based on users/data collected

Lauren Weinstein <lauren@vortex.com>
Mon, 21 Jan 2013 09:54:45 -0800
  "Last Friday, a 198-page government report to the French Ministry of the
  Economy outlined a proposal that, if approved by the French government,
  would impose a tax on tech companies based on how many users a site like
  Facebook or Google has, and how much personal information those companies
  hold."
  http://j.mp/WmsSiF  (ars technica via NNSquad)

Passage of such a law would be immediately followed by the creation of the
secret French government department to create millions of fake Google users
and share as much fake personal information about them as possible!


Under pressure, Journal News withdraws gun database, but the mirrors are everywhere ...

Lauren Weinstein <lauren@vortex.com>
Fri, 18 Jan 2013 16:20:24 -0800
http://j.mp/WeMk0C  (*Journal News* via NNSquad)

  "Today The Journal News has removed the permit data from lohud.com. Our
  decision to do so is not a concession to critics that no value was served
  by the posting of the map in the first place. On the contrary, we've heard
  from too many grateful community members to consider our decision to post
  information contained in the public record to have been a mistake. Nor is
  our decision made because we were intimidated by those who threatened the
  safety of our staffers. We know our business is a controversial one, and
  we do not cower."

And of course, proving again that "public is public" and that trying to hide
on the Internet is hopeless once it has been widely publicized, there are
the various available related mirrors:

http://j.mp/WeM2a6  (Google Sites)

More info:
Gawker releases list of gun owners in New York City (1/8/2013)
http://j.mp/WeMUeE  (Poynter)


These People Are Now Sharing Horrible Things About Themselves Thanks to Facebook Search

Lauren Weinstein <lauren@vortex.com>
Fri, 18 Jan 2013 16:44:21 -0800
  "FB's glistening new search engine makes finding interesting things about
  yourself, your past, and all of your friends excitingly easy. It also
  makes it a cinch to find strangers who are openly racist, sexist, and
  generally embarrassing."
    http://j.mp/WeQe9D (Gizmodo via NNSquad)
    [Warning: link is not safe for work or family!]

The link above is Not Safe for Family.  Not Safe for Work.  Let's face
it, Facebook just plain isn't safe.


"Distracted driver hits senior while using her iPod"

Gene Wirchenko <genew@telus.net>
Sat, 12 Jan 2013 18:42:41 -0800
"The Daily News", Kamloops, British Columbia, Canada, 2013-01-12, p. A6:
"Distracted driver hits senior while using her iPod

NORTH VANCOUVER

A 19-year-old woman is facing charges in North Vancouver after she drove
onto a sidewalk and struck a 70-year-old man while using her iPod.  The RCMP
say the victim was walking home from a gym when he was struck yesterday at
Mount Seymour Parkway and Emerson Way.  He suffered extensive injuries
including a broken leg and broken ribs, but he is expected to survive.
Police say the driver has been charged with driving without due care and
attention while using an electronic device.


"Facebook Graph Search may be a social engineering nightmare" (Ted Samson)

Gene Wirchenko <genew@telus.net>
Thu, 17 Jan 2013 12:17:30 -0800
Ted Samson, *InfoWorld*, 16 Jan 2013
Facebook's new search engine serves up the kind of data that cyber scammers love
http://www.infoworld.com/t/internet-privacy/facebook-graph-search-may-be-social-engineering-nightmare-211002


Risks of inaccurate cellphone tracking info

David Tarabar <dtarabar@acm.org>
Tue, 15 Jan 2013 08:11:24 -0500
"If you lose your cellphone, don't blame Wayne Dobson"

Due to a quirk in cellphone location tracking, a resident of North Las Vegas
has repeatedly been visited by people who believe that he has their lost
cellphones. More seriously, police responded to the same address in error,
due to a cellphone 911 call reporting a domestic violence incident.

http://www.lvrj.com/news/if-you-lose-your-cellphone-don-t-blame-wayne-dobson-186670171.html


Ahmed Al-Khabaz expelled from Dawson College after finding security flaw

"David J. Farber" <farber@gmail.com>
Mon, 21 Jan 2013 10:57:35 -0500
http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/

A student has been expelled from Montreal's Dawson College after he
discovered a flaw in the computer system used by most Quebec CEGEPs (General
and Vocational Colleges), one which compromised the security of over 250,000
students' personal information.

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
member of the school's software development club, was working on a mobile
app to allow students easier access to their college account when he and a
colleague discovered what he describes as 'sloppy coding' in the widely used
Omnivox software which would allow "anyone with a basic knowledge of
computers to gain access to the personal information of any student in the
system, including social insurance number, home address and phone number,
class schedule, basically all the information the college has on a
student."

"I saw a flaw which left the personal information of thousands of students,
including myself, vulnerable, I felt I had a moral duty to bring it to the
attention of the college and help to fix it, which I did. I could have
easily hidden my identity behind a proxy. I chose not to because I didn't
think I was doing anything wrong."

"I felt I had a moral duty to bring it to the attention of the college."

After an initial meeting with Director of Information Services and
Technology Francois Paradis on 24 Oct 2012, where Mr. Paradis congratulated
Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he
and Skytech, the makers of Omnivox, would fix the problem immediately,
things started to go downhill.

Two days later, Mr. Al-Khabaz decided to run a software program called
Acunetix, designed to test for vulnerabilities in websites, to ensure that
the issues he and Mija had identified had been corrected. A few minutes
later, the phone rang in the home he shares with his parents.

"It was Edouard Taza, the president of Skytech. He said that this was the
second time they had seen me in their logs, and what I was doing was a cyber
attack. I apologized, repeatedly, and explained that I was one of the people
who discovered the vulnerability earlier that week and was just testing to
make sure it was fixed. He told me that I could go to jail for six to twelve
months for what I had just done and if I didn't agree to meet with him and
sign a non-disclosure agreement he was going to call the RCMP and have me
arrested. So I signed the agreement." ...


Re: Ahmed Al-Khabaz expelled from Dawson College after finding security flaw

"Suresh Ramasubramanian" <suresh@hserus.net>
Jan 21, 2013 11:30 AM
The rest of the article goes on to say:

1. Taza from Skytech denies he threatened Al Khabaz, and said that he'd told
him that discovering vulns was fine, but pen-testing their systems uninvited
to see whether the vulns were fixed or not wasn't legal.

2. The school seems to have separately decided to expel him, with 14 out of
15 professors voting to expel, though without giving him a hearing first.


Re: Ahmed Al-Khabaz expelled from Dawson College after finding security flaw

<*Steve Crocker*>
Monday, January 21, 2013
The following stands out:

  Two days later, Mr. Al-Khabaz decided to run a software program called
  Acunetix, designed to test for vulnerabilities in websites, to ensure that
  the issues he and Mija had identified had been corrected. A few minutes
  later, the phone rang in the home he shares with his parents.

When I was a program manager at (D)ARPA in the early 1970s, I ran tiger
teams on the Arpanet and quickly discovered the importance of discipline in
the process.  It's one thing to find flaws, it's something else entirely to
disclose them publicly, and it's further something else to run subsequent
"tests" to determine whether the flaw has been fixed.  The people who find
the flaws often develop a sense of ownership and entitlement, and that's
where trouble arises.  A "20-year-old computer science student, and a
member of the school's software development club" probably had no training
or counseling regarding finding and reporting flaws.  Having reported his
findings to responsible parties, he fulfilled his moral obligations and he
should have remained at arms' length from the system unless invited to do
further work, but this might not have been evident to him.  Conversely, the
school's elders should have gone further than congratulating the student
for his work.  They should have realized the need to counsel the student
that his role was now complete, that he needed to stay away from further
action, and that the results might or might not be in accordance with his
instincts.  In this respect, the school's management might have been just
as uneducated in these matters as the student.

Perhaps there is more to this particular story than has been reported.
Perhaps the student was informed he was not to do further testing.  The
larger point is it would be useful to have some readily available guidelines
for appropriate behavior by both the person finding the flaw and the
organization receiving the report.


"Red October relied on Java exploit to infect PCs"

Gene Wirchenko <genew@telus.net>
Tue, 15 Jan 2013 08:45:20 -0800
http://arstechnica.com/security/2013/01/massive-espionage-malware-relied-on-java-exploit-to-infect-pcs/
Red October relied on Java exploit to infect PCs
Unearthed attack site reveals some inner workings of espionage malware.

Dan Goodin, *Arstechnica*, 15 Jan 2013

opening paragraph:

Attackers behind a massive espionage malware campaign that went undetected
for five years relied in part on a vulnerability in the widely deployed Java
software framework to ensnare their victims, a security researcher said.


"how Oracle installs deceptive software with Java updates" (Ed Bott)

Gene Wirchenko <genew@telus.net>
Tue, 22 Jan 2013 10:40:57 -0800
Ed Bott for The Ed Bott Report, 22 Jan 2013
A close look at how Oracle installs deceptive software with Java updates
http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/

Summary: Oracle's Java plugin for browsers is a notoriously insecure
product.  Over the past 18 months, the company has released 11 updates, six
of them containing critical security fixes. With each update, Java actively
tries to install unwanted software. Here's what it does, and why it has to
stop.


"Disabling Java in Internet Explorer: No easy task" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Tue, 22 Jan 2013 12:56:57 -0800
Woody Leonhard, *InfoWorld*, 22 Jan 2013
Disabling Java in Internet Explorer: No easy task
Firefox, Chrome, and Safari let you. But short of a complex,
CERT-documented process, there's no reliable way to disable Java in IE
http://www.infoworld.com/t/web-browsers/disabling-java-in-internet-explorer-no-easy-task-211220

  The Microsoft instructions kill about 20 Java CLSIDs. The CERT method
  kills almost 800 of them.

That has to make you wonder—at least, it makes me wonder—whether there
are other tricky methods for invoking Java in Internet Explorer, even after
the CERT fixes have been applied.


Just How Dumb Is It For CBS To Block CNET From Giving Dish An Award? (Mike Masnick)

Monty Solomon <monty@roscom.com>
Sat, 12 Jan 2013 15:28:21 -0500
Mike Masnick, *Techdirt*, 11 Jan 2013

As you may or may not recall, last year, pretty much all the TV networks
sued Dish Networks over a new feature it had launched, PrimeTime Any Time
(PTAT), with its Autohopper technology on its DVRs. PTAT is where it would
automatically record all the major networks' prime time programming and hold
onto it for a bit.  Autohopper would then automatically skip over the
commercials. It's important to recognize that these features, on their own,
have been considered legal. VCRs had auto commercial skip ages ago and DVR
technology (time shifting) has been called fair use plenty of times.  Given
that, the lawsuits aren't going well so far.

But, in a moment of pure stupidity, some very short-sighted suits at CBS
made a really silly decision. As you may or may not have heard, CES—the
massive consumer electronics show—has been going on all this week in Las
Vegas. I just got back from there myself. At the show, Dish announced
another merging of some of its products, adding its Slingbox (which it
bought years back) to the same basic setup.  Slingbox, of course, is for
"place shifting" what the DVR is for "time shifting." You hook it up to your
TV and it lets you access what's playing on your TV via the Internet (via
your computer, phone or tablet). It's hardly surprising that this is where
Dish was heading. ...

http://www.techdirt.com/articles/20130111/00145421637/just-how-dumb-is-it-cbs-to-block-cnet-giving-dish-award.shtml


The 2013 Best of CES Awards: CNET's story (Lindsey Turrentine)

Monty Solomon <monty@roscom.com>
Sat, 19 Jan 2013 13:17:02 -0500
Lindsey Turrentine, *CNET*, 14 Jan 2013
The true story of what happened before last week's Best of CES Awards
unveiling
http://news.cnet.com/8301-30677_3-57563877-244/the-2013-best-of-ces-awards-cnets-story/

A CNET Reporter Resigns Amid CBS-Dish Tussle
January 14, 2013
http://blogs.wsj.com/digits/2013/01/14/a-cnet-reporter-resigns-amid-cbs-dish-tussle/

Dish Gives Itself The Award That CBS Stopped CNET From Giving
http://consumerist.com/2013/01/18/dish-gives-itself-the-award-that-cbs-stopped-cnet-from-giving/


Re: EHRs may add to, not reduce, the cost of health care (Lesher, RISKS-27.13)

Dave Parnas <parnas@mcmaster.ca>
Sat, 12 Jan 2013 14:30:14 -0500
Predictions of savings are usually based on two assumptions:

  1) The new system is used instead of (not in addition to) the old one.
  2) The records are shared so that tests and other exams do not have to
     be duplicated.

In the cases that I have seen (a very limited set) at most one of these
conditions has been met and often neither is met.  Old systems are often
incompatible with the new systems and may perform functions that the new
ones do not do.

Professor Emeritus, McMaster University, University of Limerick
http://www.amadon.ca/Public/information.htm  +1 613 2498038 parnas@mcmaster.ca


Course announcement: SecAppDev 2013, 4-8 March, Leuven, Belgium

Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
Thu, 10 Jan 2013 10:47:57 +0100
We are pleased to announce SecAppDev Leuven 2013, an intensive one-week
course in secure application development. The course is organized by
secappdev.org, a non-profit organization that aims to broaden security
awareness in the development community and advance secure software
engineering practices. The course is a joint initiative with KU Leuven and
Solvay Brussels School of Economics and Management.

SecAppDev 2013 is the 9th edition of our widely acclaimed course,
attended by an international audience from a broad range of industries
including financial services, telecom, consumer electronics and media
and taught by leading software security experts including

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
+ Ken van Wyk, co-founder of the CERT Coordination Center and widely
   acclaimed author and lecturer.
+ Dr. Steven Murdoch of the University of Cambridge Computer
   Laboratory's security group, well known for his research in
   anonymity and banking system security.
+ Jim Manico, an OWASP board member.
+ John Steven, a sought-after architect for high-performance, scalable
   JEE systems.

When we ran our first annual course in 2005, emphasis was on awareness and
security basics, but as the field matured and a thriving security training
market developed, we felt it was not appropriate to compete as a non-profit
organization. Our focus has hence shifted to providing a platform for
leading-edge and experimental material from thought leaders in academia and
industry. We look toward academics to provide research results that are
ready to break into the mainstream and attract people with an industrial
background to try out new content and formats.

The course takes place from March 4th to 8th in the Faculty Club,
Leuven, Belgium.

For more information visit the web site: http://secappdev.org.

Places are limited, so do not delay registering to avoid disappointment.
Registration is on a first-come, first-served basis.
A 25% discount is available for Early Bird registration until January
15th. Alumni, public servants and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our course.

Lieven Desmet
http://secappdev.org
