The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 24

Sunday 7 April 2013

Contents

Chinese Government To Buy Dell
Steven J. Greenwald
Deeper Meaning in a Live YouTube April Fools' Gag
Lauren Weinstein
New Test for Computers - Grading Essays at College Level
Gabe Goldberg
"Fix your DNS servers or risk aiding DDoS attacks"
Ted Samson via Gene Wirchenko
"Cyber criminals tying up emergency phone lines through TDoS attacks"
Ted Samson via Gene Wirchenko
Prenda Law's Attorneys Take The Fifth Rather Than Answer Judge Wright's Questions
Lauren Weinstein
"Firefox 20 ups HTML5 support, adds dev tools and per-tab Private Browsing"
Gene Wirchenko on Ted Samson
MS apologizes for employee's Xbox Durango 'always-online' tweets
Lauren Weinstein
"Ransomware uses victims' browser histories for increased credibility"
Lucian Constantin via Gene Wirchenko
ZIP Codes Are Definitely "Personal Identification Information"
Monty Solomon
Everything We Know About What Data Brokers Know About You
Monty Solomon
Mozilla Firefox CPU hog ??
Henry Baker
`Massive' Cyberattack Wasn't Really So Massive
David Talbot
Risks of ASCII-formatting mathematics
Bill Stewart
Sears Discloses User-Selected PIN
Richard Karash
Online tax returns, You're Doing It Wrong...
Valdis Kletnieks
Wow! Are we still in the 1990s?
Gene Spafford
Info on RISKS (comp.risks)

Chinese Government To Buy Dell

"Steven J. Greenwald" <sjg6@gate.net>
Mon, 1 Apr 2013 16:41:28 -0400 (GMT-04:00)
http://news.yahoo.com/china-to-buy-dell-source-155247372--sector.html

Chinese Government To Buy Dell
By Carl Michaels and Michael Silver | Rueters - Monday, Apr 1, 2013

NEW YORK / BEIJING (Rueters) - Dell Inc announced today that the Chinese
government would purchase them in a leveraged buy out. Michael Dell and
private equity firm Silver Lake Partners have announced that they welcome
the leveraged buy out. "It's the best of all the alternatives that the
company's board had explored," said Dell in a prepared statement to
shareholders.

Carl Icahn has proposed paying $15 per share for 58 percent of Dell, while
Blackstone Group has indicated it can pay $14.25 per share. But both deals
would involve saddling the troubled tech company with massive debt and
keeping it public. Silver Lake Partners would offer all cash at $13.65 per
share and take Dell private in the reverse of an IPO: an LBO or so-called
"leveraged buy out" where a failing public company goes private at a severe
loss to the shareholders and usually with massive firing of competent
employees while retaining the incompetent ones.

But Xia Xiahuang, head of the Technology Investment Government Workers
Group, a Chinese government agency, said that China would pay $17.75 per
share to acquire the ailing tech company. "We need more competition in the
Pan-Asian PC market. As a growing world economy China needs more than just
Lenovo," said Xiahuang at a press conference where she announced the
decision. "If successful in our leveraged buy out then we plan on moving
Dell to Government City Number 23 where we have lots of unemployed tech
workers." She extolled the virtues of corporate competition in her
statement. "We learned a lot from the Americans, especially about how
capitalism works with a centrally managed economy." When asked about the
history of that, she said, "Maybe we have a language issue here, but no, we
don't call that 'fascism' here."

Government City Number 23, a super-secret facilty, used to make advanced
nuclear weapons for the Chinese government. It is located, according to
sources, somewhere near the Chinese Mongolian border. "We don't need more
hydrogen bombs. We can get all of those that we want from North Korea. And
cheap!" When asked why, she said, "We need more PCs, tablets, and
smartphones." Xiahuang then said, "Also, we have all of these U.S. Treasury
bonds just sitting around doing squat. If we can use a few of those to buy a
has-been company like Dell, why not? Better than earning almost no interest
like Amercian retirees."

When asked about the business model for the decision, Xiahuang said, "Well,
we don't see much of a domestic market, but we definitely have a guaranteed
market with the U.S. government with Dell's Federal Systems Division." When
pressed for details, she said, "We don't foresee any consumer demand at all
for Dell products. We'll focus on selling hardware and software to the
U.S. Government. We have an excellent relationship with their procurement
agencies."

Michael Dell could not be reached for comment. A written press release by
Dell warned that any levereged recapitalization, even by a major government,
was risky. "While we have no objection to moving to Mongolia, especially
given how we now are headquartered in Round Rock, Texas, we do feel
compelled to mention that the telephone system near Mongolia would not
support our outsourced customer service model." Additional questions were
deferred for later according to the press release, to comply with
Sarbannes-Oxley.

Outside analysts dismissed this, noting that Dell long ago abandoned any
pretense of good customer service for anyone, especially low-level
consumers. "The Chinese will whip them in line," said Ani Prox, a financial
sector tech analyst. "I can't wait until they screw over a relative of the
Central Committee and then the Chinese publically execute a few of their
so-called 'customer support' drones." When asked if he thought this a good
move, Prox said, "I don't want to say that I'm literally jumping with
joy. But I am. Those damned monsters had it coming."

Many American analysts have concerns about the proposed U.S. cyber-espionage
rule that would limit Chinese imports of information technology products in
the wake of alleged Chinese hacking attacks on the U.S.. When asked about
those concerns, Chinese government spokesperson Xiahuang said, "The Chinese
government does not engage in hacking. Hello? If we did would we buy a
company with such strong customer dissatisfaction as Dell?" She went on to
dispute that the U.S. has evidence of hacking attacks by China and claimed
that more than half of the attacks actualy originate from Dell PCs in the
United States. "Let's face it; we do the Americans a huge favor here which
the Obama Administration knows. We don't foresee any problems with this
minor acquisition of a failed and widely-hated company."

According to the U.S. Congressional Research Service, the United States
imports about $129 billion worth of "advanced technology products" form
China, which includes PCs, laptops, tablets, smartphones, music players,
gaming devices, and military drones. U.S. military and intelligence
community purchases of these products has tripled in the past year under
Obama Administration rules.

Chinese state media, including Xinhua, the China Daily, and the People's
Daily, quoted a spokeperson for the Chinese Ministry of Commerce. "The
proposed U.S. bill sends a very wrong signal. Don't they want us to buy that
awful Dell company to use up some of the massive amounts of U.S. T-bills we
bought? We already buy up all of their real-estate that we can to prop them
up."

"This abuse of so-called national security measures is unfair to Chinese
enterprises and people, and extends the discriminatory practice of
presumption of guilt," said the article in the official People's
Daily. "This severely damages mutual trust between the U.S. and China."
China Daily, in an editorial widely believed to be written by the
government, said, "Besides, China does the U.S. taxpayers a favor by taking
this awful company off their hands. Does the U.S. want another bailout of a
failed company on their hands?"

Technology security lawyer Stuart Bleaker wrote in a recent blog post that
China could claim that the United States is violating World Trade
Organization rules. However, because Beijing hasn't signed a WTO agreement
setting international rules for government procurement, it may not be
successful in its challenge, even though no one actually pays attention to
WTO rules when big players like China are involved.

Chinese foreign ministry spokesman Hong Lei also urged the U.S. to abandon
the law at a news conference on Thursday. "This bill uses Internet security
as an excuse to take discriminatory steps against Chinese companies," he
said. "Let us buy Dell already! What's your problem? Frankly, we do you
Americans a huge favor. You can't possibly want this awful company. We'll
take it off your hands, get rid of some of the debt you owe us, and employ a
bunch of people near Mongolia. A win-win for everyone."

A U.S. State Department spokesperson could not be reached for comment.


Deeper Meaning in a Live YouTube April Fools' Gag (NNSquad)

Lauren Weinstein <lauren@vortex.com>
Mon, 1 Apr 2013 17:10:33 -0700
          Deeper Meaning in a Live YouTube April Fools' Gag
             http://lauren.vortex.com/archive/001018.html

As I'm typing this at around 16:45 PDT on April Fools' Day, Google's YouTube
is running one of the funniest stunts I've seen in years.

On this currently live video feed ( http://j.mp/X9E9pj ) we have a pair of
presenters reading the titles and uploader descriptions of seemingly rather
randomly selected YouTube videos.  They're not showing the videos mind you
(except for a few being "spotlighted")—just reading texts from large
piles of red and white YouTube cards, in a manner reminiscent of some
twisted awards ceremony from an alternative universe.

And in fact, this April Fools' Day event is part of a larger gag (one of
many deployed by Google for today—others included "Gmail Blue," "Google
Nose," and more).

In this case our presenters are purportedly in the process of announcing
every video ever uploaded to YouTube, in preparation for shutting down
YouTube for a decade, while the corpus of existing videos is reviewed to
select the "best of them all"—to be announced in 2023, of course.

What's so very fine about this particular joke is the way the pair of
presenters (Donald and Kendra) are playing it all absolutely straight, with
barely a smile cracked as they intone out loud video descriptions ranging
from touching to ludicrous, all of which appear to be 100% absolutely legit.
And of course, the juxtaposition of completely unrelated descriptions only
adds to the amusement.

But as this delightful spectacle continues to stream onto a screen to my
left at this very moment, I'm thinking that there is a deeper meaning in
play.

Those YouTube video descriptions—from serious to silly, from banal to
urbane—and by definition the videos associated with them—are a
cross-section of real life, in all its stupendous variety and wonder.

Soldiers in battle.  Dog eating burger.  Bad guitar players.  A tribute to a
lost friend.  Millions and millions and millions of videos, every single one
meaning something to whomever took the time to upload them.

Lots of people make money posting on YouTube, but vastly more post simply
for the joy of sharing what they care about, and within those piles of cards
being read aloud today is the very essence of that meaning—remarkably
clear even absent the actual videos themselves.

I think this is a truth worth noting.  And since D and K were just provided
with chairs at last, it looks like the show may be good to go for quite a
while yet!

Even in the midst of this great April Fools' concept, there is a teachable
moment in every video upload, in every video description.  Together they're
a distillation of so many persons' loves (and hates), desires, fantasies and
memories.

That's quite remarkable, really.

And it's no joke.


New Test for Computers - Grading Essays at College Level (NYTimes.com)

Gabe Goldberg <gabe@gabegold.com>
Thu, 04 Apr 2013 17:13:20 -0400
Imagine taking a college exam, and, instead of handing in a blue book and
getting a grade from a professor a few weeks later, clicking the `send'
button when you are done and receiving a grade back instantly, your essay
scored by a software program.

And then, instead of being done with that exam, imagine that the system
would immediately let you rewrite the test to try to improve your grade...

http://www.nytimes.com/2013/04/05/science/new-test-for-computers-grading-essays-at-college-level.html?hp

What could go wrong?

  [For example, students who reverse engineer the software or gain
  experience from the program's behavior can adjust their writing styles to
  just barely get a good grade—without ever really learning how to write
  effectively.

  By the way, Harvard now “admits that the e-mail surveillance was wider
  than the school originally admitted.''  Perhaps U.C. Santa Cruz had a
  better idea to do away with grades and grade-point averages—which might
  cause problems only when an undergrad wants to get admitted to a graduate
  school other than UCSC.

  But we seem to be generally dumbing down education wholesale at many
  levels, leading to lowest-common-denominator curricula, narrowing what is
  or can be taught, and reducing personal contacts with teachers.
  Autograding certainly might be another step in that direction.  PGN]


"Fix your DNS servers or risk aiding DDoS attacks" (Ted Samson)

Gene Wirchenko <genew@telus.net>
Mon, 01 Apr 2013 13:59:26 -0700
Ted Samson, InfoWorld, 01 Apr 2013
Perpetrators of the DDoS ambush against Spamhaus exploited open DNS
resolvers in third-party servers
http://www.infoworld.com/t/security/fix-your-dns-servers-or-risk-aiding-ddos-attacks-215510

  [Not an April-Fools' piece.  It seems to have been a light year.  PGN]


"Cyber criminals tying up emergency phone lines through TDoS attacks" (Ted Samson)

Gene Wirchenko <genew@telus.net>
Tue, 02 Apr 2013 13:00:45 -0700
Ted Samson, InfoWorld, 01 Apr 2013
Similar to DDoS attacks, TDoS also used to extort cash from targets,
including businesses and public service agencies
http://www.infoworld.com/t/cyber-crime/cyber-criminals-tying-emergency-phone-lines-through-tdos-attacks-215585


Prenda Law's Attorneys Take The Fifth Rather Than Answer Judge Wright's Questions

Lauren Weinstein <lauren@vortex.com>
Tue, 2 Apr 2013 16:05:23 -0700
http://j.mp/16uxXLr (Popehat via NNSquad)

  "Today the Prenda Law enterprise encountered an extinction-level event.
  Faced with a federal judge's demand that they explain their litigation
  conduct, Prenda Law's attorney principals - and one paralegal - invoked
  their right to remain silent under the Fifth Amendment to the United
  States Constitution. As a matter of individual prudence, that may have
  been the right decision. But for the nationwide Prenda Law enterprise,
  under whatever name or guise or glamour, it spelled doom."

Such a cheerful word in this particular case: "doom."


"Firefox 20 ups HTML5 support, adds dev tools and per-tab Private Browsing"

Gene Wirchenko <genew@telus.net>
Wed, 03 Apr 2013 08:12:15 -0700
I had not thought of the risk presented in the use case quoted, probably
because I am the only one who uses my computers.  I have read accounts of
people searching for something on the Web and then getting bombarded with
ads for it for some time after.

http://www.infoworld.com/t/applications/firefox-20-ups-html5-support-adds-dev-tools-and-tab-private-browsing-215672
Ted Samson, InfoWorld, 02 Apr 2013
Firefox 20 ups HTML5 support, adds dev tools and per-tab Private Browsing
Mozilla's latest browser release unlocks HTML5 features and supports
ARM processors for low-power smartphones

"Privacy buffs will likely be most interested in per-tab Private Browsing
feature, which lets you open a new window for an Internet session during
which no site- or page-specific data—such as history, passwords,
downloads, or cookies—is saved to your machine. You can then freely
switch back and forth between private-session windows and the regular one.

Mozilla provides a fairly innocent example of a use case: a user browsing
online for a surprise gift."


MS apologizes for employee's Xbox Durango 'always-online' tweets

Lauren Weinstein <lauren@vortex.com>
Fri, 5 Apr 2013 19:56:26 -0700
http://j.mp/10mgja9  (The Next Web via NNSquad)

  "On Thursday, Microsoft Studios creative director Adam Orth sent out a
  slew of tweets implying that he sees nothing wrong with rumors of
  Microsoft's next Xbox, codenamed Durango, requiring an "always-on"
  Internet connection to function. Unsurprisingly, the backlash from users
  was massive, and although Orth ended up setting his Twitter account to
  private to hide them from the general public, by then the damage had
  already been done.  Microsoft on Friday released an official statement
  regarding the tweets: ..."

As the song says, "When will they evvvvvver learn?"
Tweets are public.  Public is public.  Period.


"Ransomware uses victims' browser histories for increased credibility" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 02 Apr 2013 12:57:48 -0700
http://www.infoworld.com/d/security/ransomware-uses-victims-browser-histories-increased-credibility-215560
Lucian Constantin, IDG News Service, InfoWorld, 1 Apr 2013
Visited websites are listed as source of illegal material to make
bogus police messages more believable, researcher says


ZIP Codes Are Definitely "Personal Identification Information"

Monty Solomon <monty@roscom.com>
Mon, 1 Apr 2013 10:50:32 -0400
Massachusetts Supreme Court Rules ZIP Codes Are Definitely "Personal
Identification Information"

http://privacylaw.proskauer.com/2013/04/articles/uncategorized/massachusetts-supreme-court-rules-zip-codes-are-definitely-personal-identification-information/


Everything We Know About What Data Brokers Know About You

Monty Solomon <monty@roscom.com>
Tue, 2 Apr 2013 01:14:33 -0400
http://www.propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you


Mozilla Firefox CPU hog ??

Henry Baker <hbaker1@pipeline.com>
Tue, 02 Apr 2013 11:00:32 -0700
I usually visit most web sites with Javascript turned *off*, which
traditionally has saved a lot of CPU effort, because Javascript isn't
constantly busy sending my mouse position back to the web page I'm visiting.

However, I've noticed that in the most recent versions of Mozilla Firefox
(19, perhaps even 18)—even with Javascript turned off—my Windows CPU
is working so hard for Firefox that it has trouble mouse tracking my other
applications.  I know this because the moment I exit Firefox, my mouse
tracking returns to normal.  Also, Windows Task Manager reports exceptional
usage by Firefox.

Neither the Internet Explorer nor the Opera browser require such heavy CPU
activity, so this issue is specific to Firefox.

I don't know if Firefox has gone over to the 'dark side', and is now spying
on its users full time, but there is no legitimate reason for all of this
heavy duty CPU activity.


`Massive' Cyberattack Wasn't Really So Massive (David Talbot)

Dewayne Hendricks <dewayne@warpspeed.com>
Tue, Apr 2, 2013 at 6:48 AM
[Note: This item comes to DLH via Mike Cheponis, and thence via Dave Farber.]

Date: April 1, 2013 1:28:17 AM PDT
From: Michael Cheponis <michael.cheponis@gmail.com>
Subject: Denial of Service Attack on Spamhaus Was Enabled by Lax Server

David Talbot, `Massive' Cyberattack Wasn't Really So Massive
*MIT Technology Review*, 29 Mar 2013

A decade-old fix could have easily stopped this weekend's attack on an
anti-spam company, but the truth is many Web companies simply ignore such
fixes.
http://www.technologyreview.com/news/512911/massive-cyberattack-wasnt-really-so-massive/

An attack that disrupted Internet service over the past week would have been
stopped by a simple Web server configuration fix that's been understood for
a decade but is widely ignored by Web companies, experts say.

The prolonged assault targeted Spamhaus, a European nonprofit that reports
where spam is coming from and publishes a list of implicated Web servers.
The apparent flashpoint was the addition of CyberBunker, a Dutch
data-storage company, to its roster.

The unidentified attackers used a botnet—a network of infected ordinary
computers—to attack Spamhaus's website and then the servers of
CloudFlare, a content-delivery company that stepped in to help Spamhaus
manage the influx of traffic. The attack also affected regional Internet
servers that are transit points for not only the two targeted companies but
also many others.

While some observers have suggested that the scale of the attack was smaller
than most reports indicated, according to a blog by the Austrian Computer
Emergency Response Team (CERT), the attack caused “disruption in some parts
of the Internet.''

The kind of attack that occurred is called `distributed denial-of-service'
because many computers are tricked into sending chunks of data at one
target, overwhelming it. This attack took advantage of a weakness in
domain-name servers, or DNS servers, where typed Web addresses are resolved
into the numerical codes that correspond to the machines that hold the
relevant information.

The attack involved sending DNS servers requests forged to look as if they
came from the target. These DNS servers responded by overwhelming the target
with data it didn't actually ask for. The impact can be amplified because
the DNS servers—depending how they are configured—can be asked to
send large amounts of data. [...]


Risks of ASCII-formatting mathematics (Bellovin, RISKS-27.23)

Bill Stewart <bill.stewart@pobox.com>
Sun, 31 Mar 2013 23:47:51 -0700
  What's new is that someone has managed to turn the weaknesses into a real
  exploit, albeit one that needs at least 224 and preferably 230 encryptions
  of the same plaintext to work.

Except he almost certainly didn't write that; the numbers were presumably
2**24 and 2**30, expressed in some notation that didn't survive some
reformatting process somewhere.

(Either way, it's interesting math and a good practical article.)


Sears Discloses User-Selected PIN

Richard Karash <richard@karash.com>
Sun, 7 Apr 2013 09:45:35 -0400
Sears has a "rewards" program called Shop Your Way Rewards. Users are given
a membership number and are invited to select a PIN of 4-8 digits (good).

To help users remember their credentials, the program sends regular e-mails
(sounds OK).  These e-mails contain the membership number and the
user-selected PIN (bad).  Making a bad situation even worse, the program
gives you a membership card with your number—and your selected PIN
printed right on the card.  Why have a PIN if it is printed right on the
card?

The risk arises because I, like most users, have a favorite memorable PIN
and use it at multiple sites. The risk is, by using Shop Your Way Rewards,
MY PIN has now been exposed.

  [Of course, THAT'S bad!  PGN]

Richard Karash —Richard@Karash.com—Karash Associates LLC
+1 617-308-4750 — http://Karash.com


Online tax returns, You're Doing It Wrong...

Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Sat, 06 Apr 2013 19:58:44 -0400
Just seen on Google+, slightly redacted for privacy.  All three
gentlemen share the same LASTNAME...

Will LASTNAME originally shared this post:

To Robert LASTNAME: congrats, your federal tax return has been accepted.

To Wade LASTNAME: unfortunately your tax return was rejected because you
included the wrong birth date.

To both you: learn your friggin e-mail address  Both of you input my e-mail
address into TurboTax, so now I'm getting all your tax-related e-mails.

And to +TurboTax: what the heck are you thinking, not actually verifying
people's e-mail address before you start sending personal information in
e-mails?!


Wow! Are we still in the 1990s?

Gene Spafford <spaf@purdue.edu>
Wed, 3 Apr 2013 13:38:21 -0400
I had a problem with pages at Starbucks.com displaying properly on Mac
(using Safari).  I sent an e-mail to them, pointing out the problem.
Enclosed is the response.

I don't think I need to say a lot, but it is clear that they are stuck in
the 1990s, don't know about standards-compliance, and appear to not value
customer security and choice.  I was amazed to get a reply like this in 2013
-- and not on April Fools!

Begin forwarded message:

> From: Starbucks Customer Care <info@starbucks.com>
> Date: April 3, 2013, 1:26:56 PM EDT

> Dear Gene,
> Thank you for contacting Starbucks.

> Please note, if you are attempting to access Starbucks.com through a
  browser such as Firefox or Safari, some portions of the site may not
  function properly or permit access.  We recommend using Microsoft Internet
  Explorer for optimum performance.  If you continue to experience
  difficulty, please feel free to call 1-800-STARBUC and a representative
  will be happy to assist you.

Please report problems with the web pages to the maintainer

Top