The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 29

Saturday 25 May 2013


CPSR's demise
Rebecca Mercuri
World's largest "agile" software project close to failure
Lauren Weinstein
"New Spear-Phishing Campaign Infects 12,000 Worldwide"
Chris Paoli via Gene Wirchenko
Is IT the only place having estimate problems?
Paul Robinson
Google indexes Greek IRS database of companies registered in Greece.
Vassilis Prevelakis
PCMag: How to Hack Twitter's Two-Factor Authentication
Lauren Weinstein
Curious press release from phone encryption service
Mark Frauenfelder via Dewayne Hendricks
Smartphone Wi-Fi client security weakness
Lauren Weinstein
"Growing mobile malware threat swirls mostly around Android"
Stephen Lawson via Gene Wirchenko
Skype scans all your messages: Heise reports
Peter Houppermans
Skype spying
Mark Thorson
"Is Microsoft peeking into your Skype messages?"
John P
Mello Jr. via Gene Wirchenko
Cyber Attack Affects Thousands of Akron Taxpayers
Danny Burstein
Making Quantum Encryption Practical
Larry Hardesty
Phone Firms Sell Data on Customers
Anton Troianovski via Monty Solomon
Re: Pilots communicate with ATC with text messages
Peter Bernard Ladkin
Diomidis Spinellis
John Levine
USA Intellectual Property Theft Commission Recommends Malware!
Lauren Weinstein
Re: Cell phone tracking—an example
Tony Rajakumar responding to others
Info on RISKS (comp.risks)

CPSR's demise (Re: RISKS-27.28)

RTMercuri <>
Sat, 18 May 2013 09:11:08 -0400
I was sorry to read about the dissolution of CPSR in Peter Neumann's recent
Risks Digest. CPSR was one of the first computer-related activist groups,
and their members and speakers at conferences and events, including myself
on occasion, typically provided a colorful commentary and insightful
critique of technology policy issues.

But I strongly disagree with Douglas Schuler's assessment that "the age of
the participatory membership organization is over." Far from it. What is
waining are the stodgy inbred groups that have failed to continue to attract
audiences beyond the greybeard set, in part due to their leadership's
inability or unwillingness to use social media. CPSR's website at <>
looks like it hasn't been updated since 2008, and doesn't sport links to
Facebook, LinkedIn, and Twitter pages (likely because it never set up
any). This notice of its disbanding in 2013 seems like a belated formality.

Many socially-relevant groups, like EFF and Richard Stallman's Free Software
Foundation, are still going strong. IEEE has over 400,000 members
world-wide, with many thousands who are actively involved in their stateside
public policy arm, IEEE-USA. Meetup provides a forum where anyone with any
particular pet peeve can find like-minded others and easily establish a
group, some of which grow to 1000+ in membership in less than a
year. Princeton Tech Meetup, though not specifically policy-focused, is a
good example. Their recent meeting notice included mention of an upcoming
event "Hacking Asbury" by an associated group, Jersey Shore Tech
Meetup. “It's more than a conference and more than a hackathon—it's a
community event for people to come out and hear some great speakers, sit
with some outstanding mentors, or build something cool to show the
community. Throw in some food and beer and it's pretty much a summer BBQ for
hackers, builders, & entrepreneurs'' If one wants to talk about public
policy or make changes at the grassroots level, this is a great way to do

CPSR has only itself to blame for not adapting to the times while still
retaining its focus on its key issues that are even more relevant in an era
of cel-phone triggered bombs, ubiquitous spy-cams, and killer drones. Yet
their Public Sphere Project, though well intentioned, is another example of
backward-thinking. Cataloguing of activist groups is unnecessary, partly
because some prefer to operate underground, but mainly because the rest can
already be found via search engines and social media. There's no way that
the PSP list will ever be able to stay as current or comprehensive as these
other methods, so it is a futile effort.

Although it is sentimentally sad to see CPSR go, the lesson in its departure
is that those groups that cannot keep up with the constant change of
technology will, and perhaps should, be left behind. As Dylan sang,
"...don't criticize what you can't understand...your old road is rapidly
agin', please get out of the new one if you can't lend your hand, for the
times they are a-changin'."

Sayonara, Rebecca Mercuri.

[Note: Permission granted to post this message, only in its entirety,
without editing.]

World's largest "agile" software project close to failure

Lauren Weinstein <>
Sat, 25 May 2013 07:59:09 -0700

  [Agile Is Fragile?  PGN]

"New Spear-Phishing Campaign Infects 12,000 Worldwide" (Chris Paoli)

Gene Wirchenko <>
Fri, 24 May 2013 14:21:23 -0700
Chris Paoli, *Redmond Magazine*, 22 May 2013

Is IT the only place having estimate problems?

Paul Robinson <>
Sat, 25 May 2013 00:28:07 -0700 (PDT)
One of the problems that anyone who's been familiar with typical IT projects
can recognize the problems that a department head at Kia Motors America
Inc., D. Casey Flaherty, talks about in his article "Trust, But Verify".
(Free registration required)

He mentions how you contact a vendor, and despite the fact they do
keep track of what they do and how long it usually takes, they usually can't
give a good estimate of what it will take to do the job in terms of
resources, how much it will cost, and how long it will take.

Now, is Mr. Flaherty CIO at KIA or someone involved in software development?
No, he's Chief Legal Counsel and 'a vendor' is outside counsel at a law
firm. He gives an example: "Request that outside counsel provide you with a
budget estimate for a common task, such as an opposition to a motion for
summary judgment. When counsel respond that they are unable to construct a
budget for a content-free hypothetical, ask that they merely provide you a
range of costs for a final budget. If they supply that range, ask how they
developed it, and what data it is based on... Most law firms are religious
about recording attorneys' time... Yet, ask for a budget for a prospective
task and you typically are fed a word salad about uniqueness,
idiosyncrasies, contingencies, etc. In short, you are subjected to that most
lawyerly of all phrases: 'It depends.'"  The article might be extremely
comical except for the fact it points up (which he is not aware is also a
problem in other industries than his own [like ours]) a rather nasty problem
that we, as programmers, analysts, developers and (allegedly!) software
professionals, working in a technologically-advanced profession, often don't
even have information about what we're doing, we have no metrics to even
offer reasonable estimates, and when we do offer estimates they're (also,
like lawyers) often woefully deficient in both time and resources. Plus,
programmers tend to be horrible negotiators, if management demands the
impossible, if the programmer or (former programmer and now) programming
manager, is asked to accomplish something by a date certain that he (knew
or) should know/should have known, doesn't provide enough time to do so,
instead of pushing back and saying the deadline is too tight, will go along,
and end up with either a missed deadline, a rushed and buggy project, or,
worse case, the project gets canceled and you might simply have wasted both
the money spent to build the project as well as the time lost to work on it
(and the time of the people who spent time working on it), that either you
never get back, or, worse, if you need something to solve the problem and
can't just walk away and not do anything (and continue with the existing
solution), you now have to start a brand new project and start all over (and
take a risk that you'll end up, with what would otherwise be another in a
laughingly humorous cycle of 'lather, rinse, repeat'=A0 failed
projects. Only no one's laughing, or worse, your company ends up wasting so
much resources that it goes out of business).  And, looking at his article,
this adds a new set of risks. If an IT project is too expensive or is going
to take too long, you can cancel it and either use what you were doing
before or perhaps use what you did get and do something else for the part it
doesn't accomplish. If you're having to sue someone—or worse, defend your
company against a suit—you can't just cancel the lawsuit, you'd either
default and never get relief for a contract breach or some injury, you'd
have to pay a default judgment (which if the plaintiff asked for an
unreasonable amount of money, like a trillion dollars, they might actually
be awarded that as a judgment), or in the worst case, some people could be
subject to criminal liability and maybe someone goes to jail or prison. But
if you can't even get reasonable estimates from your outside lawyers, no
wonder lawsuits are so expensive.  ABut we do have one advantage, at least
if you cancel a partially completed IT project you might have a partial
solution! A partially completed lawsuit leaves you with nothing but a very
expensive fiction story. (If you actually believe the stuff in legal briefs
has anything to do with truth or reality, well, I have some ocean-front
property in Las Vegas you really want to buy! ('really' = 'before you regain
your sanity/come to your senses, and stop payment on the check').

Google indexes Greek IRS database of companies registered in Greece.

Vassilis Prevelakis <>
Sun, 19 May 2013 04:20:16 +0300
First some background:

a) Everybody who is doing business in Greece, whether a person or company,
needs to have a unique id which is called the AFM. When issuing an AFM the
Greek IRS collects information about the "entity" (individual or company)
which includes the name, address, telephone number of the entity. If the
"entity" is a self employed person, then this information most likely is his
or her home address. If any of this information changes, the "entity" must
notify the Greek IRS so that the record may be updated.

b) The agency ( that handles IT for the Greek IRS has recently
created a web-based interface to its database so that anybody (without
authentication or prior registration) may submit an AFM and receive the
informational record of the entity that corresponds to that AFM (or an error
if the entity is not active or the submitted number has not been allocated
to an entity).

c) Since the AFM numbers consist of 8 numeric digits (plus a check digit
which is derived from the other 8) and are clustered in large allocation
chunks, it clearly follows that somebody could data mine the GSIS system (by
submitting all possible combinations of AFM numbers within each cluster) and
create a duplicate of the GSIS database [1]. And, of course, someone did. So
we have a site ( that provides a web-based application that
gives the same information as the GSIS site.

Now here comes the interesting part. Google has indexed the greekafm site,
thus the entire copy of the GSIS database is now available for searches via
Google. Possible queries include searches not only by AFM, but by telephone
number, name, street address and so on. I wonder how long it will be before
somebody integrates this with Google maps.

Another probably beneficial side-effect is that now everybody can see the
numerous errors that this database contains (dead people who are still
considered active, extinct companies that appear to be in business, 7-digit
phone numbers, despite the fact that these have been obsolete for more than
a decade, and so on).

Vassilis Prevelakis, Institut fuer Datentechnik und Kommunikationsnetze
Technische Universitaet Braunschweig

[1] Amazingly, the GSIS system did not mind if large numbers of queries of
sequential AFM numbers were submitted from the same IP address over a short
time frame. This would indicate that the GSIS administrators did not care if
someone was overtly copying their database.

PCMag: How to Hack Twitter's Two-Factor Authentication

Lauren Weinstein <>
Fri, 24 May 2013 18:22:33 -0700
  In a short, droll video about Twitter's two-factor authentication,
  Alexander congratulates Twitter for joining a "security two-step program"
  and taking the first step, admitting a problem exists. He then goes on to
  illustrate just how little the SMS-based two-factor authentication
  helps. "Your new solution leaves the door wide open," said Alexander, "for
  the same man-in-the-middle attacks that compromised the reputations of
  major news sources and celebrities." (PCMag via

Curious press release from phone encryption service (Mark Frauenfelder)

<Dewayne Hendricks>
Wednesday, May 22, 2013
  [Note:  This item comes from friend Steve Schear.  DLH]

Mark Frauenfelder, *BoingBoing*, 22 May 2013

Seecrypt costs $3 a month and allows subscribers to make encrypted phone
calls to each other. It promises a "100% protected network through
encryption between two callers anywhere in the world." Sounds interesting
and useful for keeping government snoops away. However, the press release
issued today tells a somewhat different story:

Seecrypt CEO Mornay Walters: `Seecrypt will pro-actively assist law
enforcement agencies to prevent criminal activity being carried out using
this encryption service. Our technology is designed to restore privacy
rights for legitimate usage, Seecrypt's Privacy Network has been designed so
that it can terminate access rights immediately for any individual
identified by law enforcement or other governmental authorities as suspected
of improper use.''

Does that mean that if someone is using Seecrypt and the government starts
investigating them the service simply shuts off? If so, it's a great way
for criminals to learn that they are under investigation.

Or does it mean that Seecrypt will let the suspect make calls without
letting them know that the encryption has been disabled?

Or, does it mean Seecrypt will do something else that I can't think of? I
e-mailed Seecrypt to find out and will share my answer when I get it. ...

Dewayne-Net RSS Feed: <>

Smartphone Wi-Fi client security weakness

Lauren Weinstein <>
Wed, 22 May 2013 20:55:03 -0700
  "Google Android, Apple iOS, BlackBerry, and Windows Mobile devices have an
  inherent security weakness in the method they use for connecting to Wi-Fi
  networks that has the potential for exploitation by skilled
  cyber-attackers says security expert Raul Siles. The vulnerability is
  dependent on how the network is added to the device and stems from the
  procedure where Mobile devices keep a list of manually configured wireless
  networks plus any networks it has previously connected to on a Preferred
  Network List (PNL)."  (Net-Security via NNSquad)

"Growing mobile malware threat swirls mostly around Android" (Stephen Lawson)

Gene Wirchenko <>
Fri, 24 May 2013 10:12:39 -0700
Stephen Lawson, IDG News Service, InfoWorld Home, 22 May 2013
Attacks on mobile devices are rising just as PC malware soared with
the Web, Kaspersky Lab says

Skype scans all your messages: Heise reports

Peter Houppermans <>
Sun, 19 May 2013 11:30:50 +0200
German hackers discovered Microsoft was visiting websites up to 3 hours
later after they were mentioned in Skype messages, which was then verified
by creating some special weblinks on their own servers that could not have
been discovered any other way—sure enough, visits took place shortly
after mentioning them on Skype.

The details can be read at,
but here is a summary:

Attentive hackers found that encrypted website links (https) were visited
from a Microsoft owned location up to several hours after they were
mentioned in Skype messages.  After this was verified, Microsoft was asked
for answers, and it replied with statements that did not seem to match the

However, even more important is that the activity ended after those
questions, which suggests to me that this wasn't some automatic system
buried somewhere in their infrastructure—it was an actively supervised
process.  Which raises its own questions...

Peter Houppermans, Private & Confidential Group, Switzerland
E  T  +41 43 433 1090  W

Skype spying

Mark Thorson <>
Tue, 21 May 2013 13:12:46 -0700
Recently Microsoft has been running TV commercials deriding Google
for reading your e-mail to cue advertisers to send you "targeted" spam.
How ironic that Microsoft's Skype service has been caught using the
contents of chat messages passed through their service.

"Is Microsoft peeking into your Skype messages?" (John P. Mello Jr.)

Gene Wirchenko <>
Fri, 24 May 2013 10:15:47 -0700
John P. Mello Jr., PC World/InfoWorld Home, 22 May 2013
Ars Technica says Microsoft appears to be scanning Skype messages for
security reasons, but what's done with the information is unknown.

Cyber Attack Affects Thousands of Akron Taxpayers

Danny Burstein <>
Fri, 17 May 2013 16:31:02 -0400 (EDT)
The City of Akron is in the process of getting to taxpayers who may have had
their information posted on a hacker website.  City officials confirm that a
hacker group in Turkey posted personal and financial information of nearly
8,000 Akron taxpayers.


Making Quantum Encryption Practical (Larry Hardesty)

ACM TechNews <technews@HQ.ACM.ORG>
Fri, 24 May 2013 11:25:18 -0400
Making Quantum Encryption Practical
Larry Hardesty, *MIT News*, 20 May 2013)

Massachusetts Institute of Technology (MIT) researchers who proposed
solutions to practical problems with quantum key distribution (QKD) as a
method of secure data transmission have now demonstrated their method
experimentally, proving all of their theoretical predictions.  QKD is
intended for cryptographic key distribution for non-quantum cryptography,
because every bit received requires the transmission of an enormous volume
of bits, which is acceptable for key distribution but not for
general-purpose communication.  In addition, QKD systems depend on photon
properties and thus are highly susceptible to signal loss, especially over
large distances, and usually only work across distances of about 100 miles.
The MIT team addressed these challenges with a new quantum communication
protocol that is far more resilient to signal loss than QKD, and transmits
only one bit for every one received.  The mutual dependency of electron
spins orbiting the nucleus of an atom at the same distance is known as
entanglement, which is delicate and begins to break down as soon as
particles interact with their immediate environments.  With the new
protocol, even if the entanglement between two light beams breaks down and
correlation returns to classical limits, it can remain much higher than it
would be if the beams had started with a classical correlation.

Phone Firms Sell Data on Customers (Anton Troianovski)

Monty Solomon <>
Fri, 24 May 2013 22:29:05 -0400
Anton Troianovski, *Wall Street Journal*, 21 May 2013

Big phone companies have begun to sell the vast troves of data they gather
about their subscribers' locations, travels and Web-browsing habits.

The information provides a powerful tool for marketers but raises new
privacy concerns. Even as Americans browsing the Internet grow more
accustomed to having every move tracked, combining that information with a
detailed accounting of their movements in the real world has long been
considered particularly sensitive.

The new offerings are also evidence of a shift in the relationship between
carriers and their subscribers. Instead of merely offering customers a
trusted conduit for communication, carriers are coming to see subscribers as
sources of data that can be mined for profit, a practice more common among
providers of free online services like Google Inc. and Facebook Inc.

When a Verizon Wireless customer navigates to a website on her smartphone
today, information about that website, her location and her demographic
background may end up as a data point in a product called Precision Market
Insights. The product, which Verizon launched in October 2012 after trial
runs, offers businesses like malls, stadiums and billboard owners statistics
about the activities and backgrounds of cellphone users in particular
locations. ...

Re: Pilots communicate with ATC with text messages (Spinellis, RISKS-27.28)

Peter Bernard Ladkin <>
Sat, 18 May 2013 08:52:16 +0200
> The *World Street Journal* (16 May 2013) ran an article on systems that
> allow pilots and air traffic controllers to communicate via text messages
> [1]......  the risks of the new technology seem to get a short shrift.

This is not "new technology", it is well-tried and -tested technology.

The protocol is called CPDLC (for Controller-Pilot Data-Link Communication)
and it has been in regular use for a decade and a half on trans-Pacific
flights, and for many years in Europe at the Maastricht center. See the
second paragraph of the WSJ article. There is an ICAO spec for it.

It's newer to the US, though, which I take it is why the WSJ is interested now.

For the history of CPDLC use, see the "Implementation" section of–pilot_data_link_communications
which is more or less accurate.

The point about CPDLC is that it replaces voice for routine communications.
Obviously "text messages" are the payload for the kind of information

A concern which I had 15 years ago was that the payload is transmitted in
cleartext and thereby theoretically open to spoofing. I didn't think that
would be much of a problem with the transoceanic FANS/1 implementation,
because that goes via satellite. But it turns out there haven't been any
significant incidents of spoofing with any of the implementations, nor with
the other protocols (there are many) which involve air-ground exchange of
textual information.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

Re: Pilots communicate with ATC with text messages (Ladkin)

Diomidis Spinellis <>
Sat, 18 May 2013 10:34:46 +0300
I fully agree that text-based communication can be better than voice-based.
My worry is about those "pop-up windows with various choices of standard
messages" described in the article.  I think that having the controllers
actually *type* short unambiguous messages that would follow a specific
protocol would be less risky.  Choosing by accident the wrong element from a
pop-up window will result in a valid but incorrect message that the other
end is likely to act upon.  On the other hand, a mis-typed message is far
more likely to appear garbled or nonsensical on the other end prompting a
request for a correction.

Re: Pilots communicate with ATC with text messages (Spinellis, RISKS-27.28)

"John Levine" <>
18 May 2013 00:01:07 -0000
> What could possibly go wrong?

Plenty, but the relevant question is how this compares to the current
situation using voice communication and often impenetrable accents.

It also seems to me that it depends a lot on the details of the
implementation, e.g., if the popup leaves some sort of hint on the
plane's track to remind the controller of what message he or she sent.

Re: Pilots communicate with ATC with text messages (Spinellis, RISKS-27.29)

Peter Bernard Ladkin <>
Sat, 18 May 2013 10:58:17 +0200
>>  What could possibly go wrong?
> Plenty,

Actually, very little.

The protocol is known as CPDLC, and replaces voice communications with
electronic messages, when desired. It has been running at Maastricht Upper
Airspace Control (MUAC), some of the busiest en-route airspace in Europe,
for over a decade.

This is upper-airspace stuff, concerned with routing on airways and
assignment of flight levels. The routine error rates are known through long
experience with CPDLC at Maastricht. More precisely, > The Maastricht Upper
Area Control Centre (MUAC) has been pioneering the use of CPDLC for over a
decade, and in 2012 close to 105,000 logons by some 77 different airlines
were recorded, exchanging an average of 670 messages with MUAC every
day. The proportion of flights resorting to CPDLC has been regularly
increasing in recent years.

There is a fair amount of information on all aspects of Maastricht upper
airspace control at

I see the security concerns to do with spoofing. If you work through the
possibilities of spoofing, you will find that the necessary error-correction
is already present in the routine defined activities of voice-based ATC. As
I just said in private to Diomidis: If you as a pilot get an odd ATC
clearance then you decline and confirm by voice, whereby the spoofing
becomes immediately apparent. Since this is broadcast, any confirmation by
an aircraft of an illicit clearance will be seen by ATC and immediately
queried. Any spoofed confirmation by an aircraft will result in ATC querying
why the aircraft is not following the accepted clearance (which is a
phenomenon which occurs regularly in any case). Any spoofed request will
result in an ATC reply, which will be seen by the aircraft and queried.

Suppose in any case that a spoof works (even though I have just argued that
it shouldn't). Then an aircraft will be deviating from flight level, or from
route. This will be apparent on radar; even picked up and flagged by some of
the supervision SW with which ATC systems work nowadays. And result in an
ATC query. That is just routine work.

There might be a question how the presence of CPDLC spoofing attempts would
affect the statistics on error during the routine activities. We can't know
that until somebody starts spoofing on a grand scale. If that should happen,
I imagine RTCA and EUROCAE (the industry bodies which define these
protocols) will move quickly to a version of CPDLC with encryption.

Exactly the same question arises with railway control. There is a
European-wide system for wireless control defined, based on a wireless
transmission protocol known as GSM-R (that is, mobile-phone GSM adapted for
rail). As with CPDLC, it supplants voice control.

They have gone overboard on the security. All they need is authentication,
but they have gone for a symmetric scheme with centralised key management.
When I heard about it at a conference last November, I said "what on earth
are you doing that for?" and gave some colleagues in German rail a hard
time. But they pointed out that the scheme is already European law so that
is what everyone has to implement. (Yet more evidence that political science
should become a required part of engineering education.)

>> ....but the relevant question is how this compares to the current
>> situation using voice communication and often impenetrable accents.
>> It also seems to me that it depends a lot on the details of the
>> implementation, e.g., if the popup leaves some sort of hint on the
>> plane's track to remind the controller of what message he or she sent.
> I fully agree that text-based communication can be better than
>> voice-based.  My worry is about those "pop-up windows with various
>> choices of standard messages" described in the article...

As far as I know, the relevant human factors analysis has gone into the
design of the current CPDLC interfaces (Eurocontrol has some of the leading
people in human-machine-interface human factors) and at this point there has
been considerable experience with these systems. I can probably put you in
touch with the people who are involved with it if you want to pursue it.

Peter Bernard Ladkin Causalis Limited and University of Bielefeld

Re: Pilots communicate with ATC with text messages (Ladkin)

Diomidis Spinellis <>
Sat, 18 May 2013 13:00:32 +0300
> As far as I know, the relevant human factors analysis has gone into the
> design of the current CPDLC interfaces (Eurocontrol has some of the
> leading people in human-machine-interface human factors) and at this
> point there has been considerable experience with these systems.

Great, this sounds quite reassuring.  It seems we're learning from past

USA Intellectual Property Theft Commission Recommends Malware!

Lauren Weinstein <>
Fri, 24 May 2013 11:03:17 -0700

Oh boy.  The "Commission on the Theft of American Intellectual Property" has
released its long awaited report, and it's 90 or so pages of doom, gloom,
and the bizarre—including one section that had me almost literally doing
a "spit-take" onto my screens while sipping my morning coffee. ( [IP Commission—PDF] )

I'm not going to try critique the entire report here and now.  As you'd
expect, it presents a dire scenario of intellectual property theft run amok,
and while offering only a few words of lip service to the grossly flawed
measurement methodologies that vastly overstate dollar losses in various
sectors, the report instead suggests that those exaggerations are actually
understatements—that the problem is far, far worse than we ever imagined.
Oh, the horror.  The horror.

But we expected this sort of skew to massively hyperbolize the underlying
actual problems of IP theft.

What you may not have expected, however, is that the authors of this report
appear to have been smoking "funny cigarettes" during its drafting.  OK, we
don't know this for a fact, but it's otherwise difficult to wrap your mind
around this specific proposal in the "cyber" section of the report:

"Additionally, software can be written that will allow only authorized users
to open files containing valuable information. If an unauthorized person
accesses the information, a range of actions might then occur. For example,
the file could be rendered inaccessible and the unauthorized user's computer
could be locked down, with instructions on how to contact law enforcement to
get the password needed to unlock the account. Such measures do not violate
existing laws on the use of the Internet, yet they serve to blunt attacks
and stabilize a cyber incident to provide both time and evidence for law
enforcement to become involved."

Booooing!  Say what?  Is this the parody section of the report?  Something
from "The Onion" or perhaps a "Saturday Night Live" skit?

I'm afraid they're serious.  And what they're proposing is no less than the
legitimizing of a form of malware that has attacked vast numbers of Internet
users, costing them immense lost time, money, and grief.

You may have been unlucky enough to see this for yourself.  It comes in
various forms, but generally it claims to be a law enforcement warning
(often saying it's from the FBI).  It accuses you of having some kind of
"illicit" material (usually a copyright violation and/or porn) on your
system, and demands that you contact an address for "more information"—or
even that you make immediate payment of a "fine" to release your computer.
Your webcam may even be surreptitiously used to include your photo to
further confuse and upset you.

Of course, this is all a scam.  If you go to that address, you'll likely
download more malware, or be directed to provide credit card or bank account
info to pay for your "violation" of law.  Even if you pay, you have no
assurance that this malware will go away.  Even if it does seem to release
you, it may hang around in the background sucking up your private
information, bank account access data, and who knows what else.

Consumers attacked by this class of malware have spent enormous sums to get
it actually cleaned out, and very many have been directly defrauded by it as
well.  And of course, these systems can't be used for anything else while
the malware is actively threatening you.

So now we have the IP Commission suggesting that firms be allowed to use
basically this same technique—pop up on someone's computer because you
*believe* they've stolen something from you, terrify them with law
enforcement threats, and lock them out of their (possibly crucial) data and
applications as well.

What the hell are these guys thinking?  Outside of the enormous collateral
damage this sort of "permitted malware" regime could do to innocents—how
would the average user be able to tell the difference between this class of
malware and the fraudulent variety that is currently a scourge across the

What's more, how can it possibly be justified to lock users out of their
systems on this sort of unilateral basis?  How much "theft"—even when it
actually occurred—is enough to justify locking someone out of their
private applications and data, some of which may be absolutely necessary to
their daily lives.

I could get into a lot of technical details about this, but we can just cut
to the chase for now: the whole concept is utterly insane, and frankly calls
into question the competency of the commission in general.

With our own commissions coming up with idiotic, dangerous nonsense like
this, we may have more to worry about from their kind of thinking than from
the "cyber-crooks" themselves.

And that's really, seriously, scary.

Lauren Weinstein (
Co-Founder: People For Internet Responsibility:
 - Network Neutrality Squad:
 - PRIVACY Forum:
 - Data Wisdom Explorers League:
 - Global Coalition for Transparent Internet Performance:
Tel: +1 (818) 225-2800 / Skype:

Re: Cell phone tracking—an example (via Dave Farber's IP)

Tony Rajakumar <>
May 24, 2013 6:23:35 PM EDT
Dave, the best way in the past to ensure anonymity was to buy a prepaid
cellphone for cash. That way there is no way to tie one's identity to the

Or so we thought. Researchers have found just using location information
available at the cell towers is enough to identify

In other words, you can't hide any more, especially if they want to find you.


> Date: Friday, May 24, 2013
> From: doug humphrey=20
> Subject: Re: [IP] Cell phone tracking—an example

> Turning off GPS does not stop cell phone tracking, unless you are talking
> about shooting down the satellites :-)

> Your phone communicates to cell phone towers (antennas on towers to be
> technical) and since multiple of them can see your phone signal at once,
> they triangulate on your location and know where you are.  yes, if your
> phone as GPS turned on and can just tell them the GPS location fix, then
> it is more accurate, but for a long time phones had no GPS capability and
> cell phone location worked just fine.

> If the phone is powered up, then its location is known.  period.  and
> remember, just because you "turned it off" does not always mean that it is
> turned off.  if the radios in the phone are powered, then it is likely
> "ping ponging" with the cell towers and they know where you are.  has
> nothing to do with making a call or use the phone in any way.

> doug

>> Begin forwarded message:
>> From: Dan Gillmor <>
>> Subject: Re: [IP] Cell phone tracking—an example
>> Date: May 24, 2013 3:01:16 PM EDT
>> Given the vanishingly small likelihood that companies or governments will
>> do anything about this, I'm interested in what countermeasures we can take
>> individually. The obvious one is to turn off GPS except on rare occasions.
>> I'll be discussing all this in an upcoming book, and in my Guardian column
>> soon. So I'd welcome ideas.
>> Dan

Please report problems with the web pages to the maintainer