The RISKS Digest
Volume 27 Issue 32

Tuesday, 4th June 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



BA plane's emergency landing at LHR caused by maintenance error
Gwyn Topham via PGN
`Ultra-secure' online primary in France disrupted by multiple and fake voting
John Lichfield via NNSquad
Public Internet election in France marred by vulnerabilities that were demonstrated by journalists
UK takes more moves toward true police state status
Alison Langley via NNSquad
"FBI Internet-tapping good for criminals, bad for everyone else"
Ted Samson via Gene Wirchenko
Google's new Moto X superphone will spy on you 24/7, and you'll like it
Joly MacFie
Google cuts grace period on exploits from 60 days to 7
Mark Thorson
Free Android app to skim credit cards
Prashanth Mundkur
Apple says you can't use the iTunes/App Store when you travel abroad
Vassilis Prevelakis
"Spam catchers catching spammers better"
Woody Leonhard via Gene Wirchenko
Launch of OpenBook Wisconsin—One for targeted advertisers
Dimitri Maziuk
I thought it was a fake Flickr message
NFP regarding the "blind captcha" problem
Danny Burstein
Re: The Hazards of Gambling
Chris Drewe
Re: The Internet is no place for Critical Infrastructure
Chris Drewe
Re: Risks of spreadsheets
Pete Kaiser
Info on RISKS (comp.risks)

BA plane's emergency landing at LHR caused by maintenance error

"Peter G. Neumann" <>
Sat, 1 Jun 2013 13:42:41 PDT
Investigators call on Airbus to again tell operators to ensure essential
safety checks are made on cowl closures, a known safety risk

After a British Airways A319 made an emergency landing at Heathrow on 24 May
2013, it was photographically evident that the cowls were not properly shut
-- causing the 40kg metal coverings to fly loose during takeoff on what
would have been a flight to Oslo.  The right-hand engine caught fire, and
the plane had to be landed on one engine.  [Source: Gwyn Topham, *The
Guardian*, 31 May 2013; PGN-ed]

`Ultra-secure' online primary in France disrupted by multiple and fake voting (John Lichfield)

Lauren Weinstein <>
Sun, 2 Jun 2013 19:26:15 -0700
John Lichfield, Fake votes mar France's first electronic election,
*The Independent* via NNSquad

  “What was already shaping up as a tense and close election was thrown into
  utter confusion at the weekend. Journalists from the news site Metronews
  proved that it was easy to breach the allegedly strict security of the
  election and vote several times using different names.  To register their
  vote on-line, Parisians were supposed to make a credit-card payment of 3
  euros and give the name and address of someone on the city's electoral
  roll.  Metronews said that one of its journalists had managed to vote five
  times, paying with the same credit card, using names, including that of
  Nicolas Sarkozy.”

Public Internet election in France marred by vulnerabilities that were demonstrated by journalists

"Peter G. Neumann" <>
Sun, 2 Jun 2013 19:00:51 PDT
More from the same article:

This `electronic' election had been touted as "fraud-proof" and
"ultra-secure", but apparently permitted multiple voting and fraudulent
voting for other people, with little difficulty.  Journalists turned into

UK takes more moves toward true police state status (Alison Langley)

Lauren Weinstein <>
Mon, 3 Jun 2013 16:14:30 -0700
Alison Langley, UK considers stepping up Internet blocking,
*Columbia Journalism Review* (via NNSquad)

  Her suggested remedy is a three-pronged approach: ban more organizations
  and Muslim schools that the government believes are inciting hate; block
  extremist websites, and revive the Communications Data Bill, which would
  require Internet service providers and mobile companies to
  keep records of every user's browsing activities, email correspondences,
  and texts for 12 months. Phone companies in the UK already are required to
  retain email and telephone contact data.

  Some filters against extremist websites have been in place since 2010,
  [Home Secretary Theresa] May told the BBC. Since then, police have gotten
  more than 5,500 postings deleted from the Internet, she added. Police and
  governments routinely request that Internet companies and Web hosts take
  down, block, or filter content they deem to be offensive or illegal.
  Companies can voluntarily comply or wait for a court order to do so.

  Now May would like to examine whether officials should have broader power
  to demand that content be removed.

  Home Office spokeswoman Sally Henfield said in a telephone interview that
  the examination will be part of the government's Extremist and
  Radicalization Task Force, established this week in the aftermath of the
  Woolwich stabbing. Further details have yet to be decided.

  The conservative government's coalition partner, the Liberal Democrats,
  said that in the wake of the Woolwich murder, they would agree to some
  parts of the draft Communications Data Bill, which they blocked in April
  over privacy concerns.

 - - -

The UK is declining into true police state status faster than anywhere else
in the world that I know of. How long before they try to ban VPNs and

"FBI Internet-tapping good for criminals, bad for everyone else" (Ted Samson)

Gene Wirchenko <>
Tue, 04 Jun 2013 13:27:56 -0700
Ted Samson, InfoWorld, 31 May 2013
Bruce Schneier says 'eavesdroppable' Internet communication products
would hurt innocent users and tech companies

Google's new Moto X superphone will spy on you 24/7, and you'll like it

Joly MacFie <>
Monday, June 3, 2013
  [via Dave Farber's IP]

Dennis Woodside, CEO of Motorola, Google's wholly owned phone-making
subsidiary, walked onto a stage yesterday with the company's rumored new
superphone and while he refused to take it out of his pocket, he confirmed
that it's real and that it's launching in October of this year.

He also dropped a number of technical details about the phone, known as the
Moto X, which indicate that, essentially, it's the world's most
sophisticated cluster of sensors you can wear on your person, and it's going
to know every single thing you do, whether it's driving, sleeping or taking
a walk around the block. Google is betting that you will love your pocket
Stasi so much you'll never want to be without it—and Google is right.

Joly MacFie  218 565 9365 Skype:punkcast  WWWhatsup NYC -  VP (Admin) ISOC-NY

Google cuts grace period on exploits from 60 days to 7

Mark Thorson <>
Mon, 3 Jun 2013 20:50:49 -0700
Google discovers many bugs in other companies' software, and previously
allowed them 60 days to roll out a fix before making the exploit known to
third parties.  Now, that period is reduced to 7 days.

Free Android app to skim credit cards

Prashanth Mundkur <>
Sat, 01 Jun 2013 14:42:42 -0700
Android users now tired of having their information and credit stolen can
now fight back!  With a free Android app, they can now read the credit card
information of other people, provided their cards have an embedded NFC chip.
Even better, CBC News has done the QA and confirmed that this works.

The next time I'm in a checkout line, I'm going to be wondering how many
people are secretly stealing each other's credit card info ...

Apple says you can't use the iTunes/App Store when you travel abroad

Vassilis Prevelakis <>
Mon, 3 Jun 2013 14:22:46 +0200
According to the Apple iTunes/App Store terms of agreement, if you use the
Apple iTunes/App Store when you are traveling abroad, you are in violation
of your contract.

Here is the US version of the agreement, but it also applies to all the
other national agreements I could check (and read).

> [...]

> The iTunes Service is available to you only in the United States, its
> territories, and possessions. You agree not to use or attempt to use the
> iTunes Service from outside these locations. Apple may use technologies to
> verify your compliance.

So the global product is in fact a national product, available strictly
within national boundaries, even in the case of EU countries where a common
market is supposedly in effect.

I think that somebody liked the DVD-style partitioning of the world into
distinct markets (where a product purchased in one market cannot be used in
another) so much that they decided to apply it to its extreme. What is
coming next? Having each state designated as a separate market, so that you
can use your iPhone in New Jersey, but not in New York?

Vassilis Prevelakis, Institut fuer Datentechnik und Kommunikationsnetze
Technische Universitaet Braunschweig Germany

"Spam catchers catching spammers better" (Woody Leonhard)

Gene Wirchenko <>
Tue, 04 Jun 2013 13:31:55 -0700
Woody Leonhard, InfoWorld, 31 May 2013
After a decline in the capabilities of spam-catching software, it's
heartening to see that the good guys are getting better

selected text:

  "It would be natural to expect those sources all to be Internet service
  providers, with the top positions occupied by ISPs in developing
  countries, where many people run cracked and thus unpatched versions of
  Windows XP—a dream for botherers."

But no, that isn't what Ken found. The No. 1 source of spam in Ken's study
is The Planet, a Web service offered by SoftLayer, a Web hosting company
with 436 employees and an active abuse team. Second was a German firm,
STRATO, also known for Web hosting. Third was yet another Web hosting firm,
of dubious pedigree. Of the top 25 spamming sources in the study, only six
were ISPs.

Launch of OpenBook Wisconsin—One for targeted advertisers

Dimitri Maziuk <>
Tue, 04 Jun 2013 16:43:45 -0500
When you get to the last sentence, keep in mind that UW-Madison, like
many other places, has a searchable employee directory with work
address, telephone numbers, and e-mail address.

-------- Original Message --------
Date: Tue, 4 Jun 2013 16:29:05 -0500
Subject: Launch of OpenBook Wisconsin
From: Vice Chancellor Darrell Bazzell <>

Date: June 4, 2013
To: All UW-Madison Employees
From: Vice Chancellor for Finance and Administration Darrell Bazzell
Re: Launch of OpenBook Wisconsin

As some of you may know, the State of Wisconsin is preparing to launch a new
expenditure website called OpenBook Wisconsin,
The site is part of an ongoing effort to make state government more
transparent for the citizens of Wisconsin.

The site launch will be conducted in phases, but we cannot predict with
certainty when OpenBook will go live. We are communicating now with the
intent of giving employees as much notice and consideration of the site
launch as possible.

The OpenBook website stems from 2011 Wisconsin Act 32, s.16.413 of the
Wisconsin Statutes, which requires the Department of Administration to
create a searchable website with information about all state agency
expenditures in excess of $100.  For ease of administration, UW-Madison will
report all expenditures, regardless of amount.

The database will eventually include state and UW salaries and fringe
benefits, grants paid by state agencies, and contract payments made by any
agency or UW institutions.

At this time, the university is taking steps to ensure that employees with
legitimate personal safety needs that require removal of their name from the
OpenBook database will be protected. Such legitimate personal safety
concerns for removal from the OpenBook website would include having been the
victim of a crime (e.g., domestic abuse) or circumstances involving court
orders that would require the removal of the employee's name.

In the event that an employee would like to request his or her name be
redacted from this database, based on the stated safety concerns, they need
to contact Zubin Mufti (e-mail: <>, phone: (608)
262-4587) from the Office of Human Resources to discuss a possible

If an employee has currently been removed from the university directory for
a reason consistent with the above factors, the employee's name will also be
removed from OpenBook.

It must be emphasized that only the employee name will be removed. The
expenses an employee submits and the payroll information will be included on
the website, but the name will be withheld from the related
expenditure. OpenBook will not post Social Security numbers, home addresses
or home telephone numbers of any employee.

I thought it was a fake Flickr message

Mon, 03 Jun 2013 07:19:24 +0800
>>>>> "F" == Flickr  <> writes:

F> Smile. Everyone now gets a free terabyte of space.

That's an about face from the previous measly 200 picture allowance,
plus there isn't a single link to in the message, but instead
just links to "". SpamAssassin analysis gives:

 0.4 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
-0.5 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 T_REMOTE_IMAGE         Message contains an external image

Ho hum, just another scam message. But wait, browsing shows
it is real.
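As an added illustration (not part of Flickr's message or the poster's analysis), the following Python parser reads the SpamAssassin rule-hit block quoted above, totals the scores and applies the default required_score of 5.0, and lists the zero-weight hits; it assumes the report lines keep SpamAssassin's "score RULE description" layout.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One SpamAssassin report line: "<score> <RULE_NAME> <description>".
# Leading whitespace and a negative score both occur, as in the digest.
_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*?)\s*$")

# Report lines copied from the post above (sample input for this example).
SAMPLE_REPORT = """\
 0.4 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
-0.5 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 T_REMOTE_IMAGE         Message contains an external image
"""


@dataclass
class Hit:
    score: float
    rule: str
    description: str


def parse_report(text: str) -> list[Hit]:
    """Parse the rule-hit block of a SpamAssassin report into Hit records."""
    hits = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            hits.append(Hit(float(m.group(1)), m.group(2), m.group(3)))
    return hits


def total_score(hits: list[Hit]) -> float:
    """Sum of the per-rule scores, rounded as SpamAssassin reports it."""
    return round(sum(h.score for h in hits), 2)


def verdict(hits: list[Hit], required_score: float = 5.0) -> str:
    """Apply the default required_score threshold (5.0) to the total."""
    return "spam" if total_score(hits) >= required_score else "ham"


def zero_weight_rules(hits: list[Hit]) -> list[str]:
    """Hits that fired but added nothing to the score (e.g. the DKIM failure)."""
    return [h.rule for h in hits if h.score == 0.0]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(total_score(hits), verdict(hits), zero_weight_rules(hits))
```

The point it makes explicit is that the hits sum to only 0.5, far below the threshold, and that the invalid DKIM signature contributed nothing to the decision.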

NFP regarding the "blind captcha" problem (Guarini, RISKS-27.31)

Danny Burstein <>
Fri, 31 May 2013 19:29:41 -0400 (EDT)
- Every so often, usually after numerous fails of trying to resolve a Google
  captcha, I ask it to kick over the audio.

Fuggedabitit. Completely unusable.

- Come to think of it, since the audio is meant to be heard and transcribed
  by a human, it might as well be a completely clear and simple word like
  "cat" or the number "123".

Re: The Hazards of Gambling (Ward, RISKS-27.31)

Chris Drewe <>
Tue, 04 Jun 2013 22:30:28 +0100
My favourite quote here is "a politician who robs Peter to pay Paul can
probably rely on Paul's vote".  If the Government takes money off rich
people and gives it to poor people, this may seem to be "fairer" and reduce
inequality, but it rewards people who rely on welfare and punishes those who
provide for themselves (hence in the UK a lifetime on welfare is quite a
popular career option).  If Government spending rises faster than the
general level of wealth in the country (GDP growth), then the Government
will eventually run out of money; its only sources of income are taxes or
borrowing, and if it tries to borrow too much, then either creditors stop
lending (as in Greece), or the interest payments become crippling (as in the
UK, which has to borrow to pay the interest on existing debt).

Another favourite quote is from the obituary in the newspaper of an
economist called Professor James Buchanan (1919-2013):

  In modern democracies, Buchanan argued, politicians and bureaucrats come
  under constant pressure to placate interest groups with subsidies, tax
  breaks, regulation and uneconomic public investment; to take on ever more
  responsibilities to show they are `doing something'; and to expand budget
  deficits because they cannot square competing demands to spend more and to
  tax less. Politicians tend to regard political decisions of this sort as
  somehow independent of the economy and therefore immune from the sort of
  cost-benefit approach applied in the private sector, justifying them with
  reference to concepts such as `public good' or the `public interest'.

-- which in two sentences describes exactly why western countries are how
they are now, though not how to improve things.  The risk here looks like
governments gambling on getting enough money from "the rich" to match their
spending ambitions, and losing.

Re: The Internet is no place for Critical Infrastructure (RISKS-27.31)

Chris Drewe <>
Tue, 04 Jun 2013 22:30:28 +0100
> This begs the question of what one means by "The Internet". ...

It's not only critical infrastructure.  Several recent criminal events in
the UK are alleged to have been encouraged by the availability of "extreme"
material on the internet, inevitably followed by demands for it to be made
illegal, with ISPs, search engines, or whoever required to block it (Google
has come in for particularly fierce criticism, as if web sites were only
accessible via them).  As Bob Frankston says, given the worldwide, amorphous
nature of the internet and the huge volume of constantly-changing
information in web sites, it's by no means clear who could be held liable or
how effective blocking could be, or even what is and isn't unacceptable
material, though of course that doesn't stop people from trying.

Re: Risks of spreadsheets (RISKS-27.30)

Pete Kaiser <>
Sat, 01 Jun 2013 09:12:35 +0200
The discussion here centers, as does discussion in the European Spreadsheet
Risks Interest Group (, on errors in creating spreadsheets.

But spreadsheet programs are software and have bugs.  It's quite possible to
program a spreadsheet that's correct and appropriate in every way, but for
the spreadsheet to deliver a wrong result.  One can think of ways to
mitigate that possibility, but they require effort, possibly lots of it.

In the late 1980s I found a calculation bug in DEC's spreadsheet program for
VAX/VMS; and since I was working there at the time, I reported it through
the internal mechanism which should have given it elevated attention.  I
followed up and checked with the engineering group from time to time, and in
fact nothing was done about the bug for years, during which the calculation
engine—with the bug—became part of the workstation product.  As new
releases came out, they all still had the calculation bug.  Several years
after it was reported, the engineering group apparently made a sweep through
as-yet unresolved problems and called me to ask if it had been fixed!  When
the young guy who called me heard it was still present, he followed it up,
and it was finally diagnosed as a problem with the compiler used to compile
the software.  Final resolution: it was too much work to try to debug *that*
problem, and the calculation bug was never fixed.

Luckily by that time there was PC software to replace it.  And we can be
sure there are no problems there.
