The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 45

Friday 30 August 2013


Super Puma helicopter endured rapid dive before crash
Shutdown at Nasdaq Is Traced to Software (Michael J. de la Merced via Matthew Kruk)
Text a driver in New Jersey, and you could see your day in court (Lauren Weinstein)
Why the children of tomorrow are the NSA's biggest nightmare (Charles Stross via Paul Saffo)
iOS and Android Weaknesses Allow Stealthy Pilfering of Web Credentials (Dan Goodin via ACM TechNews)
"Android random number flaw implicated in Bitcoin thefts" (Paul Ducklin via Gene Wirchenko)
Sensitive data left on hard drives (Richard A. O'Keefe)
"Report: NSA broke into UN video teleconferencing system" (Lucian Constantin via Gene Wirchenko)
Facebook considers adding profile photos to facial recognition database (Lauren Weinstein)
More garbage from Facebook (Vindu Goel via Matthew Kruk)
"The end of Groklaw and our online privacy?" (Pamela Jones via Monica Goyal via Gene Wirchenko)
HuffPo Edward Snowden Impersonated NSA Officials: Report (Sharon Kramer via Dave Farber)
It's just Metadata? But it may be wrongly interpreted! (Donald B. Wagner)
Re: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (Marshall Clow)
Info on RISKS (comp.risks)

Super Puma helicopter endured rapid dive before crash, says report

"Peter G. Neumann"
Fri, 30 Aug 2013 5:13:18 PDT
A Super Puma helicopter crashed on 23 Aug 2013 off Shetland, killing four
passengers after an alarming and rapid descent into the North Sea.  Fourteen
passengers survived, largely because the crash occurred near land.  The
black box voice and flight-data recorder has now been recovered from the
tail section, and accident investigators have released their preliminary
findings. "The evidence currently available suggests that the helicopter was
intact and upright when it entered the water. It then rapidly inverted and
drifted northwards towards Garths Ness. The helicopter was largely broken up
by repeated contact with the rocky shoreline."

The article notes that this is the fifth accident involving Super Pumas in
the past four years, although this one appears unrelated to the previous
ones.  The British have discontinued all Super Puma flights (disrupting oil
workers, both offshore and onshore), although the Norwegians have not.

[Source: *The Guardian*, 29 Aug 2013, PGN-ed]

Shutdown at Nasdaq Is Traced to Software (Michael J. de la Merced)

"Matthew Kruk"
Fri, 30 Aug 2013 01:36:03 -0600
Michael J. de la Merced, Shutdown at Nasdaq Is Traced to Software, DealBook
-- A Financial News Service of *The New York Times*, 29 Aug 2013 [PGN-ed]

Though the Nasdaq market calls itself home for the stocks of the world's
biggest technology companies, the exchange acknowledged on 29 Aug 2013 that
a three-hour halt in trading arose from a problem with its software.  The
Nasdaq OMX Group released preliminary findings that provided the clearest
official insight into what caused the trading halt, being called in trading
circles the "flash freeze."

While stock prices were little affected when the exchange reopened late in
the afternoon of Aug. 22, the episode reignited concerns about the fragility
of modern markets and their dependence on intricate software systems.

In particular, a series of attempts by a market operated by the NYSE
Euronext to connect with the Nasdaq system that reports the prices of recent
trades generated a surge of data. That led to a failure of Nasdaq's backup
systems, forcing the market to go offline to fix the problem. [...]

Text a driver in New Jersey, and you could see your day in court

Lauren Weinstein
Thu, 29 Aug 2013 09:23:47 -0700
  "On Tuesday, three appeals court judges agreed with it—in principle.
  They ruled that if the sender of text messages knows that the recipient is
  driving and texting at the same time, a court may hold the sender
  responsible for distraction and hold him or her liable for the accident."  (CNN via NNSquad)

Even the theoretical concept of holding the person at the other end of an
electronic communication (hell, even another person just talking in the same
vehicle) responsible for a driver's stupidity is beyond ludicrous.

Why the children of tomorrow are the NSA's biggest nightmare (Charles Stross)

Paul Saffo
Fri, 30 Aug 2013 05:54:06 -0700
Charles Stross, Spy Kids, *Foreign Policy*, 28 Aug 2013
A sci-fi visionary on why the children of tomorrow are the NSA's biggest
  nightmare [PGN-ed]

In the 21st century, the U.S. National Security Agency (and other espionage
agencies) face a storm of system-wide problems that I haven't seen anybody
talking about. The problems are sociological, and they threaten to undermine
the way the Western security state operates.

The big government/civil service agencies are old. The NSA's roots stretch
back to the State Department's "Black Chamber" (officially dissolved by
Secretary of State Henry Stimson in 1929 with the immortal words "Gentlemen
do not read each other's mail"). The CIA is a creation of the late
1940s. J. Edgar Hoover's FBI was established as the Bureau of Investigation
in 1908. These organizations are products of the 20th-century industrial
state, and they are used to running their human resources and internal
security processes as if they're still living in the days of the "job for
life" culture. Potential spooks-to-be were tapped early (often while at
school or university), vetted, and then given a safe sinecure along with
regular monitoring to ensure they stayed on the straight-and-narrow all the
way to the gold watch and pension. Because that's how we all used to work,
at least if we were civil servants or white-collar paper-pushers back in the

But outside the walled garden of the civil service, things don't work that
way anymore. A major consequence of the 1970s resurgence of neoliberal
economics was the deregulation of labor markets and the deliberate
destruction of the job-for-life culture (partly because together they were a
powerful lever for dislodging unionism and the taproots of left-wing power
in the West, and partly because a liquid labor market made entrepreneurial
innovation and corporate restructuring easier).

Government departments may be structured on old-fashioned lines, but their
managers aren't immune to outside influences and they frequently attempt
reforms, in the name of greater efficiency, that shadow the popular
private-sector fads of the day. One side effect of making corporate
restructuring easier was the rush toward outsourcing, and today around 70
percent of the U.S. intelligence budget is spent on outside contractors. And
it's a big budget—well over $50 billion a year. Some chunks go to heavy
metal (the National Reconnaissance Office is probably the biggest
high-spending agency you've never heard of: it builds spy satellites), but a
lot goes to people. People to oil the machines. People who work for large
contracting organizations. Organizations that increasingly rely on
contractors rather than permanent labor to retain "flexibility."

Here's the problem: The organizations are now running into outside
contractors who grew up in the globalized, liquid labor world of Generation
X and Generation Y, with Generation Z fast approaching.  [...]

If I were in charge of long-term planning for human resources in any
government department, I'd be panicking. Even though it's already too late.

   [This is a long but pithy article, pruned extensively for RISKS, although
   I kept the concluding paragraph above. PGN]

iOS and Android Weaknesses Allow Stealthy Pilfering of Web Credentials (Dan Goodin)

ACM TechNews <technews@HQ.ACM.ORG>
Wed, 28 Aug 2013 11:43:52 -0400
Dan Goodin, Ars Technica, 27 Aug 2013
via ACM TechNews, Wednesday, August 28, 2013

Microsoft and Indiana University researchers have found an architectural
weakness in both the iOS and Android mobile operating systems that makes it
possible for hackers to steal sensitive user data and login credentials for
popular email and storage services.  The researchers, in a paper to be
presented at the ACM Special Interest Group on Security, Audit and Control's
(SIGSAC) Computer and Communications Security Conference in November, found
that both operating systems fail to ensure that browser cookies, document
files, and other sensitive content from one Internet domain are off-limits
to scripts controlled by a second address without explicit permission.  The
same-origin policy is a basic security mechanism enforced by desktop
browsers, but the protection is absent from many iOS and Android apps.  The
researchers demonstrated the threat by creating several hacks that carry out
cross-site scripting and cross-site request forgery attacks.  "The problem
here is that iOS and Android do not have this origin-based protection to
regulate the interactions between those apps and between an app and another
app's Web content," says Indiana University professor XiaoFeng Wang.  The
researchers created a proof-of-concept app called Morbs that provides
OS-level protection across all apps on an Android device.  Morbs works by
labeling each message with information about its origin that could make it
easier for developers to specify and enforce security policies based on the
sites where sensitive information originates.

"Android random number flaw implicated in Bitcoin thefts" (Paul Ducklin)

Gene Wirchenko
Thu, 29 Aug 2013 11:55:27 -0700
Paul Ducklin, Sophos Naked Security, 12 Aug 2013, with comments
Filed Under: Android, Cryptography, Data loss, Featured, Google

Sensitive data left on hard drives

"Richard A. O'Keefe"
Thu, 29 Aug 2013 17:59:05 +1200
Dax Roberts completed a PhD in another department of this university this
year.  100 second-hand hard drives were bought.  24 of these still contained
private information, 13 of them just plug it in and turn it on and it's
there.  Four of the 24 were from high schools (none in the Otago region).

[Source: the *Otago Daily Times*, 11 May 2013]

"Report: NSA broke into UN video teleconferencing system" (Lucian Constantin)

Gene Wirchenko
Wed, 28 Aug 2013 12:38:15 -0700
Lucian Constantin, IDG News Service, InfoWorld, 26 Aug 2013
The agency reportedly cracked the system's encryption to snoop on
internal UN communications

Facebook considers adding profile photos to facial recognition DB

Lauren Weinstein
Thu, 29 Aug 2013 21:49:12 -0700
  "Facial recognition technology has been a sensitive issue for technology
  companies, raising concerns among some privacy advocates and government
  officials. Tag suggest, which the company introduced in 2011, is not
  available in Europe due to concerns raised by regulators.  Google's social
  network, Google+, also employs similar technology, but requires user
  consent. And it has banned third-party software makers from using facial
  recognition technology in apps designed for its Glass wearable computer." (Guardian)

More garbage from Facebook (Vindu Goel)

"Matthew Kruk"
Fri, 30 Aug 2013 01:41:16 -0600
Vindu Goel, Facebook to Update Privacy Policy, but Adjusting Settings Is No
Easier, *The New York Times*, 29 Aug 2013 [PGN-ed]

Facebook announced Thursday that it planned to enact changes to its privacy
policies on Sept. 5.  But the social network's famously difficult privacy
controls will not become any easier to navigate.  Mostly, the new data use
policy and statement of rights and responsibilities lay out more clearly the
things that Facebook already does with your personal information, Ed
Palmieri, the company's associate general counsel for privacy, said in an
interview. "The updates that we are showing in the red lines are our way to
better explain the products that exist today," he said.  [...]

The old policy explicitly stated, "You can use your privacy settings to
limit how your name and profile picture may be associated with commercial,
sponsored, or related content (such as a brand you like) served or enhanced
by us."

Facebook's new language starts with the opposite position. "You give us
permission to use your name, and profile picture, content, and information
in connection with commercial, sponsored, or related content (such as a
brand you like) served or enhanced by us," the company said. "If you have
selected a specific audience for your content or information, we will
respect your choice when we use it."

Mr. Palmieri said the two versions amount to the same thing.

It brings to mind Humpty Dumpty in Lewis Carroll's "Through the Looking
Glass."  As he told young Alice, "When I use a word, it means just what I
choose it to mean - neither more nor less."

"The end of Groklaw and our online privacy?" (Pamela Jones via Monica Goyal)

Gene Wirchenko
Thu, 29 Aug 2013 11:45:48 -0700
Monica Goyal, *IT Business*, 28 Aug 2013

opening paragraph:

"My personal decision is to get off of the Internet to the degree it's
possible. I'm just an ordinary person. But I really know, after all my
research and some serious thinking things through, that I can't stay online
personally without losing my humanness, now that I know that ensuring
privacy online is impossible. I find myself unable to write. I've always
been a private person. That's why I never wanted to be a celebrity and why I
fought hard to maintain both my privacy and yours."

Pamela Jones, Groklaw, in her last post.

HuffPo Edward Snowden Impersonated NSA Officials: Report (via Dave Farber)

Sharon Kramer
Aug 29, 2013 2:04 PM
  FYI.  If private sector employee, Edward Snowden, could impersonate NSA
  honchos for the purpose of exposing system flaws and security breaches
  harmful to the public; then who else could and may have done this for less
  honorable purposes?  Are there several people who knew how to do this and
  we may never know what info got into the wrong hands?  [Sharon Kramer, San
  Diego, via Dave Farber]

Edward Snowden Impersonated NSA Officials: Report

"Edward Snowden, the former government contractor who leaked information on
the National Security Agency's surveillance programs, impersonated NSA
officials in order to obtain files, NBC News reported Thursday.

While working for Booz Allen Hamilton, the technology consulting firm that
contracted for the NSA, Snowden reportedly used his access as a system
administrator to borrow the electronic identities of officials with higher
security clearances via NSAnet, the agency's intranet. Snowden reportedly
used the identities to obtain 20,000 documents containing information on the
agency's controversial programs.

'Every day, they are learning how brilliant [Snowden] was,' an anonymous
former intelligence official told NBC. 'This is why you don't hire
brilliant people for jobs like this. You hire smart people. Brilliant people
get you in trouble.'"


It's just Metadata? But it may be wrongly interpreted!

"Donald B. Wagner"
Thu, 29 Aug 2013 11:00:35 +0200
A 24-year-old Danish man was recently denied entry to the U.S. with his
family.  He has no criminal record, no known political activities and no
known connection to terrorism, but what he did have was a phone number that
once belonged to a man with known terrorist ties.
  Much more in Danish:

dr.phil. Donald B. Wagner, Jernbanegade 9B, DK-3600 Frederikssund
Denmark, Tel. +45-3331 2581

  [Incidentally, there is a fairly comprehensive article on the pluses and
  minuses of metadata by Jaron Lanier, The Meta Question: What is the NSA
  doing with your metadata?  *The Nation*, 15 Jul 2013, along with
  some diverse subsequent comments online.  PGN]

Re: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (RISKS-27.44)

Marshall Clow
Wed, 28 Aug 2013 19:43:38 -0700
There's an easy way for Mr. Obama and the NSA to convince people that
the "metadata" that they collect has no privacy implications.

They can publish theirs.

Publish the "metadata" for all phone calls made to or from the White House
and the NSA, whether they be landlines, wireless, or VOIP.  Put it on a
website with a search engine, and update the data (at least) every day.

Marshall Clow, Idio Software
