The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 53

Tuesday 15 October 2013

Contents

Azerbaijan releases election results—before the election started
PGN
Computer Failure Cuts off Access to Food Benefits
PGN
Another botched Black Tuesday for MS
Woody Leonhard via Gene Wirchenko
D-Link SOHO Routers reported to contain backdoor
Bob Gezelter
Russian government's political comment trolling operation exposed
Lauren Weinstein
EFF Resigns from Global Network Initiative
EFF
Re: "Let's build a more secure Internet"
Peter Houppermans
Bob Frankston
Fred Cohen
Re: Why the NSA's attacks on the Internet must be made public
Fred Cohen
Re: NSA data center 'meltdowns' force year-long delay
Paul Saffo
Correction re: Cyber Schools Fleece Taxpayers
Gene Wirchenko
Re: Our Founding Fathers ...
Thor Lancelot Simon
Info on RISKS (comp.risks)

Azerbaijan releases election results—before the election started

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 9 Oct 2013 22:39:07 PDT
http://www.washingtonpost.com/blogs/worldviews/wp/2013/10/09/oops-azerbaijan-released-election-results-before-voting-had-even-started/?hpid=z4

Azerbaijan's big presidential election, held on Wednesday, was anticipated
to be neither free nor fair. President Ilham Aliyev, who took over from his
father 10 years ago, has stepped up intimidation of activists and
journalists. Rights groups are complaining about free speech restrictions
and one-sided state media coverage. The BBC's headline for its story on the
election reads `The Pre-Determined President'.
<http://www.bbc.co.uk/news/world-europe-24450227>
So expectations were pretty low.

Even still, one expects a certain ritual in these sorts of authoritarian
elections, a fealty to at least the appearance of democracy, if not
democracy itself. So it was a bit awkward when Azerbaijan's election
authorities released vote results—a full day before voting had even
started.
<http://www.eurasianet.org/node/67607?utm_source=dlvr.it&utm_medium=twitter>

The vote counts—spoiler alert: Aliyev was shown as winning by a landslide—
were pushed out on an official smartphone app run by the Central Election
Commission. It showed Aliyev as "winning" with 72.76 percent of the vote.
That's on track with his official vote counts in previous elections: he won
("won"?) 76.84 percent of the vote in 2003 and 87 percent in 2008.  [...]

  [PGN-ed.  The rest of this story is interesting as well.
  Also noted by Dan Swinehart, who said, "This is a variant on the punch
  line to a joke that I've told for decades. Reality trumps fiction again."
  http://politics.slashdot.org/story/13/10/10/0043217/azerbaijan-election-results-released-before-voting-had-even-started
  PGN]


Computer Failure Cuts off Access to Food Benefits

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 14 Oct 2013 16:26:37 PDT
AP item in *The New York Times*, PGN-ed, 13 Oct 2013:

  People in 17 states (including NJ and CA) were unable to use their food
  stamp debit cards for several hours on 12 Oct 2013, because a routine test
  of backup systems by Xerox failed.  (Yes, RISKS readers know nothing is
  always "routine".)


Another botched Black Tuesday for MS (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Thu, 10 Oct 2013 11:30:10 -0700
Woody Leonhard, InfoWorld, 10 Oct 2013
Another botched Black Tuesday: KB 2878890 patch brings back
  two-year-old KB 951847—repeatedly
Microsoft's four-month body count: 23 bad patches. It's past time for
  Microsoft to improve the quality of its Automatic Updates
http://www.infoworld.com/t/microsoft-windows/another-botched-black-tuesday-kb-2878890-patch-brings-back-two-year-old-kb-951847-repeatedly-228538

  [It's a (Bach -> Batch -> BOTCH) FUGUE, which recapitulates the same
  themes repeatedly, although sometimes in a slightly different form.  PGN]


D-Link SOHO Routers reported to contain backdoor

"Bob Gezelter" <gezelter@rlgsc.com>
Mon, 14 Oct 2013 03:48:44 -0700
Apparently, D-Link SOHO routers sold under their own and some private labels
have been reported to contain a "backdoor" which can allow anyone
Administrator access without the device password. This "feature" is
implemented by the codebase using a pre-defined username, which does not need
a password. Users are cautioned to act appropriately. When will firms learn
that backdoors are generically dangerous and should not be created?  The
original article is at:
   http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Bob Gezelter, http://www.rlgsc.com


Russian government's political comment trolling operation exposed

Lauren Weinstein <lauren@vortex.com>
Thu, 10 Oct 2013 09:12:27 -0700
http://j.mp/GI5Ro3 (*St. Petersburg Times* via NNSquad)

  "Local reporters have infiltrated a covert organization that hired young
  people as "Internet operators" near St. Petersburg and discovered that the
  employees are being paid to write pro-Kremlin postings and comments on the
  Internet, smearing opposition leader Alexei Navalny and U.S. politics and
  culture."


EFF Resigns from Global Network Initiative

<*EFF Press*>
Thursday, October 10, 2013
Citing Concerns Over NSA's Impact on Corporate Members, EFF Leaves Industry
Group

San Francisco - The Electronic Frontier Foundation (EFF) today withdrew from
the Global Network Initiative (GNI), citing a fundamental breakdown in
confidence that the group's corporate members are able to speak freely about
their own internal privacy and security systems in the wake of the National
Security Agency (NSA) surveillance revelations.

EFF has been a civil society member of the multi-stakeholder human rights
group since GNI was founded in 2008 to advance freedom of expression and
privacy in the global information and communication technologies sector.
While much has been accomplished in these five years, EFF can no longer sign
its name on joint statements knowing now that GNI's corporate members have
been blocked from sharing crucial information about how the US government
has meddled with these companies' security practices through programs such
as PRISM and BULLRUN.

"We know that many within the industry do not like or approve of such
government interference, and GNI has, in statements, made it clear that
member companies want permission from the US government to engage in greater
transparency," EFF's International Director Danny O'Brien and Director for
International Freedom of Expression Jillian C. York write in a letter to GNI
leadership.  "However, until serious reforms of the US surveillance programs
are in place, we no longer feel comfortable participating in the GNI process
when we are not privy to the serious compromises GNI corporate members may
be forced to make. Nor do we currently believe that audits of corporate
practice, no matter how independent, will uncover the insecurities produced
by the US government's--and potentially other governments'--behavior when
operating clandestinely in the name of national security."

EFF's involvement with GNI included helping to define its founding
principles over two years of negotiations; coordinating opposition to the
United Kingdom's Communications Data Bill in 2011; releasing a paper
addressing free-speech issues surrounding account deactivation and content
removal; and collaborating with fellow members in internal international
technical and policy analysis.  However, EFF can no longer stand behind the
credibility of what had been one of GNI's most significant
achievements--third-party privacy and freedom of expression assessments of
service providers, including Google, Microsoft and Yahoo.

Moving forward, EFF plans to continue to provide guidance to the GNI and
engage companies directly, but as an external organization.  EFF supports
the other organizations and individuals that continue to work within the GNI
for the free speech and privacy rights of users worldwide.

"Although EFF is taking a step back, GNI can still serve an important role
as a collaborative project between human rights groups, companies, investors
and academics," York said.  "If the United States government truly supports
international 'Internet freedom,' it would recognize the damage its policies
are doing to weaken such efforts and the world's confidence in American
companies."

For the text of the letter:
https://www.eff.org/document/gni-resignation-letter-0

For this release:
https://www.eff.org/press/releases/eff-resigns-global-network-initiative

About EFF

The Electronic Frontier Foundation is the leading organization protecting
civil liberties in the digital world. Founded in 1990, we defend free speech
online, fight illegal surveillance, promote the rights of digital
innovators, and work to ensure that the rights and freedoms we enjoy are
enhanced, rather than eroded, as our use of technology grows. EFF is a
member-supported organization.  Find out more at https://www.eff.org.

Electronic Frontier Foundation Media Release
For Immediate Release: Thursday, October 10, 2013

Jillian C. York
  Director for International Freedom of Expression
  Electronic Frontier Foundation
  jillian@eff.org
  +1 415 436-9333 x118


Re: "Let's build a more secure Internet" (Dourado, RISKS-27.52)

Peter Houppermans <peter@houppermans.net>
Thu, 10 Oct 2013 09:39:37 +0200
With all due respect to the respective people involved, in my opinion you
have the problem backwards.

By attempting to create a trustworthy Internet, you are ignoring the fact
that practically any platform carrying data over the Internet only survives
by exactly NOT doing that.  The nice thing about not trusting the network
layer is that it then becomes irrelevant what the carrier is: a comfy "hard
shell, soft centre" insider threat corporate LAN, or a shaky "I have only 1
bar and my battery is dying" EDGE connection somewhere out in the field.
Well, irrelevant from a security perspective :).

Only when we ensure that everything that travels over the Internet has at
least a basic level of security attached can we progress, and there is much
to fix.  Why do websites still default to FTP uploads?  Why is encrypted
SMTP not the default for inter-party email exchange?

You improve security by adjusting the equation effort & risk vs. reward, and
use tools you control yourself: content, framing and encryption.  What is
out of your control is by default untrusted, and doing it right also means
that it's no longer worth doing the lower level intercept.

Finally, in context I appreciate the irony of sending that submission from a
Google account :)


Re: Let's Build a More Secure Internet (Dourado, RISKS-27.52)

<*Bob Frankston*>
Thursday, October 10, 2013
  [via Dave Farber's IP distribution.  PGN]

This assumes that the Internet is a layer on top of a physical
infrastructure—a notion which misses the revolutionary idea of the
Internet. The Internet is not the switches. It is a way we use the physical
infrastructure as a resource rather than a dependency. For that matter the
very wording assumes there is an Internet that is apart from everything else
when many of the issues are in the practices both in the way we exchange
bits and the service we create using connectivity.

As long as we require that operators and service providers make a profit we
force the creation of the metadata that can then be used to analyze our
usage of the network. If we have a funding model that doesn't require every
wire be a profit center then we wouldn't need to disclose (as much) metadata
and the network operators wouldn't be obliged to monetize it.

There is a risk in seeking the social and business problems in technology
rather than in understanding.


Let's Build a More Secure Internet - hardly... (Re: RISKS-27.52)

Fred Cohen <fc@all.net>
Mon, 14 Oct 2013 06:44:50 -0700
> Eli Dourado, *The New York Times*, 8 Oct 2013
> Can we ever trust the Internet again?

As usual, the press gets it wrong soup to nuts. Starting with the premise
that the Internet was ever worthy of trust in the first place, which leads
to the question - trust for what? If you trusted the Internet for integrity,
confidentiality, availability, use control, or accountability, you were
making a mistake, and this is nothing new. I refer you to the series of
articles I wrote in the mid-1990s called Internet Holes and the continuation
of that series through the present day
(http://all.net/Analyst/index.html). Not that the problems began then...

> In the wake of the disclosures about the National Security Agency's
> surveillance programs, considerable attention has been focused on the
> agency's collaboration with companies like Microsoft, Apple and Google,
> which according to leaked documents appear to have programmed "back door"
> encryption weaknesses into popular consumer products and services like
> Hotmail, iPhones and Android phones.

The difference being that they used legal process or money to get
willing cooperation? Does anybody really believe that this wasn't being
done earlier by planted insiders? And why worry about the NSA when they
are only one of more than 100 countries likely undertaking the same sort
of thing (many known to be doing so) since the beginning of the Internet.

> But while such vulnerabilities are worrisome, equally important - and
> because of their technical nature, far less widely understood - are the
> weaknesses that the N.S.A. seems to have built into the very
> infrastructure of the Internet.

We didn't need them to build weaknesses in. The commercial companies are
perfectly capable of doing it intentionally and by accident. Weaknesses
were always there. In terms of understanding, while I believe the press
widely ignored these issues for much of the last 30+ years, the
information protection field has been pointing them out since the
technology was put into use.

> The concern is that even if consumer software companies like Microsoft and
> telecommunications companies like AT&T and Verizon stop cooperating with
> the N.S.A., your online security will remain compromised as long as the
> agency can still take advantage of weaknesses in the Internet itself.

As they always have and always likely will.

> Fortunately, there is something we can do: encourage the development of an
> "open hardware" movement - an extension of the open-source movement that
> has led to software products like the Mozilla browser and the Linux
> operating system.

Open software has nothing on closed software in terms of protection. In
fact, arguably, closed source has produced fewer vulnerabilities per
line of code over time than open source. I say "arguably" because, as a
field, we have few and poorly collected metrics of such things. But
those metrics seem to indicate that open source is not more secure as a
rule.

> The open-source movement champions an approach to product development in
> which there is universal access to a blueprint, as well as universal ability
> to modify and redistribute the blueprint. Wikipedia is perhaps the
> best-known example of a product inspired by the movement. Open-source
> advocates typically emphasize two kinds of freedom that their products
> afford: they are available free of charge, and they can be used and
> manipulated free of restrictions.

Open source is not the same as free, not the same as anybody can
(legally) modify it, or any such thing. It just means you can see the
"blueprint".

> But there is a third kind of freedom inherent in open-source systems: the
> freedom to audit. With open-source software, independent security experts
> can scrutinize the code for vulnerabilities - whether accidentally or
> intentionally introduced. The more auditing by the programming masses, the
> better the security. As the open-source software advocate Eric S. Raymond
> has put it, "given enough eyeballs, all bugs are shallow."

This is a fallacy. It is simply not true that more eyes make better
security or that "all bugs are shallow" as a side effect. Experiments have
historically shown that even if we point out the location of an intentional
Trojan horse to within a few hundred lines of code, experts don't find
it. And automated software doesn't even look for the sorts of intentional
subversion that are used in many Trojan horses.

> Perhaps the greatest open-source success story is the Internet itself - at
> least its "soft" parts. The Internet's communications protocols and the
> software that implements them are collaboratively engineered by loose
> networks of programmers working outside the control of any single person,
> company or government. The Internet Engineering Task Force, which develops
> core Internet protocols, does not even have formal membership and seeks
> contributions from developers all over the world.

And the Internet is full of holes. It is the best example of how open source
does not provide protection. And its success is largely because it (the
process) doesn't seek to provide protection. The Internet is designed for
functionality - widespread, general, rapidly deployed, easily developed,
flexible, changeable, etc. functionality. As such, it is designed to support
rapid change, not stability. It is designed to be redundant, recoverable,
etc. NOT private, unalterable, etc.

"Security" is afforded by this approach, but not secrecy, integrity, use
control, or accountability. Availability is somewhat questionable. The
security provided is the ability to change, learn, adapt, create, do your
own thing, etc.

> But the problem is that the physical layer of the Internet's infrastructure
> - the hardware that transmits, directs and relays traffic online, as well as
> its closely knit software (or "firmware") - is not open-source. It is made
> by commercial computing companies like Cisco, Hewlett-Packard and Juniper
> Networks according to proprietary designs, and then sold to governments,
> universities, private companies and anyone else who wants to set up a
> network.

Making it "open source" will not help the situation. It will likely reveal
far more vulnerabilities, but not fix them, and not reveal the tricky
ones. But it will certainly cause these companies financial problems as
their technical advantages over competitors will collapse, and their
investment in new technology be reduced, thus reducing innovation and rate
of progress.

> There is reason to be skeptical about the security of these networking
> products.  The hardware firms that make them often compete for contracts
> with the United States military and presumably face considerable pressure
> to maintain good relations with the government. It stands to reason that
> such pressure might lead companies to collaborate with the government on
> surveillance-related requests.

And those made in China have Chinese Trojan horses.

> Because these hardware designs are closed to public scrutiny, it is
> relatively easy for surveillance at the Internet's infrastructural level
> to go undetected.  To make the Internet less susceptible to mass
> surveillance, we need to recreate the physical layer of its infrastructure
> on the basis of open-source principles.

This won't work. It will just make it more expensive to run the government
surveillance programs, costing the taxpayers more money and forcing the NSA
back into the darker corners.

> At the moment, the open hardware movement is limited mostly to hobbyists -
> engineers who use the Internet to collaboratively build "open" devices
> like the RepRap 3D printer.

Which uses what open source processor chips? None! They all depend on
proprietary chips.

> But the Internet community, through a concerted effort like the one that
> currently sustains the Internet's software architecture, could also
> develop open-source, Internet-grade hardware. Governments like Brazil's
> that have forsworn further involvement with American Internet companies
> could adopt such nonproprietary equipment designs and have them
> manufactured locally, free from any N.S.A. interference.

As if this would free them. It won't.

> The result would be Internet infrastructure, both hardware and software,
> that was 100 percent open and auditable.

Again, a fantasy. Even if realized, it would not accomplish the stated goal.

The "open source" version of the Internet would not be an improvement. It is
already largely open source, and has all of the problems that the
Information age portends. It is an inherent property of the information age
that in order to have effective protection, we need to restrain ourselves
from doing the wrong thing in high volume and an effective government has to
restrain itself or be restrained by its people. But this is nothing
new. Perhaps we need well armed Internet militias.

Draft of the Xth amendment: A well regulated Militia, being necessary to the
security of a free State, the right of the people to keep and bear Internet
Arms, shall not be infringed.

Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/       PO Box 811    Pebble Beach, CA 93953


Re: Why the NSA's attacks on the Internet must be made public (Schneier, RISKS-27.51)

Fred Cohen <fc@all.net>
Mon, 14 Oct 2013 07:01:57 -0700
> Among IT security professionals, it has been long understood that the
> public disclosure of vulnerabilities is the only consistent way to improve
> security. That's why researchers publish information about vulnerabilities
> in computer software and operating systems, cryptographic algorithms, and
> consumer products like implantable medical devices, cars, and CCTV
> cameras.

This is a fallacy. There is no substantial science behind the asserted claim
(that disclosure improves protection) and no statistics behind the actual
claim (that IT security professionals have long understood that or even
agree to the asserted claim).

The rest of the article repeats this mistake. It asserts cause and effect
without a substantial basis.

> It's folly to believe that any NSA hacking technique will remain secret
> for very long.

Really! You may rest assured that they have plenty of methods that, while
published long ago in some form, remain largely a secret to anyone who is
affected by them. That's because, as a community, we don't bother to review
the literature before proclaiming ourselves experts. Nothing I have seen
published about what the NSA is asserted to have done is a big secret in
terms of the ability to do it. The secret (if there is one) is that they did
do it, with whom, etc. The techniques I have heard about are hardly a
secret. Bribe a company, extort a company, plant an insider, plant a Trojan,
not new, not secret methods. In terms of longevity, I would bet that there
are lots of things still secret from the 1950s, some of which died with
those who held them.

> The NSA has two conflicting missions. Its eavesdropping mission has been
> getting all the headlines, but it also has a mission to protect US
> military and critical infrastructure communications from foreign attack.
> Historically, these two missions have not come into conflict. During the
> cold war, for example, we would defend our systems and attack Soviet
> systems.

The equities issue has always been present, and the equities have
historically always favored attack over defense. The question that needs to
be addressed is how this balance should be as opposed to how it has been. My
personal view is that the defense should be favored far more than it is at
present or has been in the past, but then I am a defender.

The reason for my view? Because the US and our allies are asymmetrically
dependent on information and technology. So successful attack can hurt us a
lot more than it hurts them.  Meanwhile, successful defense depends on
knowledge, skills, effort, etc. which we presumably have more of than our
enemies. So if we build strong defenses that require ongoing effort, we will
win as long as we are willing to spend the effort and they are not. Of
course if it takes too much effort, it will sap our strength...  and
somewhere in there is an equation to be produced and solved.

Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/       PO Box 811    Pebble Beach, CA 93953


Re: NSA data center 'meltdowns' force year-long delay (RISKS-27.52)

Paul Saffo <psaffo@me.com>
Wed, 09 Oct 2013 20:05:33 -0700
... it appears the problem isn't with the grid supplying the power, but with
the electrical system on the NSA site.


Correction re: Cyber Schools Fleece Taxpayers (RISKS-27.51)

Gene Wirchenko <genew@telus.net>
Wed, 09 Oct 2013 21:54:01 -0700
The link for the first item ("Cyber Schools Fleece Taxpayers for Phantom
Students and Failing Grades") is actually:
http://www.prwatch.org/news/2013/10/12257/junk-bonds-junk-schools-cyber-schools-fleece-taxpayers-phantom-students-and-faili

      (The item's link was missing "cyber-schools-".)


Re: Our Founding Fathers ... (Robinson, RISKS-27.51)

Thor Lancelot Simon
Fri, 11 Oct 2013 01:28:48 +0000 (UTC)
> A couple thousand years ago, the way you moved from Slave or peon to
> Citizen in Imperial Rome was you raised enough money to afford a sword and
> shield ...

This is empirically false, and it's a shame to see made-up "facts" given
credibility by appearing in RISKS.  Without this and the several other
similar assertions of "fact" in the piece I quote above, I'm not sure there
is any support for its argument at all.

If you'd like to know how changes in status really took place in Imperial
(or pre-Imperial) Rome, I can recommend Crook, J.A., _Law and Life Of Rome_,
90 B.C. - A.D. 212 (Ithaca: Cornell, 1967).

Thor Lancelot Simon, Public Access Networks Corp., tls@panix.com
