The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 56

Monday 21 October 2013


Harry Lewis's blog on Harvard's Gov 1310
Dick Cheney Said He Disabled Heart Device to Avoid Terrorist Threats
Gabe Goldberg
Judge Posner recants his previous ruling on Voter ID
Virginia Voter Purge List
Ship Tracking Hack Makes Tankers Vanish from View
Suzanne Johnson
Crooks 'stole' Experian data the old-fashioned way: They bought it!
Serdar Yegulalp via Gene Wirchenko
"Is Wikipedia for Sale?"
Lauren Weinstein
NSA Surveillance: The 21st-Century Panopticon
Bruce Schneier
France summons US ambassador to answer allegations of widespread NSA surveillance
Amar Toor via Dewayne Hendricks
Americans Are Way Behind in Math, Vocabulary, and Technology
Roberto A. Ferdman via Allan Davidson
Google Unveils Technology Tools for Digital Rebels
*Time* via Lauren Weinstein
More on "online schools" fleecing taxpayers
Ed Ravin
Re: GPS map leads to border crossing and shooting
Anthony DeRobertis
Re: "We can't let the Internet become Balkanized"
Amos Shapir
"Users hit by Blue Screen, 0xC1900101 - 0x40017 error with Windows 8.1 update"
Woody Leonhard via Gene Wirchenko
"Resurrected KB 951847 'zombie' patch fixed—but now has new problem"
Woody Leonhard via Gene Wirchenko
"Problems remain after Microsoft yanks Windows RT 8.1 update"
Woody Leonhard via Gene Wirchenko
Microsoft “Still Working'' on KB2862330 Windows 7 Update Fix
Henry Baker
GCHQ spooks update PC and mobile security advice for public sector
Nap van Zuuren
REVIEW: Craig P. Bauer, Secret History: The Story of Cryptology
Ben Rothke
Info on RISKS (comp.risks)

Harry Lewis's blog on Harvard's Gov 1310

"Peter G. Neumann" <>
Fri, 18 Oct 2013 10:56:06 PDT
Harvard Professor Harry Lewis recently posted a blog item that reviews the
episodes leading up to and following Harvard having accused a large number
of students of cheating in an open-book open-Web exam in an undergraduate
Government course, suspending them en masse, and also surreptitiously
searching e-mail accounts, and hiding many of the details from public view.
Harry's blog item gives RISKS readers an insider follow-up to the two rather
terse external views on this situation that Lauren Weinstein contributed to
RISKS-27.19 (11 Mar 2013).

  13 Oct 2013: Honor and Dishonor

For those of you interested in delving further into the history, Harry's
blogspot also includes seven previous postings that give a more extensive
view of his reactions to how this situation evolved (badly).

  3 Feb 2013: Bits and Pieces: Lingering questions about the `cheating scandal'
  9 Mar 2013: Bits and Pieces: E-mail Privacy at Harvard
 12 Mar 2013: Bits and Pieces: E-mail Snooping Update
  6 Apr 2013: Bits and Pieces: Seizing the Opportunity to Restore Trust
 27 Apr 2013: Bits and Pieces: E-mail Privacy Update
 23 Jul 2013: Bits and Pieces: The Keating Report
  2 Sep 2013: Bits and Pieces: E-mail Privacy Redux

Dick Cheney Said He Disabled Heart Device to Avoid Terrorist Threats

Gabe Goldberg <>
Sun, 20 Oct 2013 19:09:21 -0400
Former U.S. Vice President Dick Cheney said the implanted defibrillator that
helped keep him alive in 2007 had its wireless feature disabled because he
feared terrorists could use it to kill him.  Bloomberg,

To read the entire article, go to

The risk: fear that technology will be abused leads to disabling the
technology.  Of course, technology subject to abuse—e.g., medical devices
vulnerable to hacking/tampering—has its own risks.  Tough choices.

Judge Posner recants his previous ruling on Voter ID

"Peter G. Neumann" <>
Fri, 18 Oct 2013 11:52:04 PDT
Second Thoughts on Voter ID, Editorial, *The New York Times*, 16 Oct 2013

On 18 Oct 2013, Richard Posner, a highly respected federal judge, offered an
unusual admission. He had made a mistake, he said, in voting to uphold one
of the country's first voter-ID laws. As courts in Texas, North Carolina
and other states deal with litigation over ever-stricter versions of such
laws—all enacted in the name of preventing nonexistent fraud—the
question is what effect Judge Posner's admirable candor could have.

In 2005, Indiana passed a law requiring voters to show photo IDs at the
polls. Opponents sued, saying the law would mainly prevent those most likely
not to have photo IDs—poor, elderly, and minority voters—from
voting. Judge Posner, a Reagan appointee to the United States Court of
Appeals for the Seventh Circuit, rejected the challenge because he saw no
evidence that any voters would be disenfranchised, and reducing vote fraud
was a legitimate state goal—despite the fact that Indiana had never
prosecuted anyone for that crime.

The Supreme Court upheld the ruling in 2008, and proponents of voter-ID laws
have relied on that opinion ever since. In an interview with HuffPost Live
on Friday, Judge Posner acknowledged that he had failed to appreciate how
voter-ID laws would be abused when he wrote the decision upholding the
Indiana statute.

“Maybe we should have been more imaginative.  We weren't really given
strong indications that requiring additional voter identification would
actually disenfranchise people entitled to vote.'' Those indications were
clear, of course, to judges who disagreed with Judge Posner at the time. In
a new book, he writes that he was `guilty' of upholding a law “now widely
regarded as a means of voter suppression rather than of fraud prevention.'
Had he spoken those words a few years ago, the landscape of voter-ID laws
might look very different.

Virginia Voter Purge List

"Peter G. Neumann" <>
Fri, 18 Oct 2013 13:20:10 PDT
Democrats say about 1/3 of the names on the purge list were incorrect.  An
article in *The Washington Post* says that 38,000 of 56,000 names proposed
for purge by the State Board of Election were ultimately purged.  That's
pretty close to 1/3 being incorrect.

Ship Tracking Hack Makes Tankers Vanish from View

<*Suzanne Johnson*>
Friday, October 18, 2013
  [Via Dave Farber's IP distribution]

A system used by ships worldwide to broadcast their location for safety
purposes lacks security controls and is vulnerable to spectacular spoofing
attacks, researchers show. ...

“We were really able to compromise this system from the root level,'' says
Kyle Wilhoit, a researcher with Trend Micro's Future Threat Research team.
By purchasing a 700-euro piece of AIS equipment and connecting it to a
computer in the vicinity of a port, the researchers could intercept signals
from nearby craft and send out modified versions to make it appear to other
AIS users that a vessel was somewhere it was not.

Using the same equipment and software, it is possible to force ships to stop
broadcasting their movements using AIS by abusing a feature that lets
authorities manage how nearby AIS transmitters operate. AIS transmissions
could also be sent out that make fake vessels or structures such as
lighthouses or navigational buoys appear, and to stage spoof emergencies
such as a `man in the water' alert or collision warning. No direct attacks
were staged on any real vessels.

The researchers showed that their spoof signals were faithfully reproduced
on the maps provided by online services that monitor AIS data, such as this

One online service was fooled into showing a real tugboat disappearing from
the Mississippi and reappearing on a Dallas lake, and depicting a fake
vessel traveling off Italy on a course that spelled out the hacker term for
a compromised system: `pwned'.

Crooks 'stole' Experian data the old-fashioned way: They bought it! (Serdar Yegulalp)

Gene Wirchenko <>
Mon, 21 Oct 2013 11:26:46 -0700
Serdar Yegulalp | InfoWorld, 21 Oct 2013
Credit bureau sold personal data from half a million users to fraudster
posing as a Private Investigator, who then resold data on the black market

"Is Wikipedia for Sale?"

Lauren Weinstein <>
Sat, 19 Oct 2013 14:58:17 -0700
  "In recent months though, insiders have encountered something altogether
  more worrying: a concerted attack on the very fabric of Wikipedia by PR
  companies that have subverted the online encyclopedia's editing hierarchy
  to alter articles on a massive scale-perhaps tens of thousands of
  them. Wikipedia is the world's most popular source of cultural,
  historical, and scientific knowledge-if their fears are correct, its
  all-important credibility could be on the line."  (Vice via NNSquad)

NSA Surveillance: The 21st-Century Panopticon (Bruce Schneier)

David Farber <>
Mon, 21 Oct 2013 11:03:12 -0400
Bruce Schneier, NSA Surveillance: The 21st-Century Panopticon, *The Atlantic*,

Director of National Intelligence James Clapper told Congress the NSA
doesn't collect information on millions of Americans. (Reuters)

The basic government defense of the NSA's bulk-collection programs --
whether it be the list of all the telephone calls you made, your email
address book and IM buddy list, or the messages you send your friends—is
that what the agency is doing is perfectly legal, and doesn't really count
as surveillance, until a human being looks at the data.

It's what Director of National Intelligence James R. Clapper meant when he
lied to Congress. When asked, "Does the NSA collect any type of data at all
on millions or hundreds of millions of Americans?" he replied, "No sir, not
wittingly." To him, the definition of "collect" requires that a human look
at it. So when the NSA collects—using the dictionary definition of the
word—data on hundreds of millions of Americans, it's not really
collecting it, because only computers process it.

The NSA maintains that we shouldn't worry about human processing, either,
because it has rules about accessing all that data. General Keith Alexander,
director of the NSA, said that in a recent New York Times interview: "The
agency is under rules preventing it from investigating that so-called
haystack of data unless it has a 'reasonable, articulable' justification,
involving communications with terrorists abroad, he added."

There are lots of things wrong with this defense.

First, it doesn't match up with U.S. law. Wiretapping is legally defined as
acquisition by device, with no requirement that a human look at it. This has
been the case since 1968, amended in 1986.

Second, it's unconstitutional. The Fourth Amendment prohibits general
warrants: warrants that don't describe "the place to be searched, and the
persons or things to be seized." The sort of indiscriminate search and
seizure the NSA is conducting is exactly the sort of general warrant that
the Constitution forbids, in addition to it being a search by any reasonable
definition of the term. The NSA has tried to secretly redefine the word
"search," but it's forgotten about the seizure part. When it collects data
on all of us, it's seizing it.

Third, this assertion leads to absurd conclusions. Mandatory cameras in
bedrooms could become okay, as long as there were rules governing when the
government could look at the recordings. Being required to wear a
police-issued listening device 24/7 could become okay, as long as those same
rules were in place. If you're uncomfortable with these notions, it's
because you realize that data collection matters, regardless of whether
someone looks at it.

Fourth, creating such an attractive target is reckless. The NSA claims to be
one of the biggest victims of foreign hacking attempts, and it's holding
all of this information on us? Yes, the NSA is good at security, but it's
ridiculous to assume it can survive all attacks by foreign governments,
criminals, and hackers—especially when a single insider was able to walk
out of the door with pretty much all their secrets.

Finally, and most importantly: Even if you are not bothered by the
speciousness of the legal justifications, or you are already desensitized to
government invasion of your privacy, there is a danger grounded in
everything we have learned about how humans respond when put in positions of
unchecked power. Assuming the NSA follows its own rules—which even it
admits it doesn't always—rules can change quickly. The NSA says it only
looks at such data when investigating terrorism, but the definition of that
term has broadened considerably. The NSA is constantly pushing the law to
allow more and more surveillance. Even Representative Jim Sensenbrenner, the
author of the Patriot Act, says that it doesn't allow what the NSA claims
it allows.

It doesn't make sense to build systems that could facilitate a future police
state.  A massive trove of surveillance data on everyone is incredibly
tempting for all parts of government to use. Once we have everyone's data,
it'll be hard to prevent it from being used to solve conventional crimes
and for all sorts of things. It's a totalitarian government's wet dream.

The NSA's claim that it only looks when it's investigating terrorism is
already false. We already know the NSA passes data to the DEA and IRS with
instructions to lie about its origins in court—"parallel construction" is
the term being used. What else is done with that data? What else could be?

It doesn't make sense to build systems that could facilitate a future police

This sort of surveillance isn't new. We even have a word for it: It's the
Panopticon. The Panopticon was a prison design created by 18th-century
philosopher Jeremy Bentham, and has been a metaphor for a surveillance state
ever since. The basic idea is that prisoners live under the constant threat
of surveillance. It's not that they are watched all the time—it's that
they never know when they're being watched. It's the basis of Orwell's 1984
dystopia: Winston Smith never knew if he was being watched, but always knew
it was a possibility. It's why online surveillance works so well in China to
deter behavior; no one knows if and when it will detect their actions

Panopticon-like surveillance—intermittent, but always possible—changes
human behavior. It makes us more compliant, less individual. It reduces
liberty and freedom. Philosopher Michael P. Lynch recently wrote about how
it dehumanizes us: “when we lose the very capacity to have privileged
access to our psychological information— the capacity for self-knowledge,
so to speak, we literally lose our selves .... To the extent we risk the
loss of privacy we risk, in a very real sense, the loss of our very status
as subjective, autonomous persons.''

George Dyson recently wrote that a system that “is granted (or assumes)
the absolute power to protect itself against dangerous ideas will of
necessity also be defensive against original and creative thoughts.''
That's what living in a Panopticon gets you.

Already, many of us avoid using `dangerous' words and phrases online, even
innocuously. Or making nervous jokes about it when we do.

By ceding the NSA the ability to conduct ubiquitous surveillance on
everybody, we cede to it an enormous amount of control over our own
lives. Once the NSA takes a copy of your data, you no longer control it. You
can't delete it. You can't change it. You might not even know when the rules
under which it uses your data change. And until Edward Snowden leaked
documents that show what the NSA is doing, you didn't even know that the
government had taken it.

What else don't we know that the NSA has or does?

France summons US ambassador to answer allegations of widespread NSA surveillance (Amar Toor)

<*Dewayne Hendricks*>
Monday, October 21, 2013
Amar Toor, The Verge, 21 Oct 2013
Agency reportedly recorded millions of French phone calls over 30-day
period last year

Americans Are Way Behind in Math, Vocabulary, and Technology (Roberto A. Ferdman, *The Atlantic*)

Allan Davidson <>
October 11, 2013 7:07:01 PM EDT
  "A new global report (pdf) by the Organization for Economic Cooperation
  and Development finds that Americans rank well below the worldwide average
  in just about every measure of skill. In math, reading, and
  technology-driven problem-solving, the United States performed worse than
  nearly every other country in the group of developed nations."

It seems to me that the results should be grounds for serious concern, even
though (or perhaps particularly because) China isn't included in the charts.
Particularly concerning seems to be the poor performance of the 16-24
compared to the 55-65 year-olds.

  [Let's hear it for us old people.  PGN]

Google Unveils Technology Tools for Digital Rebels (*Time*)

Lauren Weinstein <>
Mon, 21 Oct 2013 10:18:43 -0700  (*Time* via NNSquad)

  The most ambitious product launch is uProxy, a new Web browser extension
  that uses peer-to-peer technology to let people around the world provide
  each other with a trusted Internet connection. This product is designed to
  protect the Internet connection of users in, say, Iran, from state
  surveillance or filtering. Google Ideas is providing funding and technical
  assistance for uProxy, which was developed by researchers at the
  University of Washington and Brave New Software.  “If you look at
  existing proxy tools today, as soon as they're effective for dissidents,
  the government finds out about them and either blocks them or infiltrates
  them.  Every dissident we know in every repressive society has friends
  outside the country whom they know and trust. What if those trusted
  friends could unblock the access in those repressive societies by sharing
  their own access? That was the problem we tried to solve.''  UProxy allows
  users in the U.S. to give their trusted friends in Iran-people they might
  already be emailing or chatting with-access to the open U.S. Internet.
  “The user in Iran can get unfiltered access to the Internet that's
  completely uncensored and will look just like it does in the U.S.  It's
  completely encrypted and there's no way for the government to detect
  what's happening because it just looks like voice traffic or chat
  traffic. We wanted to build a proxy service that builds on top of trusted
  relationships that already exist.''

    [Knowing what we know about the lack of security and anonymity,
    how likely is this to be useful in critical environments?  PGN]

More on "online schools" fleecing taxpayers

Ed Ravin <>
Sun, 20 Oct 2013 15:02:14 -0400
The Forward reported back in 2012 on a similar scam at the college
level, where an online school sucks up US Federal grant money meant for
low-income students, without actually graduating anyone, and where most
of their students weren't even in the US:

And a recent followup:

I doubt this school is the only one playing this game.

Re: GPS map leads to border crossing and shooting (Scott Nicol)

Anthony DeRobertis <>
Fri, 18 Oct 2013 00:56:53 -0400
This is the most misleading Subject: line I can remember having appeared in
RISKS.  Even "contributes to" seems a stretch, especially since the articles
clearly state GPS navigation being involved is *a guess*.

"Stealing multiple cars, getting in multiple police chases, and crashing
through border patrol vehicles" is more like it...

There is an legitimate risk to be discussed here, indeed it appears its easy
to miss the "you're crossing an international border" warning; but the
results of that should be delay (including maybe having to turn around and
take a much longer route), not being shot at!

Re: "We can't let the Internet become Balkanized" (Steingold, R-27.55)

Amos Shapir <>
Sun, 20 Oct 2013 16:38:04 +0200
In RISKS-27.55, Sam Steingold writes:
> I actually welcome this scandal because it should bring home to people the
> fact that we have lost "the expectation of privacy" battle.

What battle?  The way the Internet is built and operated, it has been a
broadcasting network from day one.  No intelligent person should have
expected any privacy, any more than when walking on a public street.

"Users hit by Blue Screen, 0xC1900101 - 0x40017 error with Windows 8.1 update" (Woody Leonhard)

Gene Wirchenko <>
Fri, 18 Oct 2013 11:10:14 -0700
Woody Leonhard | InfoWorld, 18 Oct 2013
Microsoft is struggling to figure out how to handle a widely reported
problem when Windows 8 users update to Windows 8.1

"Resurrected KB 951847 'zombie' patch fixed—but now has new problem" (Woody Leonhard)

Gene Wirchenko <>
Fri, 18 Oct 2013 11:14:08 -0700
Woody Leonhard | InfoWorld, 18 Oct 2013
Botched patch installs .Net Framework 3.5 without warning or consent
-- even on systems that have studiously avoided .Net

"Problems remain after Microsoft yanks Windows RT 8.1 update"

Gene Wirchenko <>
Mon, 21 Oct 2013 11:31:07 -0700
Woody Leonhard | InfoWorld, 21 Oct 2013
Windows RT/8 updates have inspired a stream of complaints. Here's an
overview of what's happened, how you might recover

Microsoft “Still Working'' on KB2862330 Windows 7 Update Fix

Henry Baker <>
Sun, 20 Oct 2013 05:13:00 -0700
FYI—Obviously, the US Government shutdown kept the NSA from doing final
QA on this particular Windows backdoor^H^H^H^H^H^H^H^Hupdate. :-)

October 15th, 2013, 05:31 GMT  By Bogdan Popa

  - The patch is still being delivered via Windows Update

More and more users confirm issues with the KB2862330 Windows 7 update, as
the bulletin apparently fails to install on lots of computers, but Microsoft
remains pretty much tight-lipped on this subject.

Ben Herila, Microsoft product manager, has confirmed through a small post
that Redmond is still working to find the cause of the issues, explaining
that a free-of-charge support incident is available to anyone willing to
help the team deal with the problem.

“We can offer anyone who has this issue and is willing to go through
troubleshooting a free-of-charge support incident and Support will work with
you 1-1 to get your computer(s) back into a working state. The teams who
released this update do know that there may be a problem and are doing
additional testing to identify the root cause of the issue that folks are

At this point, the patch is still being delivered via Windows Update, which
means that in most cases, the bulletin is expected to install just fine.

Windows 7
Windows Update

GCHQ spooks update PC and mobile security advice for public sector

"Nap van Zuuren" <>
Sun, 20 Oct 2013 13:01:28 +0200
This might be of interest to RISKS readership.

Subject: GCHQ spooks update PC and mobile security advice for public sector;
CESG offers strengths and weaknesses guide

REVIEW: Craig P. Bauer, Secret History: The Story of Cryptology

Ben Rothke <>
Sun, 20 Oct 2013 17:43:28 -0400
Narrating a compelling and interesting story about cryptography is not an
easy endeavor

Many authors have tried and failed miserably—attempting to create better
anecdotes about the adventures of Alice and Bob.  David Kahn did the best
job of it when wrote The Codebreakers: The story of secret writing in 1967
and set the gold standard on the information security narrative.  Kahn's
book was so provocative and groundbreaking that the US Government originally
censored many parts of it.

A lot has change[d] since 1967, and while Secret History: The Story of
Cryptology is not as groundbreaking, it also has no government censorship.
With that, the book is fascinating read that provides a combination of
cryptographic history and the underlying mathematics behind it. ...

Kahn himself wrote that he felt this book is by far the clearest and most
comprehensive of the books dealing with the modern era of cryptography
including classic ciphers and some of the important historical ones such as
Enigma and Purple—but also newer systems such as AES and public-key

See more at:

See the full review here at:

Please report problems with the web pages to the maintainer