The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 59

Tuesday 5 November 2013


Honda recalls 344,000 Odyssey vans for software glitch
David Undercoffler via Monty Solomon
Opinion: Don't Gerrymander the Internet!
Joseph Lorenzo Hall with Leslie Harris
No Morsel Too Minuscule for All-Consuming NSA
Scott Shane via Monty Solomon
U.S. Postal Service Logging All Mail for Law Enforcement
Ron Nixon via Monty Solomon
Perhaps "Air Gaps" Need to be "Opaque Vacuums": The dangers of software controlled embedded devices
Bob Gezelter on Dan Goodin
Why The Attack on Buffer Was A Serious Wake-Up Call
David Berlind via Lauren Weinstein
Shut Down the Internet?
Steven J. Greenwald
Adobe: Hackers stole account info of 38 million users, not 3 million
Salvador Rodriguez via Monty Solomon
Re: Metric System and Math
Henry Baker
Amos Shapir
Re: Utility network protection? No.
Dick Mills
Re: An App That Saved 10,000 Lives
Bruce Horrocks
Info on RISKS (comp.risks)

Honda recalls 344,000 Odyssey vans for software glitch

Monty Solomon <>
Tue, 5 Nov 2013 10:18:03 -0400
David Undercoffler, *Los Angeles Times*, 4 Nov 2013

Honda Motor Co. has announced it is voluntarily recalling more than 344,000
Odyssey minivans to correct a problem with the vehicles' stability control

The recall affects 344,187 Odyssey vans from the 2007 and 2008 model
years. In certain circumstances, an error in the software can prevent the
system from calibrating correctly, leading to pressure building up in the
braking system, the National Highway Traffic Safety Administration said.

If pressure builds to a certain point, "the vehicle may suddenly and
unexpectedly brake hard, and without illuminating the brake lights,
increasing the risk of a crash from behind," the NHTSA said. ...

Opinion: Don't Gerrymander the Internet! (with Leslie Harris)

Joseph Lorenzo Hall <>
Mon, Nov 4, 2013 at 1:30 PM
Leslie Harris and Joseph Lorenzo Hall
Don't gerrymander the Internet

We can partially blame gerrymandering for the current gridlock in the
U.S. Congress. By shaping the electoral map to create politically safe
spaces, we have generated a fractious body that often clashes rather than
collaborates, limiting our chances of resolving the country's toughest
challenges. Unfortunately, revelations about the global reach of American
security surveillance programs under the National Security Agency (NSA) are
leading some to propose what amounts to gerrymandering for the Internet in
order to route around NSA spying.  This will shackle the Internet,
inherently change its technical infrastructure, throttle innovation, and
likely lead to far more dangerous privacy violations around the globe.

Nations are rightly upset that the communications of their citizens are
swept up in the National Security Agency's pervasive surveillance dragnet.
There is no question the United States has overreached and violated human
rights in its collection of communications information on innocent people
around the globe; however, the solution to this problem should not, and
truly cannot, be data localization mandates that restrict data storage and

The calls for greater localization of data are not new, but the recent
efforts of Brazil's President, Dilma Rousseff, to protect Brazilians from
NSA spying reflected the view of many countries suddenly faced with a new
threat to the privacy of the communications of their citizens. Rousseff has
been an advocate for Internet freedom, so undoubtedly her proposal is well
intentioned, though the potential unintended repercussions are alarming.

First, it's important to consider the technical reasons why data location
requirements are a really bad idea. The Internet developed in a widely
organic manner, creating a network that allowed data to flow from all
corners of the world—regardless of political boundaries, residing
everywhere and nowhere at the same time. This has helped increase the
resilience of the Internet and it has promoted significant efficiencies in
data flow. As is, the network routes around damage, and data can be wherever
it best makes sense and take an optimal route for delivery.

Data localization mandates would turn the Internet on its head.  Instead of
a unified Internet, we would have a fractured Internet that may or may not
work seamlessly. We would instead see districts of communications that cater
to specific needs and interests—essentially we would see Internet
gerrymandering at its finest.  Countries and regions would develop localized
regulations and rules for the Internet to benefit them in theory, and would
certainly aim to disadvantage competitors. The potential for serious winners
and losers is huge. Certainly the hope for an Internet that promotes global
equality would be lost.

Data localization may only be a first step. Countries seeking to keep data
out of the United States or that want to exert more control over the
Internet may also mandate restrictions on how data flows and how it is
routed.  This is not far-fetched. Countries such as Russia, the United Arab
Emirates, and China have already proposed this at last year's World
Conference on International Telecommunications.

As Internet traffic begins to demand more bandwidth, especially as we
witness more real-time multimedia applications, efficient routing is
essential to advance new Internet services. High capacity applications like
Apple's FaceTime may slow to the painful crawl reminiscent of the dial-up
days of the Internet.

This only begins to illustrate the challenges Internet innovators would
face, but big established players like Facebook, Google and Microsoft, would
potentially have the resources to abide by localization mandates—of
course, only if the business case supports working in particular locales.
Some countries with local storage rules may be bypassed altogether.  For
small or emerging businesses, data localization requirements would be a
greater challenge. It would build barriers to markets and shut off channels
for innovation. Few emerging businesses could afford to locate servers in
every new market, and if local data server requirements become ubiquitous,
it will be businesses in emerging markets that are most disadvantaged. The
reality for developing nations is that protectionist measures such as data
localization will further isolate local business from the global market,
depriving them of the advantages for growth that are provided by the
borderless Internet.

Most important though, is the potential for fundamental harm to human rights
due to data localization mandates. We recognize that this is a difficult
argument to accept in the wake of the revelations about NSA surveillance,
but data localization requirements are a double-edged sword. It is important
to remember that human rights and civil liberties groups have long been
opposed to data localization requirements because if used inappropriately,
such requirements can become powerful tools of control, intimidation and

When companies were under intense criticism for turning over the data of
Chinese activists to China, Internet freedom activists were united in their
calls to keep user data out of the country. When Yahoo!  entered the
Vietnamese market, it placed its servers out of the country in order to
better protect the rights of its Vietnamese users.  And the dust-up between
the governments of the United Arab Emirates, Saudi Arabia, India, and
Indonesia, among others, demanding local servers for storage of BlackBerry
messages in order to ensure legal accountability and meet national security
concerns, was met with widespread condemnation. Now with democratic
governments such as Brazil and some in Europe touting data localization as a
response to American surveillance revelations, these oppressive regimes have
new, albeit inadvertent, allies. While some countries will in fact store,
use and protect data responsibly, the validation of data localization will
unquestionably lead to many regimes abusing it to silence critics and spy on
citizens. Beyond this, data server localization requirements are unlikely to
prevent the NSA from accessing the data.  U.S. companies and those with a
U.S. presence will be compelled to meet NSA orders, and there appear to be
NSA access points around the world.

Data localization is a proposed solution that is distracting from the
important work needed to improve the Internet's core infrastructural
elements to make it more secure, resilient and accessible to all. This work
includes expanding the number of routes, such as more undersea cables and
fiber runs, and exchange points, so that much more of the world has
convenient and fast Internet access. If less data is routed through the
U.S., let it be for the right reason: that it makes the Internet stronger
and more accessible for people worldwide. We also need to work to develop
better Internet standards that provide usable privacy and security by
default, and encourage broad adoption.

Protecting privacy rights in an era of transborder surveillance won't be
solved by ring fencing the Internet. It requires countries, including the
U.S., to commit to the exceedingly tough work of coming to the negotiating
table to work out agreements that set standards on surveillance practices
and provide protections for the rights of privacy and free expression for
people. Germany and France have just called for just such an agreement with
the U.S. This is the right way forward.

In the U.S., we must reform our surveillance laws, adopt a warrant
requirement for stored email and other digital data, and implement a
consumer privacy law. The standards for government access to online data in
all countries must likewise be raised. These measures are of course much
more difficult in the short run than data localization requirements,
but they are forward-looking, long-term solutions that can advance a free
and open Internet that benefits us all.

No Morsel Too Minuscule for All-Consuming NSA (Scott Shane)

Monty Solomon <>
Sat, 2 Nov 2013 15:30:49 -0400
When Ban Ki-moon, the United Nations secretary general, sat down with
President Obama at the White House in April to discuss Syrian chemical
weapons, Israeli-Palestinian peace talks and climate change, it was a
cordial, routine exchange.

The National Security Agency nonetheless went to work in advance and
intercepted Mr. Ban's talking points for the meeting, a feat the agency
later reported as an "operational highlight" in a weekly internal brag
sheet. It is hard to imagine what edge this could have given Mr. Obama in a
friendly chat, if he even saw the N.S.A.'s modest scoop. (The White House
won't say.)

But it was emblematic of an agency that for decades has operated on the
principle that any eavesdropping that can be done on a foreign target of any
conceivable interest - now or in the future - should be done. After all,
American intelligence officials reasoned, who's going to find out?

From thousands of classified documents, the National Security Agency
emerges as an electronic omnivore of staggering capabilities, eavesdropping
and hacking its way around the world to strip governments and other targets
of their secrets, all the while enforcing the utmost secrecy about its own
operations. It spies routinely on friends as well as foes, as has become
obvious in recent weeks; the agency's official mission list includes using
its surveillance powers to achieve "diplomatic advantage" over such allies
as France and Germany and "economic advantage" over Japan and Brazil, among
other countries.

Mr. Obama found himself in September standing uncomfortably beside the
president of Brazil, Dilma Rousseff, who was furious at being named as a
target of N.S.A. eavesdropping. Since then, there has been a parade of such
protests, from the European Union, Mexico, France, Germany and
Spain. Chagrined American officials joke that soon there will be complaints
from foreign leaders feeling slighted because the agency had not targeted

James R. Clapper Jr., the director of national intelligence, has repeatedly
dismissed such objections as brazen hypocrisy from countries that do their
own share of spying. But in a recent interview, he acknowledged that the
scale of eavesdropping by the N.S.A., with 35,000 workers and $10.8 billion
a year, sets it apart.  "There's no question that from a capability
standpoint we probably dwarf everybody on the planet, just about, with
perhaps the exception of Russia and China," he said.

Since Edward J. Snowden began releasing the agency's documents in June, the
unrelenting stream of disclosures has opened the most extended debate on the
agency's mission since its creation in 1952.  The scrutiny has ignited a
crisis of purpose and legitimacy for the N.S.A., the nation's largest
intelligence agency, and the White House has ordered a review of both its
domestic and its foreign intelligence collection. While much of the focus
has been on whether the agency violates Americans' privacy, an issue under
examination by Congress and two review panels, the anger expressed around
the world about American surveillance has prompted far broader questions.

If secrecy can no longer be taken for granted, when does the political risk
of eavesdropping overseas outweigh its intelligence benefits? Should foreign
citizens, many of whom now rely on American companies for email and Internet
services, have any privacy protections from the N.S.A.? Will the American
Internet giants' collaboration with the agency, voluntary or otherwise,
damage them in international markets? And are the agency's clandestine
efforts to weaken encryption making the Internet less secure for everyone?

Matthew M. Aid, an intelligence historian and author of a 2009 book on the
N.S.A., said there is no precedent for the hostile questions coming at the
agency from all directions. ...

U.S. Postal Service Logging All Mail for Law Enforcement (Ron Nixon)

Monty Solomon <>
Sun, 3 Nov 2013 17:13:19 -0400
Ron Nixon, *The New York Times*, 3 Jul 2013

WASHINGTON - Leslie James Pickering noticed something odd in his mail last
September: a handwritten card, apparently delivered by mistake, with
instructions for postal workers to pay special attention to the letters and
packages sent to his home.

"Show all mail to supv" - supervisor - "for copying prior to going out on
the street," read the card. It included Mr. Pickering's name, address and
the type of mail that needed to be monitored. The word "confidential" was
highlighted in green.

"It was a bit of a shock to see it," said Mr. Pickering, who with his wife
owns a small bookstore in Buffalo. More than a decade ago, he was a
spokesman for the Earth Liberation Front, a radical environmental group
labeled eco-terrorists by the Federal Bureau of Investigation. Postal
officials subsequently confirmed they were indeed tracking Mr. Pickering's
mail but told him nothing else.

As the world focuses on the high-tech spying of the National Security
Agency, the misplaced card offers a rare glimpse inside the seemingly
low-tech but prevalent snooping of the United States Postal Service.

Mr. Pickering was targeted by a longtime surveillance system called mail
covers, a forerunner of a vastly more expansive effort, the Mail Isolation
Control and Tracking program, in which Postal Service computers photograph
the exterior of every piece of paper mail that is processed in the United
States - about 160 billion pieces last year. It is not known how long the
government saves the images.

Together, the two programs show that postal mail is subject to the same kind
of scrutiny that the National Security Agency has given to telephone calls
and e-mail. ...

Perhaps "Air Gaps" Need to be "Opaque Vacuums": The dangers of software controlled embedded devices (Re: Dan Goodin article)

"Bob Gezelter" <>
Fri, 01 Nov 2013 00:46:20 -0700
"Airgaps" are a long-accepted precaution. In principle, an isolated system
cannot be contaminated or compromised by way of its network connections.  A
report in Ars Technica discusses how this long-accepted wisdom may be
somewhat incomplete in the age of audio-visual enabled devices. The affair
at a Philadelphia-area school, where IT technical staff remotely enabled
students' integral laptop cameras demonstrated the dangers of remotely
enabled cameras; we now have a preliminary report of malware communicating
with other infected systems via integral speakers and microphones.  Besides
the tongue in cheek renaming of "air gaps" as "opaque vacuums", perhaps
physical (non-software intermediated) On/Off switches on integral devices
would be a good privacy feature.  The original article [* by Dan Goodin] is at:
Bob Gezelter,

  [* Note: Dan Goodin's article is a really fascinating one, and worth a
  careful read.  The website also includes a response to questioning
  comments from readers, saying that as a journalist for more than 17 years,
  he has never written a spoof story, and it is completely coincidental that
  this one ran on Halloween.  PGN]

Why The Attack on Buffer Was A Serious Wake-Up Call (David Berlind)

Lauren Weinstein <>
Mon, Nov 4, 2013 at 6:41 PM
  "End-users must also recognize that, despite the best intentions of those
  stakeholders and the imprimaturs of widely-used federated credentialing
  technologies like OAuth, there's no guarantee that their identities cannot
  be stolen and abused for impersonation.  Vulnerabilities exist, especially
  as a result of the implementation decisions that vary from developer to
  developer and API provider to API provider."  (Programmable Web via NNSquad)

[Also noted by Prashanth Mundkur.  PGN]

Shut Down the Internet?

"Steven J. Greenwald" <>
Mon, 4 Nov 2013 18:17:59 -0500 (GMT-05:00)
My physicians expect me to sleep at night without drugs.

I tried to pay my property taxes on-line. It didn't work. I got an error
message of "unknown." So I e-mailed them. I got the following response.
Do not read with liquid in mouth. Please.

 - - - -

Dear Taxpayer,

We apologize for the inconvenience you're getting with our new system.
Please try again to submit your payment by following the instructions below:

* Clear browsing history. Go to the Tools Option on the top of the page,
  delete browsing history.
* Shut down the Internet.

During the time of transaction, do not use the back arrow key.

Thank you for contacting us,

Miami-Dade Tax Collection <>
"Delivering Excellence Every Day"

  [Lovely follow-up to this message omitted by Steve, including discussion
  of the implications of someone actually shutting down the Internet!  PGN]

Adobe: Hackers stole account info of 38 million users, not 3 million (Salvador Rodriguez)

Monty Solomon <>
Tue, 5 Nov 2013 10:18:03 -0400
Salvador Rodriguez, *Los Angeles Times*, 30 Oct 2013

After originally saying that fewer than 3 million users had been affected by
a cyber security breach earlier this month, Adobe is now saying that at
least 38 million users' accounts were compromised.  The software company,
known for Photoshop and other programs, said hackers were able to obtain the
Adobe IDs and encrypted passwords for about 38 million users who are active
with their accounts. ...

Re: Metric System and Math (Jansen, RISKS-27.58)

Henry Baker <>
Fri, 01 Nov 2013 14:52:36 -0700
The denigration of degrees as a measure of angles is a particularly
unfortunate example, as the various units are far more complex, and far less
standard, than might have been imagined.  In particular, in countries close
to Finland--e.g., Sweden & Russia--local standards were traditionally
different, and it took NATO (?!?) to standardize the "mil":

"Note: Do not confuse the angular mil with the minute of arc (MOA).
1 trigonometric milliradian (mrad) ≈ 3.43774677078493 MOA.
1 NATO mil = 3.375 MOA (exactly)."

The risk here is in using the wrong unit of angle to aim your artillery.

Re: Metric System and Math (Jansen, RISKS-27.58)

Amos Shapir <>
Sun, 3 Nov 2013 00:52:21 +0200
> In my school days, I don't recall ever seeing non-metric measures in the
> lab, and they ended before 1975.

That was exactly my point: that the metric system is presented as good for
use only by scientists, and has no bearing on everyday life.  This is an
indicator of the general attitude against science in the US, which leads to
willful ignorance (of which Creationism is just one extreme example).

Re: Utility network protection? No. (RISKS-26.86)

Dick Mills <>
Fri, 1 Nov 2013 19:01:04 -0400
With what we know today, that utility network protection project may have
been killed at the order of NSA, because it was secure.  It seems clear that
NSA feels that if anyone anywhere has a truly secure system that NSA can't
monitor, then terrorists could use it, and it must be corrupted or thwarted.

Who is to say that NSA is wrong?  If anyone brags about having a really
secure system, they would become a target for terrorists who would like to
duplicate their system, or at least learn how they did it.

NSA's dual role to spy on foreigners and to help assure secure domestic
networking is hopelessly conflicted.

I was once an electric utility employee.  Today, if I was really serious
about power grid security, I would be forced to reject anything recommended
or mandated by government, and to nix any cooperation or reporting of
security related information to government.  But if I did so, then I become
even more a choice terrorist target.  It is a lose-lose situation.

That is the true extent of the damage caused by NSA's overreach.

  [Killed "because it was secure"?  Perhaps a little overstated, where "too
  secure" might have been a little more realistic.  As most RISKS readers
  know, there is no such thing as a system that cannot be compromised
  somehow, considering insiders, design flaws, and inherent practical
  limitations.  It's just a question of how much effort it might take.  PGN]

Re: An App That Saved 10,000 Lives (O'Leary, RISKS-27.54)

Bruce Horrocks <>
Sat, 2 Nov 2013 10:23:09 +0000
Amy O'Leary's item was billed as a "success story". I don't dispute that --
it is a success story.  However, the *article* as quoted, is worthy of a
RISKS item.

Firstly, an ambiguity [* See PGN Note, below]:
> This week, the start-up heard from its 10,000th user
> who said the site saved her life.

So is that: 10,000 (female) users each say the site has saved her life, or
that the 10,000th user alone says the site saved her life?

If the former, then the app probably deserves a Nobel prize for medicine:
somehow it has identified a previously unknown, significant threat to female
health. If the latter, then one of those remarkable that only seem to happen
in press releases where [$convenient round number]th user has a major,
life-threatening condition rather than a bunion.

Let's assume the latter, on balance of probabilities.
So has that 10,000th user just recently visited the site?

> Since its founding in 2012, the site has logged nearly a billion questions
> and answers, from simple queries about headaches or the flu, to more
> complicated ones, like whether mechlorethamine is a cancer medication.

Wow, that's... [gets out calculator to divide 1bn by 10k ;-) ]...  100,000
queries per user. Those people must be really sick!

Okay, so the site must clearly have had more than 10K visitors, and the
story is a follow-up on the 10,000th visited long after she visited the

So how many people do we think have visited the site?

Assuming 5 questions per user, a billion questions equates to 200m
users. Hmm, that's virtually all of the US population old enough to use a
computer. All using the site in the last year. It's all starting to look a
bit iffy.

And then we are told:

> None of that would be possible without the participation
> of nearly 50,000 doctors who contribute their advice free

So 50k doctors answering a billion questions equals 20k questions each.
Assuming 5 mins per question to answer, and 8 hour days, that's 208 days of
full-time work *each* doctor has given free since the site was founded only
a year ago. However do they manage to find time to see their paying

Okay, so enough cheap shots at an over-inflated site usage figure.

The RISKS: Don't take a newspaper headline at face value (but you knew that
anyway). Web site statistics given out by the sites themselves need to be
independently verified (but you knew that anyway). Only in some dim, distant
past did journalists question or verify the information they were given.

Finally, this is absolutely not a shot at Monty Solomon nor PGN for raising
and including the item: I too would like to see more success stories—I
just wish that journalists would write them better.

Bruce Horrocks, Hampshire, UK

  [PGN notes, actually, there is no *ambiguity* as written.
  Perhaps what Bruce is suggesting is that instead of
    > This week, the start-up heard from its 10,000th user
    > who said the site saved her life.
  the author should have written
    > This week, the start-up heard from its 10,000th user,
    > who said the site saved her life.

  Yes, the original could have been very sloppy writing, but it might even
  be that the author may have actually written it correctly with the comma,
  which got dropped by the editor.  Also, in Bruce's second version, the
  "alone" is clearly gratuitous, because some number of women less than
  10,000 might have also noted that the site had saved her life.  PGN]
