The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 63

Wednesday 4 December 2013


Jury: Newegg infringes Spangenberg patent, must pay $2.3 million
Lauren Weinstein
Amazon Air Prime and the Labor Question
Andrew Russell
"Stuxnet's Secret Twin", by Ralph Langner at Foreign Policy
via Prashanth Mundkur
Dial 00000000 for Armageddon
Henry Baker
Monday meltdown
Gary Hinson
"Million-dollar robbery rocks bitcoin exchange"
Jon Gold via Gene Wirchenko
Bitcoin Miners being planted in programs being surreptitiously installed on users' computers
Techienews via Lauren Weinstein
Why Comcast and other cable ISPs aren't selling you gigabit Internet
ArsTechnica via Lauren Weinstein
Dutch intelligence agency AIVD hacks Internet forums
NRC via LW
Snowden claims... NSA used lots of spyware
Danny Burstein
UK ministers will order ISPs to block terrorist and extremist websites
Lauren Weinstein
New FCC Chairman appears to simultaneously endorse NetNeutrality and letting ISPs crush Net services and consumers
Public Knowledge
"Malice or mistake? Cyber sleuths weigh in on Internet hijack attack"
Serdar Yegulalp via Gene Wirchenko
A spurned techie's revenge: Locking down his ex's digital life
Sean Gallagher via Monty Solomon
Facebook Vulnerability Discloses Friends Lists Defined as Private
Surveilling the police!
Prashanth Mundkur
Couchsurfing - The Crash - Montreal 2006
Re: A joke that went wrong
Brian Randell
Willis Ware
The Spyware That Enables Mobile-Phone Snooping
Susan Crawford via Robert Schaefer
Healthcare IT
Digital Outcasts: Moving Technology Forward without Leaving People Behind
Ben Rothke
Info on RISKS (comp.risks)

Jury: Newegg infringes Spangenberg patent, must pay $2.3 million

Lauren Weinstein <>
Mon, 25 Nov 2013 21:55:02 -0800
  "Newegg, an online retailer that has made a name for itself fighting the
  non-practicing patent holders sometimes called "patent trolls," sits on
  the losing end of a lawsuit tonight. An eight-person jury came back
  shortly after 7:00pm and found that the company infringed all four
  asserted claims of a patent owned by TQP Development, a company owned by
  patent enforcement expert Erich Spangenberg.  The jury also found that the
  patent was valid, apparently rejecting arguments by famed cryptographer
  Whitfield Diffie. Diffie took the stand on Friday to argue on behalf of
  Newegg and against the patent."
    [via NNSquad]

       [Insanity. Idiocy. LW]

Jury: Newegg infringes Spangenberg patent, must pay $2.3 million

"Peter G. Neumann" <>
Tue, 26 Nov 2013 11:30:22 PST
Newegg trial: Crypto legend takes the stand, goes for knockout patent punch  (Ars Technica)

  "We've heard a good bit in this courtroom about public key
  encryption," said Albright. "Are you familiar with that?"

  "Yes, I am," said Diffie, in what surely qualified as the biggest
  understatement of the trial.

  "And how is it that you're familiar with public key encryption?"

  "I invented it."

Amazon Air Prime and the Labor Question (via Dave Farber)

Andrew Russell <>
December 4, 2013 at 10:30:20 AM EST
Lee Vinsel has posted a provocative piece on "Autonomous Vehicles and the
Labor Question."  The post sets a couple of recent discussion topics - a New
Yorker article on self-driving cars, and the 60 Minutes profile of Jeff
Bezos [1 Dec 2013] - into a richer context, including the connections
between the industrial and digital economies, and what these new
technologies might mean for human labor (aka "jobs").

  [The highlight of Charlie Rose's interview with Bezos was clearly
  the film snippet of an Octocopter drone delivering a book from Amazon
  to someone at his doorstep.  The risks of collisions, spoofing, and
  so on were never mentioned.  PGN]

"Stuxnet's Secret Twin", by Ralph Langner at Foreign Policy

Prashanth Mundkur <>
Tue, 26 Nov 2013 20:46:39 -0800
First two paras:

  Three years after it was discovered, Stuxnet, the first publicly disclosed
  cyberweapon, continues to baffle military strategists, computer security
  experts, political decision-makers, and the general public. A comfortable
  narrative has formed around the weapon: how it attacked the Iranian
  nuclear facility at Natanz, how it was designed to be undiscoverable, how
  it escaped from Natanz against its creators' wishes. Major elements of
  that story are either incorrect or incomplete.

  That's because Stuxnet is not really one weapon, but two. The vast
  majority of the attention has been paid to Stuxnet's smaller and simpler
  attack routine—the one that changes the speeds of the rotors in a
  centrifuge, which is used to enrich uranium. But the second and
  "forgotten" routine is about an order of magnitude more complex and
  stealthy. It qualifies as a nightmare for those who understand industrial
  control system security. And strangely, this more sophisticated attack
  came first. The simpler, more familiar routine followed only years later
  and was discovered in comparatively short order.

Dial 00000000 for Armageddon.

Henry Baker <>
Sat, 30 Nov 2013 19:32:25 -0800
FYI—This secret number was probably taped to the bottom of the "red
phone"...  "The Onion" and "SNL" couldn't make up this story; and the people
in charge of the PAL program must have laughed hysterically at the movie
Dr. Strangelove, but for a totally different reason from the rest of us...

Dial 00000000 for Armageddon. U.S.'s top secret nuclear launch code
was frighteningly simple
*Daily Mail*, 29 Nov 2013 UPDATED: 21:59 EST

For nearly 20 years, the secret code to authorize launching U.S. nuclear
missiles, and starting World War III, was terrifyingly simple and even noted
down on a checklist.  From 1962, when John F Kennedy instituted PAL encoding
on nuclear weapons, until 1977, the combination to fire the devastating
missiles at the height of the Cold War was just 00000000.  This was chosen
by Strategic Air Command in an effort to make the weapons as quick and as
easy to launch as possible, as reported by Today I Found Out.

The Permissive Action Link (PAL) is a security device for nuclear weapons
that is supposed to prevent unauthorized arming or detonation of the
nuclear weapon.  JFK signed the National Security Action Memorandum 160 in
1962 that required all nuclear missiles to be fitted with a PAL system.  But
nuclear experts claim the military was worried about the possibility of
command centers or communication lines being destroyed in real nuclear war,
stopping soldiers getting the codes or authorization to launch missiles when
they were actually needed.  So they simply left the security code for the
weapons as eight zeros, getting around the security safeguards.

Dr. Bruce G. Blair, worked as a Minuteman launch officer between 1970 and
1974. He has written several articles about nuclear command and control
systems.  In a paper called Keeping Presidents in the Nuclear Dark, he wrote
that Strategic Air Command 'remained far less concerned about unauthorized
launches than about the potential of these safeguards to interfere with the
implementation of wartime launch orders.'  Incredibly, he also writes that
the vital combination for America's nuclear deterrent was even helpfully
noted down for the officers.  'Our launch checklist in fact instructed us,
the firing crew, to double-check the locking panel in our underground launch
bunker to ensure that no digits other than zero had been inadvertently
dialed into the panel,' Dr Blair wrote.

According to Today I Found Out, Blair wrote an article in 1977 entitled The
Terrorist Threat to World Nuclear Programs.  This claimed that it would take
just four people working together to launch nuclear missiles from the silos
he had worked in.

That very same year all the PAL systems were activated, and the nuclear
codes were changed. Hopefully to something more complicated than 00000000.

  [Bob Frankston noted a Gizmodo article by Karl Smallwood, 29 Nov 2013:
  For 20 Years the Nuclear Launch Code at US Minuteman Silos Was 00000000  PGN]

Monday meltdown

"Gary Hinson" <>
Wed, 4 Dec 2013 08:08:41 +1300
"RBS today admitted that it had failed to invest properly in IT systems for
decades, as customers woke up to find money had been emptied from their
accounts by a computer glitch".

Curiously frank admission by a bank, that.  According to the paper, the CEO
said "I will be outlining plans in the New Year for making RBS the bank
that our customers and the UK need it to be. This will include an outline of
where we intend to invest for the future."  Let's hope the 'outline' is
sufficient to support a generous budget request, and 'the future' is not too
far off.

Being the Daily Mail, the journalism is heavy on emotive stuff such as "I
couldn't purchase milk for my four-week-old baby" but RISKS readers ought to
be able to guess at how this incident, and the associated adverse publicity
and Twitter storm, may have affected the RBS (Royal Bank of Scotland) brand.

Dr Gary Hinson, IsecT CEO,

"Million-dollar robbery rocks bitcoin exchange" (Jon Gold)

Gene Wirchenko <>
Fri, 29 Nov 2013 11:08:44 -0800
Jon Gold, InfoWorld, 26 Nov 2013
Latest Bitcoin security breach affects major European exchange, which
shuts down personal wallet service

[Gene Wirchenko noted
" warns passwords in danger after DNS attack"
Jeremy Kirk, InfoWorld, 02 Dec 2013
Some users are advised to change their passwords after the site's DNS
registrar was breached

Also see

Bitcoin Miners being planted in programs being surreptitiously installed on users' computers

Lauren Weinstein <>
Sat, 30 Nov 2013 11:51:21 -0800
Report: Bitcoin Miners being planted in programs being surreptitiously
installed on users' computers  (Techienews via NNSquad)

  "These miners surreptitiously carry out Bitcoin mining operations on the
  user's system consuming valuable CPU time without explicitly asking for
  user's consent. Because of the extensive mathematical calculations
  involved, the mining operation consumes a lot of CPU resource and renders
  the user's system almost useless for regular operations.  Malwarebytes
  first came across such an instance of a Bitcoin miner when one of the
  users of its software requested for assistance on November 22 through a
  forum post."

Why Comcast and other cable ISPs aren't selling you gigabit Internet

Lauren Weinstein <>
Sun, 1 Dec 2013 20:31:26 -0800
  "Cable tech could hit a gigabit today, but why bother when customers lack
  choice?"  (Ars Technica via NNSquad)

Dutch intelligence agency AIVD hacks Internet forums

Lauren Weinstein <>
Sat, 30 Nov 2013 09:08:15 -0800
  Nico van Eijk, a Dutch professor in Information Law, is of the opinion
  that the Dutch intelligence service has crossed the boundaries of Dutch
  legislation. "They use sweeps to collect data from all users of web
  forums.  The use of these techniques could easily lead to mass
  surveillance by the government."  IT specialist Matthijs Koot says that
  the exploitation of this technology can lead to a blurring of the lines
  between normal citizens and legitimate targets of the intelligence
  services. (NRC via NNSquad)

    [I suppose this is a new form of Dutch Treat, where the Dutch and their
    government split the costs?  PGN]

Snowden claims... NSA used lots of spyware

Danny Burstein <>
Sat, 23 Nov 2013 13:50:38 -0500 (EST)
[courtesy of a Netherlands news group's web post. Don't have any info on
their veracity]

NSA infected 50,000 computer networks with malicious software

The American intelligence service - NSA - infected more than 50,000 computer
networks worldwide with malicious software designed to steal sensitive
information. Documents provided by former NSA-employee Edward Snowden and
seen by this newspaper prove this.

A management presentation dating from 2012 explains how the NSA collects
information worldwide. In addition, the presentation shows that the
intelligence service uses "Computer Network Exploitation" (CNE) in more than
50,000 locations. CNE is the secret infiltration of computer systems
achieved by installing malware, malicious software.
UK ministers will order ISPs to block terrorist and extremist websites

Lauren Weinstein <>
Thu, 28 Nov 2013 09:52:48 -0800
  "The government is to order broadband companies to block extremist
  websites and empower a specialist unit to identify and report content
  deemed too dangerous for online publication.  The crime and security
  minister, James Brokenshire, said on Wednesday that measures for censoring
  extremist content would be announced shortly. The initiative is likely to
  be controversial, with broadband companies already warning that freedom of
  speech could be compromised." (Guardian via NNSquad)

Maybe also try blocking sites of political critics? No matter, a thousand
proxies will bloom, for good or ill. That's the reality, like it or not.

New FCC Chairman appears to simultaneously endorse Net Neutrality and letting ISPs crush Net services and consumers

Lauren Weinstein <>
Tue, 3 Dec 2013 16:24:51 -0800  (Public Knowledge via NNSquad)

  Yesterday, new FCC Chairman Tom Wheeler delivered his first formal public
  address.  After a prepared speech that explained his regulatory approach,
  he moved to a Q&A session.  In that session, he appeared to endorse the
  opposite of net neutrality: allowing ISPs to charge websites and services
  in order to reach that ISP's subscribers.  In other words, giving ISPs the
  power to pick winners and losers online.  This endorsement was all the
  more unexpected because it followed his explicit endorsement of "net
  neutrality" and a speech that touted the FCC's role in protecting the
  public interest.

    [This might give new meaning to "Wheeler Dealer".  PGN]

"Malice or mistake? Cyber sleuths weigh in on Internet hijack attack" (Serdar Yegulalp)

Gene Wirchenko <>
Tue, 26 Nov 2013 12:11:58 -0800
Serdar Yegulalp | InfoWorld, 22 Nov 2013
Security experts investigate roots and motive behind surprise
rerouting of Internet traffic through Belarus and Iceland

A spurned techie's revenge: Locking down his ex's digital life (Sean Gallagher)

Monty Solomon <>
Sat, 30 Nov 2013 00:29:36 -0500
Sean Gallagher, Ars Technica, 22 Nov 2013
Revenge porn is just the tip of the iceberg when it comes to
cyber-domestic abuse.

The e-mail's subject line was "Interested in hiring you." The sender, a
woman, said she had seen me on a local Baltimore news show talking about
revenge porn, and she was "interested in talking to you about some work."
She gave an office phone number, and her e-mail address was from a large
local hospital system, so I thought it might be for some sort of speaking

It was anything but. When I contacted her, the woman told me her life had
been turned upside down by her ex-boyfriend. He had hacked her phones, her
voicemail, and her family's computer, and he was blocking her out of her
digital life. She was looking for someone to help her regain control.

To some, those claims might sound like paranoia. But there are thousands of
incidents of this type of abusive use of technology annually, perpetrated by
(mostly male) spouses or partners. The most public forms of tech-centered
abuse, especially revenge porn, are getting attention from legislators
across the US right now. But these incidents are not entirely new. For more
than a decade, domestic violence and "intimate partner" stalking and
harassment have relied heavily on technology.

The most recent comprehensive study on stalking and domestic violence,
conducted by the Department of Justice in 2006, found that more than 887,000
people were aware that they were victims of cyber stalking or electronic
monitoring in that year alone. And that was a year before the iPhone was
released and well before the smartphone boom really began. ...

Facebook Vulnerability Discloses Friends Lists Defined as Private

Lauren Weinstein <>
Mon, 25 Nov 2013 11:02:10 -0800
  "Irene Abezgauz from the Quotium Seeker Research Center identified a
  security flaw in Facebook privacy controls. The vulnerability allows
  attackers to see the friends list of any user on Facebook. This attack is
  carried out by abusing the 'People You May Know' mechanism on Facebook,
  which is the mechanism by which Facebook suggests new friends to users."  (Quotium via NNSquad)

Surveilling the police!

Prashanth Mundkur <>
Wed, 27 Nov 2013 06:37:36 -0800
  Saleh was so troubled by what he saw that he decided to install video
  cameras in his store. Not to protect himself from criminals, because he
  says he has never been robbed. He installed the cameras - 15 of them -
  to protect him and his customers from police.

Couchsurfing - The Crash - Montreal 2006

Tue, 03 Dec 2013 04:59:15 +0800
Gone without any backups!
Never do this.

Re: A joke that went wrong (Randell, RISKS-2.56)

Brian Randell <>
Wed, 27 Nov 2013 21:15:31 +0000
  [Brian sets the record straight after a RISKS posting 27.5 years ago!]

RISKS-2.56 (30 May 1986)
carried an article passed on by me from the (London) Guardian, under the
heading "A joke that went wrong". The newspaper article described a court
case in which Mr Dean Talboys "admitted criminal damage at Acton crown court
in the first British prosecution for electronic graffiti". A bug in some
software that he was creating as a (harmless) practical joke, on a system
that was in "test mode", accidentally caused disruption at his employer's
headquarters when the computer was switched to "operational mode". (The
article does not indicate the cause of this switch, but there is no
suggestion that Mr Talboys was responsible.) There has, I learn, been a
long-lasting effect of this incident, in that ever since, Internet searches
on his (rather unusual) name have frequently led people to this article, and
to their drawing unjustified conclusions about him. This followup message to
RISKS should from now on also be found by people doing Internet searches on
his name, and thus should help alleviate an unfortunate situation.

Brian Randell, School of Computing Science, Newcastle University, Newcastle
upon Tyne, NE1 7RU, UK +44 191 222 7923

- - - - -

Begin forwarded message:

Date: 27 November 2013 21:00:26 GMT
From: <<>>
To: Brian Randell <>
Subject: RE: A joke that went wrong

Hi Brian,

Very well put and much appreciated. With respect to the "switch", it is
worth pointing out that this was a typical mainframe environment where
systems, operations, and development existed as autonomous units. The only
way I could have been held fully responsible for the failure was if I had
requested the systems programmer to move the test program into the live
environment. Not only was the program incomplete when I left to join a
consultancy, it was perhaps three months later that the problem occurred (I
had enough of a job explaining it to my QC, who was concerned the public
jury would not get it at all). The only reason they came after me was the
fact that my employee number was hard coded into a conditional statement -
hardly the action of someone intent on damage or financial gain. Personally,
I think Dixon's were a little annoyed at me leaving so soon after they had
trained me on ManTIS but then it was the 80s and companies were stealing
employees left, right and centre. They were no different in that respect.

It struck me that there is a cruel irony considering the circumstances, you
the contributor to a magazine intended for a limited readership, which
through the actions of a third-party, Google, unintentionally leads to a
much wider audience.

Thanks again and have a nice Christmas!


Willis Ware

"Peter G. Neumann" <>
Mon, 25 Nov 2013 21:45:53 PST
Willis died at 93.  He was a colleague, friend, and continual inspiration.
He was one of the nicest people I ever met.  It is almost impossible to do
his passing justice here, but I thought I would excerpt a few comments.

Gene Spafford <>

* Willis worked at the Institute for Advanced Studies for John von Neumann,
  building an early computer system.
* He helped build the Johnniac.
* He was at RAND for more than 40 years.
* He was heavily involved early in the ACM.
* He was the founding president of AFIPS.
* The Ware Report in 1967 was one of the real landmarks.
* In 1972, he chaired the Advisory Committee on Automated Personal Data
  Systems for HEW (now HHS). "Records, Computers, and the Rights of Citizens"
* That influenced the Privacy Act of 1974.
* He was the first chairman of the Information System and Privacy
  Advisory Board formed under the Computer Security Act of 1987
* He was one of the most honored professionals in computing.  [LONG LIST]

Dr. Willis H. Ware was truly a pioneer computer scientist, an early
innovator in computing education, one of the founders of the field of
computer security, and an early proponent of the need to understand
appropriate use of computing and the importance of privacy. His dedication
to the field and the public interest was both exceptional and seminal.

(*The New York Times* apparently ran two different obits,
and another by John Markoff on 3 Dec 2013, who quoted Willis from 1966:

  "The computer will touch men everywhere and in every way, almost on a
  minute-by-minute basis.  Every man will communicate through a computer,
  whatever he does.  It will change and reshape his life, modify his career,
  and force him to accept a life of continuous change."

He was incredibly wise.  Overall, he called 'em as he saw 'em, and he was
usually right on the mark.   PGN

The Spyware That Enables Mobile-Phone Snooping (Susan Crawford)

Robert Schaefer <>
Tue, 3 Dec 2013 08:22:03 -0500
Susan Crawford - Nov 27, 2013

"The technology involved is called cellular interception. The active variety
of this, the 'IMSI catcher', is a portable device that masquerades as a
mobile phone tower...Because the security hole that allows for this snooping
is associated with 2G mobile networks, any 2G phone can be fooled by an IMSI
catcher. To bring in newer phones, corporate spies and other criminals can
easily jam nearby 3G, 4G and long-term evolution, or LTE, networks so that
phones associated with them 'think' they have to fall back on 2G
networks. All phones, no matter how modern, continue to work in 2G mode,
because carriers are reluctant to make the investments required to move up
from 2G networks nationwide...As things stand, U.S. mobile networks can
easily be exploited by criminals and by foreign governments."

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886  781-981-5767

Healthcare IT (IEEE S&P)

"Peter G. Neumann" <>
Mon, 2 Dec 2013 11:51:44 PST
With all the current kerfuffle over Healthcare in the US and elsewhere, the
November-December 2013 IEEE Security and Privacy magazine has a timely
special issue devoted to Healthcare IT.  The articles (in addition to the
Guest Editors' Introduction by Kelly Caine and Michael Lesk, and the
concluding Point/Counterpoint with Deborah Peel and Deven McGraw) are

 * Nonconfidential Patient Types in Emergency Clinical Decision Support
 * Electronic Medical Records: Confidentiality, Care, and Epidemiology
 * Securing Information Technology in Healthcare
 * Identity Management—In Privacy We Trust: Bridging the Trust Gap
   in eHealth Environments

Digital Outcasts: Moving Technology Forward without Leaving People Behind

Ben Rothke <>
Tue, 26 Nov 2013 07:23:34 -0500
Many of us have experimented with what it means to be disabled - by sitting in a
wheelchair for a few minutes or putting a blindfold over our eyes.  In
Digital Outcasts: Moving Technology Forward without Leaving People Behind,
author Kel Smith details the innumerable obstacles disabled people have to
deal with in their attempts to use computers and the Internet.  Smith writes
that despite our growing potential to augment human capability and
competence through technology, the innovation curve sometimes leaves
behind people who could most benefit.

Full book review at
