The RISKS Digest
Volume 27 Issue 78

Monday, 3rd March 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Startups don't realize the issue with security until it's too late
Jenna Wortham and Nicole Perlroth
Apple Rolls Out CarPlay
Apple Press Info via Monty Solomon
Keurig Will Use DRM In New Coffee Maker To Lock Out Refill Market
Karl Bode via Monty Solomon
"Yahoo breach exposes naked truth about online security"
Robert X. Cringely via Gene Wirchenko
Snowden made cyber-geek nightmares true. Can 'private' be normal again?
Dan Gillmor via Dewayne Hendricks
Ed Felten at TrustyCon
PGN
Apple's Serious Security Issue: Update Your iPhone or iPad Immediately
Molly Wood via Monty Solomon
The goto Squirrel
Dennis E. Hamilton
Re: iPhone's Critical Security Bug: a Single Bad `Goto'
Dimitri Maziuk
Henry Baker
Info on RISKS (comp.risks)

Startups don't realize the issue with security until it's too late (Jenna Wortham and Nicole Perlroth)

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Mon, 3 Mar 2014 11:45:23 -0500
No surprise here to anyone who's ever worked for a startup—making
software products secure isn't high on anyone's list.  That's not what
brings in customers, and hence additional funding.

Until someone gets hurt, that is.

Jenna Wortham and Nicole Perlroth, 2 March 2014
When Start-Ups Don't Lock the Doors
http://www.nytimes.com/2014/03/03/technology/when-start-ups-dont-lock-the-doors.html?nl=todaysheadlines&emc=edit_th_20140303


Apple Rolls Out CarPlay

Monty Solomon <monty@roscom.com>
Mon, 3 Mar 2014 11:04:26 -0500
Apple Rolls Out CarPlay Giving Drivers a Smarter, Safer & More Fun
Way to Use iPhone in the Car
CarPlay Premieres with Leading Auto Manufacturers at the Geneva
International Motor Show

GENEVA--March 3, 2014--Apple today announced that leading auto manufacturers
are rolling out CarPlay, the smarter, safer and more fun way to use iPhone
in the car. CarPlay gives iPhone users an incredibly intuitive way to make
calls, use Maps, listen to music and access messages with just a word or a
touch. Users can easily control CarPlay from the car's native interface or
just push-and-hold the voice control button on the steering wheel to
activate Siri without distraction. Vehicles from Ferrari, Mercedes-Benz and
Volvo will premiere CarPlay to their drivers this week, while additional
auto manufacturers bringing CarPlay to their drivers down the road include
BMW Group, Ford, General Motors, Honda, Hyundai Motor Company, Jaguar Land
Rover, Kia Motors, Mitsubishi Motors, Nissan Motor Company, PSA Peugeot
Citroën, Subaru, Suzuki and Toyota Motor Corp.

http://www.apple.com/pr/library/2014/03/03Apple-Rolls-Out-CarPlay-Giving-Drivers-a-Smarter-Safer-More-Fun-Way-to-Use-iPhone-in-the-Car.html


Keurig Will Use DRM In New Coffee Maker To Lock Out Refill Market (Karl Bode)

Monty Solomon <monty@roscom.com>
Mon, 3 Mar 2014 11:07:44 -0500
Karl Bode, 3 Mar 2014

The single coffee cup craze has been rolling now for several years in both
the United States and Canada, with Keurig, Tassimo, and Nespresso all
battling it out to lock down the market. In order to protect their dominant
market share, Keurig makers Green Mountain Coffee Roasters has been on a bit
of an aggressive tear of late. As with computer printers, getting the device
in the home is simply a gateway to where the real money is: refills. But
Keurig has faced the `problem' in recent years of third-party pod refills
that often retail for 5-25% less than what Keurig charges. As people look to
cut costs, there has also been a growing market for reusable pods that
generally run anywhere from five to fifteen dollars.

Keurig's solution to this problem? In a lawsuit (pdf) filed against Keurig
by TreeHouse Foods, they claim Keurig has been busy striking exclusionary
agreements with suppliers and distributors to lock competing products out of
the market. What's more, TreeHouse points out that Keurig is now developing
a new version of their coffee maker that will incorporate the java-bean
equivalent of DRM—so that only Keurig's own coffee pods can be used in
it: ...

http://www.techdirt.com/articles/20140227/06521826371/keurig-will-use-drm-new-coffee-maker-to-lock-out-refill-market.shtml

https://s3.amazonaws.com/s3.documentcloud.org/documents/1031250/treehouse-v-greenmountain.pdf

http://www.canadianbusiness.com/companies-and-industries/keurig-2-single-serve-coffee-pod-drm/


"Yahoo breach exposes naked truth about online security" (Robert X. Cringely)

Gene Wirchenko <genew@telus.net>
Mon, 03 Mar 2014 14:49:18 -0800
Robert X. Cringely, Infoworld, 28 Feb 2014
The umpteenth violation of our Internet privacy proves once again the
dearth of common sense among us Web users
http://www.infoworld.com/t/cringely/yahoo-breach-exposes-naked-truth-about-online-security-237460

opening text:

The hits just keep on coming. Yesterday's news that Brit spy mongers
recorded the video chats of 1.8 million Yahoo users over six months left me
numb, as if I had inhaled a frosty Slurpee full of Novocain.  Yahoo claims
no knowledge of the theft—yeah, I said it, because that's what it is—
but that declaration is worthy of more than a little skepticism.


Snowden made cyber-geek nightmares true. Can 'private' be normal again? (Dan Gillmor)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Sunday, March 2, 2014
Dan Gillmor, *The Guardian*, 28 Feb 2014
The NSA leaks created everyday interest in products built to protect. At a
security pow-wow turned sour, that's a good thing.
http://www.theguardian.com/commentisfree/2014/feb/28/snowden-privacy-products-trustycon-2014

In the nearly nine months since the Edward Snowden revelations began on this
website, some of the most jaw-dropping surveillance news has involved a
company called RSA, which for years has been one of the top computer
security firms in the world. Boiled down, RSA is alleged to have weakened a
core element of a widely used encryption product at the behest of the
National Security Agency, receiving $10 million in the process of providing
a `back door' for government snooping.

RSA issued what amounted to a non-denial denial after Reuters' Joseph Menn
broke a key part of the story back in December. This week, at its annual
cyber-security conference here in San Francisco, the company was on defense
at an event usually reserved for looking forward, not back. Its CEO said
that any weakness was inadvertent, at least on RSA's part, and not the
result of some nefarious deal with the US government. Respected
cryptographer and university professor Matt Blaze summed it up nicely:
“Everyone to RSA: Did you deliberately sell us out, or are you incompetent?
RSA: We're incompetent.”

It's too early to tell whether this incompetence—or betrayal, take your
pick—will hit RSA and its $51bn parent company, EMC, where it should: on
the bottom line. And despite a boycott by some scheduled speakers here, the
RSA conference was well-attended. As one security expert who's expressed
contempt for the company's behavior told me, it's still his best chance to
catch up, face-to-face, with other top people in this still burgeoning
field.

But the episode did spark another gathering, held Thursday across the street
from where RSA held its conference, where the topic of the moment wasn't
security, per se. It was trust, a commodity in short supply these days.

`TrustyCon'—short for the Trustworthy Technology Conference—came
together in a hurry after Mikko Hypponen, chief research officer for
F-Secure, a Finnish security company, announced in January, in a public
letter to RSA, that he was canceling his scheduled RSA conference talk and
that his own company would skip the event entirely. Hypponen, a rock star in
the computer security world, gave the opening keynote at TrustyCon
instead. It was a pessimistic assessment of technology users' chances to
have a computing and communications they can genuinely trust in an age when
nation-states have taken over as the most dangerous—even malicious—
hackers on Earth.

“Our worst fears turned out to be fairly accurate,” Hypponen said of what's
transpired in the security world over the past few years. And he's right: in
the past nine months, it's become clear that many of the people once derided
as paranoid were, if anything, understating the reality of how much we're
all being watched. Certainly, Thursday's revelation on this website that spy
services had become outright peeping toms by hijacking webcam images would
have sounded ridiculous not so long ago.

Alas, from betrayal rose a glimmer of hope in this insidery community—
that privacy might make an everyday comeback, and maybe even sell.

At TrustyCon, for example, technologists updated the audience on an
important security service for whistleblowers and the journalists to whom
they leak documents. This was `SecureDrop', a project started by the late
Aaron Swartz and now run by the Freedom of the Press Foundation which
ensures safe communications by relying on the Tor web-anonymity system. No
one says SecureDrop is perfect. But it is easy to use and robust, a vast
improvement over what journalists have typically deployed. [...]


Ed Felten at TrustyCon

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 2 Mar 2014 08:13:07 PST
Princeton Professor and USACM Council Co-Vice-Chair Ed Felten gave the final
talk at TrustyCon on 27 Feb 2014.  This begins at 6:32:33 (six and one half
hours into the day's events).  Mikko Hypponen's keynote (see the previous
RISKS item from Dan Gillmor) runs from 0:15:27 to 1:04:20.

  http://www.youtube.com/watch?v=lkO8SNiDSw0?

The subject matter of TrustyCon (Trustworthy Technology Conference) might
really be thought of as UnTrustyCon, referring to the `Untrustworthy
confidence game' that it pervasively exposes.


Apple's Serious Security Issue: Update Your iPhone or iPad Immediately (Molly Wood)

Monty Solomon <monty@roscom.com>
Sat, 1 Mar 2014 01:28:00 -0500
This week, Apple rushed out a patch for its iOS 7 and iOS 6 operating
systems to fix a serious security issue. Before I explain further,
let me just say this: If you've gotten the prompt to update and you
haven't, do it now. If you're still running older versions of iOS on
your iPhone, iPod, or iPad, update now.

Done? O.K., good.

 - - - -

Apple Issues Fix for Security Problem on Macs
Molly Wood, *The New York Times* blogs, 25 Feb 2014
http://bits.blogs.nytimes.com/2014/02/24/apples-serious-security-issue-update-your-iphone-or-ipad-immediately/

Apple has finally issued a security update to its OS X Mavericks software
for Macintosh computers, patching a bug that could have let hackers
eavesdrop on supposedly encrypted connections and steal everything from
usernames and passwords to location data.

Version 10.9.2 comes four days after Apple patched iOS, its mobile operating
system, to close the same hole. The OS X update addresses several security
issues, including the so-called `goto fail' code bug, which Apple said could
allow an attacker to capture or modify data in sessions users believe are
protected by the Secure Sockets Layer (SSL) or Transportation Layer Security
(TLS) encryption methods. ...

http://bits.blogs.nytimes.com/2014/02/25/apple-issues-fix-for-security-problem-on-macs/


The goto Squirrel (Re: Petra et al., RISKS-27.77)

"Dennis E. Hamilton" <dennis.hamilton@acm.org>
Fri, 28 Feb 2014 16:55:22 -0800
Oh look, a misplaced goto statement that short-circuits a security
procedure.

Squirrel!

It is amazing to me that, once the specific defect is disclosed (and the
diff of the actual change has also been published), the discussion has
devolved into one of coding style and whose code is better.  I remember
similar distractions around the Ariane 501 defect too, although in that case
there was nothing wrong with the code—the error was that it was being run
when it wasn't needed and it was not simulation tested with new launch
parameters under the mistaken assumption that if the code worked for Ariane
4, it should work for Ariane 5.

It is not about the code.  It is not about the code.  It is not about goto.
It is not about coming up with ways to avoid introducing this particular
defect by writing the code differently.

I say this is all about the engineering and delivery process that allowed
this gaffe to be introduced into production code for a security-important
procedure and allowed to remain there until someone noticed externally.  The
coding style could have been perfect, with the code still not establishing
security correctly and it would have been put into the live release, all
else being equal.  Some of the offered alternatives, I daresay, offer many
ways to inject a comparable defect that is much less apparent.

The defect was introduced when code was being patched to change the
signature of some of the functions being called.  This strikes me as a
classic lapse about not testing what is thought to be obvious, although I
have no idea what the actual scenario was.

There are many ways the particular defect could have been detected and
remedied well before the code was committed to the code base.  A walkthrough
would likely catch it, assuming a skilled human other than the original
programmer simply read through it.  I bet explaining it on a walkthrough
would probably have led the originator to notice it.

A pretty-printer (or any IDE that reflows indentation) would point it out.

So would a modern IDE that identifies unreachable code.

Any practical code-coverage testing would reveal it too.

Furthermore, it is incomprehensible to me that a change to security-
important code wasn't subjected to regression testing and confirmation of
the procedure.  For that matter, I'm a little disappointed that a review and
commit by a senior technical-staff member was evidently not required.

What's appalling to me is the evident absence of risk management and
procedures for detection and mitigation of regressions.

It is incumbent on all of us to stand back from the code and look at the
process by which injection of a regression was allowed to sit there and
fester all this time.


Re: iPhone's Critical Security Bug: a Single Bad `Goto' (RISKS-27.77)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Fri, 28 Feb 2014 17:57:48 -0600
 ... algol, curlies, bad code, fortran, oo ...

Or Apple could just read the fine manual for the compiler they presumably
downloaded together with the rest of xBSD:

 gcc -Wunreachable-code -Werror

would've told them:

cc1: warnings being treated as errors
 ... In function 'SSLVerifySignedServerKeyExchange':
 ... error: will never be executed

Dimitri Maziuk BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
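The defect the two items above discuss, modelled as an added example (this is constructed illustration code, not Apple's SSL source and not code from either RISKS contributor). The hash-update steps are replaced by stub functions, the names `verify_buggy`, `verify_fixed` and `rejects_bad_signature` are invented for the example, and the error value is a placeholder. The buggy shape shows how a duplicated `goto fail;` makes the final check unreachable while `err` still holds the success code from the previous step; the fixed shape braces every conditional body and never returns success from the failure path, and the last function is the kind of regression check Hamilton says should have gated the commit.

```c
#include <stdio.h>

typedef int OSStatus;                 /* same return convention as the original */
#define ERR_VERIFY_FAILED (-1)        /* constructed placeholder error code */

/* Stubs standing in for the hash-update steps that precede the signature
   check.  They always succeed, which is exactly the situation in which the
   duplicated goto is dangerous: err is left holding 0 (success). */
static OSStatus step_ok(void) { return 0; }

/* Stub for the final signature check: 0 on a valid signature, error otherwise. */
static OSStatus final_verify(int signature_valid)
{
    return signature_valid ? 0 : ERR_VERIFY_FAILED;
}

/* Model of the vulnerable control flow.  The second "goto fail;" is not
   guarded by any if, so it always jumps; every statement after it, including
   the real signature check, is unreachable, and the function returns the
   err left by the last successful step, i.e. 0. */
OSStatus verify_buggy(int signature_valid)
{
    OSStatus err = 0;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;                                   /* duplicated line */
    if ((err = final_verify(signature_valid)) != 0)  /* never executed */
        goto fail;
fail:
    return err;
}

/* Hardened shape: braces on every conditional body, so an extra goto would
   either land inside the braces (still conditional) or stand out as an
   unconditional statement; success is returned only after the last check
   ran, and the fail path never returns 0 even if reached with err == 0. */
OSStatus verify_fixed(int signature_valid)
{
    OSStatus err;
    if ((err = step_ok()) != 0) { goto fail; }
    if ((err = step_ok()) != 0) { goto fail; }
    if ((err = final_verify(signature_valid)) != 0) { goto fail; }
    return 0;                         /* only reachable after final_verify */
fail:
    return err != 0 ? err : ERR_VERIFY_FAILED;   /* fail closed */
}

/* The regression check: a verifier must reject an invalid signature.
   Returns 1 if the verifier under test rejects it, 0 if it wrongly accepts. */
int rejects_bad_signature(OSStatus (*verify)(int))
{
    return verify(0) != 0;
}

int main(void)
{
    printf("buggy verifier rejects bad signature: %d\n",
           rejects_bad_signature(verify_buggy));   /* prints 0 */
    printf("fixed verifier rejects bad signature: %d\n",
           rejects_bad_signature(verify_fixed));   /* prints 1 */
    return 0;
}
```

Compiling the block with `-Wall` on a recent GCC also reports the misleading indentation of the duplicated line, and clang's `-Wunreachable-code` flags the dead check; the regression function catches the defect regardless of which compiler or warning set is in use.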


Re: iPhone's Critical Security Bug: a Single Bad `Goto'

Henry Baker <hbaker1@pipeline.com>
Sat, 01 Mar 2014 04:35:51 -0800
There's not enough space or patience in comp.risks to re-litigate the GOTO
wars.  However, for anyone interested in a deep understanding of the issues,
you can start with Steele & Sussman's excellent paper `LAMBDA: The Ultimate
Imperative' (and then read most of the papers in the computer science
literature that reference this one):

http://dspace.mit.edu/bitstream/handle/1721.1/5790/AIM-353.pdf

In particular, one must have a thorough understanding of the term
`continuation-passing style' before it is possible to have a useful
discussion on the subject of GOTO's.
